I'm trying to authenticate via OpenLDAP-2.0.23 using the ldap module in the radiusd.conf file and using ldap authentication and authorization in the users file. The authentication works just fine when I add a dialup account in the ldap database and use a cleartext password for the userPassword attribute (actually, when you assign a clear text password to the userPassword attribute, I believe the default hash is SHA1). However, if I put a DES hashed password from an existing /etc/shadow file into the userPassword attribute using the following notation:

    userPassword: (crypt)rPjsdFT9er*6o

authentication breaks down. I can't authenticate to a crypt hashed password in the ldap database. Does anyone have a possible explanation for this behavior?

During authentication to the ldap server, does radius send the password to the ldap server in clear text (notwithstanding the use of SSL, which would encrypt the entire transaction)? I'm thinking the process goes as follows:

1. NAS encrypts the cleartext password from the dialup user with the shared secret.
2. FreeRadius decrypts the password from the NAS using the shared secret.
3. FreeRadius sends the clear text password to the LDAP server.

Is this the correct understanding? When radius tries to authenticate via ldap, does it do so with a bind operation or some other type of authentication operation? In the current ldap config file, I allow anonymous "auth" access to userPassword. Is the radius authentication to ldap using "auth" access?

I'm thinking my problem is quite likely an OpenLDAP issue, but I can't get any response from the OpenLDAP mailing list - it appears to be down or gone - and I'm betting there are other freeradius users out there who are using ldap authentication with openldap who have probably dealt with this and solved the problem.

Thanks very much,
Mike

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
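The two mechanisms the question touches on, worked through in code. This is an added example and not code from the post or from FreeRADIUS or OpenLDAP: the first half implements the RFC 2865 User-Password hiding (pad to 16 bytes, XOR each block with MD5(secret + previous block), seeded by the Request Authenticator), which is what a NAS does with a PAP password and what the server undoes before it can hand the cleartext to an LDAP bind or compare. The second half is a small checker for the `userPassword` value formats OpenLDAP recognises: a `{scheme}` prefix in curly braces selects the hash ({SHA}, {SSHA}, {crypt}); a value with no such prefix is compared as literal cleartext. All sample secrets, salts and passwords below are constructed for the example; the `{crypt}` branch relies on the platform crypt(3) via Python's `crypt` module, which is unavailable on newer Pythons and so is reported rather than silently failing.

```python
import base64
import hashlib
import os
import secrets


# ---- RFC 2865 section 5.2: User-Password attribute hiding -------------------

def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Obscure a PAP password the way a NAS does before sending Access-Request.

    The password is NUL-padded to a multiple of 16 bytes.  Block i is XORed with
    MD5(shared_secret + previous_block), where 'previous_block' is the 16-byte
    Request Authenticator for the first block and the previous ciphertext block
    after that.  This is obfuscation keyed by the shared secret, not encryption
    in the modern sense, which is why the transport (RadSec/IPsec) matters.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    pad_len = (16 - len(password) % 16) % 16
    padded = password + b"\x00" * pad_len
    if not padded:  # empty password still occupies one block
        padded = b"\x00" * 16
    out = b""
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_user_password(): what the RADIUS server does on receipt."""
    out = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block  # chaining uses the *ciphertext* block
    return out.rstrip(b"\x00")


# ---- userPassword value formats as OpenLDAP parses them ---------------------

def make_sha(password: str) -> str:
    """Unsalted {SHA}: base64(SHA1(password))."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def make_ssha(password: str, salt: bytes = None) -> str:
    """Salted {SSHA}: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_user_password(stored: str, candidate: str) -> bool:
    """Verify 'candidate' against a stored userPassword value.

    Only a prefix in curly braces is a scheme selector; anything else is taken
    as the literal cleartext password, which is how OpenLDAP treats it too.
    """
    if stored.startswith("{") and "}" in stored:
        scheme, _, data = stored[1:].partition("}")
        scheme = scheme.upper()
    else:
        scheme, data = "CLEARTEXT", stored
    cand = candidate.encode()
    if scheme == "CLEARTEXT":
        return secrets.compare_digest(data.encode(), cand)
    if scheme == "SHA":
        return secrets.compare_digest(base64.b64decode(data), hashlib.sha1(cand).digest())
    if scheme == "SSHA":
        raw = base64.b64decode(data)
        digest, salt = raw[:20], raw[20:]
        return secrets.compare_digest(digest, hashlib.sha1(cand + salt).digest())
    if scheme == "CRYPT":
        try:
            import crypt  # platform crypt(3); removed in Python 3.13
        except ImportError:
            raise RuntimeError("{crypt} verification needs the platform crypt(3), unavailable here")
        return secrets.compare_digest(crypt.crypt(candidate, data), data)
    raise ValueError(f"unsupported userPassword scheme {{{scheme}}}")


if __name__ == "__main__":
    # Constructed sample values: a shared secret, a random Request Authenticator
    # and a PAP password, round-tripped through the RFC 2865 hiding.
    secret, auth = b"example-shared-secret", os.urandom(16)
    hidden = hide_user_password(b"dialup-p4ss", secret, auth)
    print(len(hidden), reveal_user_password(hidden, secret, auth))
    # A value that merely *looks* like a scheme prefix is compared as cleartext.
    print(check_user_password("(crypt)rPjsdFT9er*6o", "(crypt)rPjsdFT9er*6o"))
    print(check_user_password(make_ssha("dialup-p4ss"), "dialup-p4ss"))
```

Run stand-alone, the script shows the hidden User-Password is a whole number of 16-byte blocks and decodes back to the original, and that a stored value without a `{...}` prefix only matches when the candidate equals that literal string. The same checker is what a directory-side compare performs once the RADIUS server has recovered the cleartext; whether FreeRADIUS then binds as the user or compares against `userPassword` depends on its ldap module configuration, which is outside this example.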
