Alan, changing from User-Password to Password-With-Header brought back
the 'No "known good" password' error. I'm going through the rlm_pap.c
code to try to see what's going on here. I haven't found any docs yet
on what the various mapping possibilities are and what they do. Do you
have a pointer to any so I don't keep bugging you and the list?
I agree with the 'get it work, then tune it' approach. That's where I'm
at now. It's working, I'm just trying to make all the messages go away :)
Thanks!
Tom
Here is a snippet from radiusd -X:
[ldap-server1] Added Crypt-Password = 4gOgBZqZgtwIw in check items
[ldap-server1] looking for check items in directory...
[ldap-server1] userPassword -> Password-With-Header ==
"{crypt}4gOgBZqZgtwIw"
[ldap-server1] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that
the user is configured correctly?
[ldap-server1] user testuser authorized to use remote access
Date: Tue, 27 Jul 2010 09:00:23 +0200
From: Alan DeKok <al...@deployingradius.com>
Subject: Re: Another LDAP/RADIUS integration problem.
To: FreeRadius users mailing list
<freeradius-users@lists.freeradius.org>
Message-ID: <4c4e8407.3030...@deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1
Tom Leach wrote:
Alan, I changed the ldap.attrmap file from "checkItem Crypt-Password
userPassword" to "checkItem User-Password userPassword" and it's
authenticating now, but I now have a new message in the debug output and
I'm not sure if it's a problem, suggestion, or otherwise.
It's a suggestion. But the first step was to get it to work.
I can't
change the LDAP directory to contain actual cleartext passwords, so it
may just be something that I have to live with.
Change the mapping in ldap.attrmap to:
checkItem Password-With-Header userPassword
That should *still* work, and will remove the warning.
The process here is to first get it to work, and then get it to work
better.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html