Hi list,

I have a problem authenticating users via an LDAP server (Netscape
Directory Server 6.1).
I have to check against an attribute called "clearpassword" which is SHA
encrypted.
Reading out the "clearpassword" data works fine, also if I use radtest
with the encrypted password and pap encryption_scheme = clear.
---
rlm_pap: login attempt by "test" with password
{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=
rlm_pap: Using password {SHA}qUqP5cyxm6YcTAhzx5Hph5gvu9M= for user test
authentication.
rlm_pap: Using clear text password.
rlm_pap: User authenticated succesfully
  modcall[authenticate]: module "pap" returns ok
---

If I set the encryption_scheme to "sha1" and send the cleartext password
to the RADIUS server, I get a reject. I also get the reject if I strip out the
password_header = "{SHA}".
---
rlm_pap: login attempt by "test" with password test
rlm_pap: Using password {SHA}qUqP5cyxm6YcTAhzx5Hph5gvu9M= for user test
authentication.
rlm_pap: Using SHA1 encryption.
rlm_pap: Passwords don't match
  modcall[authenticate]: module "pap" returns reject
---
rlm_pap: login attempt by "test" with password test
rlm_pap: Using password qUqP5cyxm6YcTAhzx5Hph5gvu9M= for user test
authentication.
rlm_pap: Using SHA1 encryption.
rlm_pap: Passwords don't match
  modcall[authenticate]: module "pap" returns reject
modcall: group authtype returns reject
---

The slappasswd from OpenLDAP gives me the correct data:
---
slappasswd -h {SHA} -s test
{SHA}qUqP5cyxm6YcTAhzx5Hph5gvu9M=
---

Is there just something misconfigured or is SHA not SHA1? Couldn't find
anything useful on the net.

Any help is definitely appreciated!

TIA!

Uli Walcher




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
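
Added example (not part of the original post, and not FreeRADIUS code): the LDAP "{SHA}" scheme stores the base64 encoding of the raw 20-byte SHA-1 digest, so a checker that compares against the 40-character hex form of the same digest will not match it. The function names below are hypothetical; the sample value is the one from the first log excerpt in the post.

```python
import base64
import binascii
import hashlib
import hmac

HEADER = "{SHA}"
SHA1_LEN = 20  # SHA-1 digests are always 20 raw bytes


def encode_sha(password):
    """Build an LDAP-style '{SHA}' value: header + base64(raw SHA-1 digest)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return HEADER + base64.b64encode(digest).decode("ascii")


def parse_sha_value(stored):
    """Return the raw digest from '{SHA}<base64>', bare base64, or 40-char hex."""
    value = stored.strip()
    if value.upper().startswith(HEADER):
        value = value[len(HEADER):]
    raw = None
    if len(value) == 2 * SHA1_LEN:
        # 20 bytes in base64 is 28 characters, so 40 characters can only be hex.
        try:
            raw = bytes.fromhex(value)
        except ValueError:
            raw = None
    if raw is None:
        try:
            raw = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            raise ValueError("stored value is neither base64 nor hex")
    if len(raw) != SHA1_LEN:
        raise ValueError("decoded value is not a 20-byte SHA-1 digest")
    return raw


def check_password(candidate, stored):
    """Compare SHA-1(candidate) with the stored digest in constant time."""
    expected = parse_sha_value(stored)
    actual = hashlib.sha1(candidate.encode("utf-8")).digest()
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    stored = "{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M="  # from the first log excerpt
    print("base64 form:", encode_sha("test"))
    print("hex form   :", parse_sha_value(stored).hex())
    print("match      :", check_password("test", stored))
```

The base64 and hex strings printed here are two encodings of the same digest; a direct string comparison between them fails even though the password is correct.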
