Unable to retrieve LDAP attribute in original format

Unable to retrieve LDAP attribute in original format

ST Wong (ITSC)
Hi all,

We've upgraded freeradius from 2.x to 3.0.21. We note that LDAP attributes are always returned as a hex string and we're unable to get the attribute as it is.
e.g. we defined in mods-enabled/ldap:

        update {
                control:NT-Password             += 'sambaNtPassword'
        }

while the sambaNtPassword value in LDAP is just an alphanumeric string without any escape characters.

The debug log shows the value in hex (decoding the hex into ASCII matches the value in LDAP):

Tue Jun 16 11:41:43 2020 : Debug: (8) ldap: Processing user attributes
Tue Jun 16 11:41:43 2020 : Debug: (8) ldap: NT-Password := 0x3034324544323534394233353637304441443342394130374444424339363233


Then we got the error "NT-Password has not been normalized by the 'pap' module (likely still in hex format).".

Tue Jun 16 11:51:43 2020 : Debug: (8) eap_mschapv2:   authenticate {
Tue Jun 16 11:51:43 2020 : Debug: (8) eap_mschapv2:     modsingle[authenticate]: calling mschap (rlm_mschap)
Tue Jun 16 11:51:43 2020 : WARNING: (8) mschap: NT-Password has not been normalized by the 'pap' module (likely still in hex format).  Authentication may fail
Tue Jun 16 11:51:43 2020 : WARNING: (8) mschap: No Cleartext-Password configured.  Cannot create NT-Password
Tue Jun 16 11:51:43 2020 : WARNING: (8) mschap: No Cleartext-Password configured.  Cannot create LM-Password


The data in the LDAP server works in freeradius 2.x.
Would anyone please help?

Thanks a lot.
Regards
/ST Wong

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Unable to retrieve LDAP attribute in original format

ST Wong (ITSC)
Hi all,

The problem was resolved after adding pap in the authorize session, which does the normalization.
Sorry for the careless mistake in setup.

Thanks and rgds
/ST Wong


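The thread above turns on the difference between an NT-Password that still holds 32 ASCII hex characters, as read from LDAP, and one that has been normalized to the 16 raw bytes mschap expects. The following is an added example, not code from the original posts or from FreeRADIUS: it classifies NT-Password values found in debug lines of the format shown above. The function names, the sample hash text and the sample log lines are constructed for illustration, and it assumes normalization is a plain hex decode.

```python
import re
import string

NT_HASH_LEN = 16  # an NT hash is 16 raw bytes

# Matches the "NT-Password := 0x..." debug format quoted in the thread.
NT_LINE = re.compile(r"NT-Password\s*:?=\s*0x((?:[0-9A-Fa-f]{2})+)")

def classify(octets: bytes) -> str:
    """Report whether an NT-Password value is raw bytes or still hex text."""
    if len(octets) == NT_HASH_LEN:
        return "normalized"
    is_hex_text = all(chr(b) in string.hexdigits for b in octets)
    if len(octets) == 2 * NT_HASH_LEN and is_hex_text:
        return "hex-text"  # what the mschap warning in the thread complains about
    return "unexpected"

def normalize(octets: bytes) -> bytes:
    """Decode 32 ASCII hex characters into the 16 bytes they spell."""
    if classify(octets) == "hex-text":
        return bytes.fromhex(octets.decode("ascii"))
    return octets

def check_log(lines):
    """Return (line number, state) for every NT-Password debug line."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = NT_LINE.search(line)
        if match:
            findings.append((number, classify(bytes.fromhex(match.group(1)))))
    return findings

# Constructed sample data (not taken from the thread).
SAMPLE_HASH_TEXT = "00112233445566778899AABBCCDDEEFF"
AS_READ_FROM_LDAP = SAMPLE_HASH_TEXT.encode("ascii")  # 32 bytes of hex text
SAMPLE_LOG = [
    "Debug: (1) ldap: Processing user attributes",
    "Debug: (1) ldap: NT-Password := 0x" + AS_READ_FROM_LDAP.hex(),
    "Debug: (2) pap: NT-Password := 0x" + normalize(AS_READ_FROM_LDAP).hex(),
]

if __name__ == "__main__":
    for number, state in check_log(SAMPLE_LOG):
        print(f"line {number}: NT-Password is {state}")
```
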