On 07/23/2010 02:59 PM, Alan DeKok wrote:
Tom Leach wrote:
To correct the bind problem, I added an ACL to the directory to allow
'uid=admin,o=radtree' to access the userPassword attribute, then
configured the ldap module to use 'uid=admin,o=radtree' as the identity
and 'secret' as the password. Now the bind succeeds, the -X output says
that it's mapping userPassword -> Crypt-Password ==
"{crypt}4gOgBZqZgtwIw"
The "Crypt-Password" attribute is supposed to be the crypt'd version
of the password *without* the "{crypt}" header. Change the mapping from
"userPassword -> Crypt-Password" to "userPassword -> User-Password", and
it will work.
The PAP module will look for the "{crypt}" header, and create a
Crypt-Password with the appropriate value.
Hmm ...
Just from looking at the rlm_ldap code (not actual testing) I thought if
auto_header was set to True in the ldap config then rlm_ldap after
looking up the configured password attribute would perform the steps you
describe above. (strip the hash prefix and add a new attribute with the
correct attribute type for the hash type)
Am I confused?
--
John Dennis <jden...@redhat.com>
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
