Tim Palmer wrote:
> With 2.1.1, I had no trouble getting rlm_ldap to connect to my OpenLDAP
> server, and after putting in a Cleartext-Password entry in
> ldap.attrsmap,

That's the issue. DON'T do that.

> rlm_ldap would authorize fine, and everything seemed ok,
> except I couldn't get pap to understand the encryption scheme:
>
> [pap] Found existing Auth-Type, not changing it.
> ++[pap] returns noop
> Found Auth-Type = PAP
> +- entering group PAP {...}
> [pap] login attempt with password "testing"
> [pap] Using clear text password "{crypt}$1$Moq9XEC8$PRA5/NGFUrskxI52Nv8rm."

Because you told it that the userPassword LDAP field was a clear-text password. The PAP module is *supposed* to do the "auto-header" thing itself. It can't, because you told it that the above text WAS the password.

> Is it only some odd ball, simplistic configurations like mine that this
> should be required? I was unable to find any mention of this as an ldap
> module setting except in rlm_ldap.c, which I didn't think to look in
> until after the fact.

The LDAP auto-header configuration is deprecated. The PAP module is supposed to do that work now.

Alan DeKok.
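An added example, not part of the original message and not FreeRADIUS source: a simplified Python sketch of header-based normalization, showing why the {crypt} value from the debug output can never match when it is labelled as a cleartext password. The header table is a subset picked for this example, and treating a missing or unknown header as cleartext is an assumption of the sketch.

```python
import base64
import hashlib
import hmac

# Header -> attribute name. Subset chosen for this example.
HEADERS = {
    "clear": "Cleartext-Password",
    "cleartext": "Cleartext-Password",
    "crypt": "Crypt-Password",
    "sha": "SHA-Password",
    "ssha": "SSHA-Password",
}

# userPassword value taken from the debug output quoted in the message.
LDAP_VALUE = "{crypt}$1$Moq9XEC8$PRA5/NGFUrskxI52Nv8rm."


def normalize(user_password):
    """Split '{scheme}value' into (attribute, value).

    Assumption of this sketch: a missing or unknown header means cleartext.
    """
    if user_password.startswith("{"):
        end = user_password.find("}")
        scheme = user_password[1:end].lower() if end > 1 else ""
        if scheme in HEADERS:
            return HEADERS[scheme], user_password[end + 1:]
    return "Cleartext-Password", user_password


def make_ssha(password, salt):
    """Build a constructed {SSHA} sample: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify(attribute, value, supplied):
    """Return True/False, or None when this sketch has no verifier."""
    if attribute == "Cleartext-Password":
        return hmac.compare_digest(value.encode(), supplied.encode())
    if attribute == "SSHA-Password":
        raw = base64.b64decode(value)
        digest, salt = raw[:20], raw[20:]
        expected = hashlib.sha1(supplied.encode() + salt).digest()
        return hmac.compare_digest(expected, digest)
    return None  # e.g. Crypt-Password needs crypt(3), which is not called here
```

Mapping userPassword straight to Cleartext-Password corresponds to calling verify("Cleartext-Password", LDAP_VALUE, ...) without normalize(), which compares the typed password against the whole header-plus-hash string.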