I owe you an apology: I said not to edit /etc/raddb/ldap.attrmap, but you do. I always forget that the clear text password mapping is not in ldap.attrmap by default; I assume that is because of the inherent security risks. By forcing you to add it you'll be forcefully aware of what you've done. Here's the issue: you don't want unprivileged users reading someone's password from the directory. It's vital you protect the clear text password with some type of access control in your ldap server. How you do that depends on the particular ldap server you're using. You might consider using precomputed hashes such as LT and NT. That would mitigate the exposure of a clear text password, but hashes should be protected as well by access control.

Now, to make matters a touch more complicated, FreeRADIUS changed how it accessed the clear text password in its set of attributes. In older versions of FreeRADIUS it was known as User-Password, but that produced an unfortunate ambiguity and it was later modified to be Cleartext-Password. I'm sorry, but I don't remember the version this was modified in.

For old versions of FreeRADIUS you'll need this in ldap.attrmap:

checkItem   User-Password      userPassword

For modern versions of FreeRADIUS you'll need this in ldap.attrmap:

checkItem   Cleartext-Password      userPassword

If you're still having problems then please follow up with the full contents of your config file (not snippets) and the output of radiusd -X.

--
John Dennis <jden...@redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
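The access control John describes, as an added example that is not part of his mail and not FreeRADIUS or OpenLDAP project code. It assumes an OpenLDAP slapd using cn=config with an mdb database, and a hypothetical service account cn=radius,ou=services,dc=example,dc=com that FreeRADIUS binds as (the ldap module's identity); both are placeholders for your own directory.

```ldif
# Added example (assumptions: OpenLDAP cn=config, database {1}mdb, and a
# hypothetical RADIUS bind DN). Not taken from the original mail.
#
# WEAK setting, shown only for contrast, do not apply: every bound client,
# and anonymous ones, can read the attribute mapped to Cleartext-Password,
# so any unprivileged account can dump everyone's password.
#
#   olcAccess: {0}to attrs=userPassword
#     by * read
#
# Hardened setting: only the RADIUS service DN may read userPassword,
# users may change their own, anonymous clients may only use it to bind
# (auth), and everyone else gets nothing. Apply with
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f protect-userpassword.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by dn.exact="cn=radius,ou=services,dc=example,dc=com" read
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to *
  by * read
```

To verify, bind as an ordinary user and search another user's entry for userPassword; the attribute should not be returned, while the same search bound as the cn=radius DN should show it (and radiusd -X should still authenticate with the Cleartext-Password mapping).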
