Suggest the following patch for LDAP+EAP-TTLS+PAP+CRYPT

Juan C. Sanchez-DelBarrio carlos.sanchez at bsc.es
Mon Nov 6 17:35:23 CET 2006


Hi Alan,

I agree with you. Before using EAP-TTLS with PAP, we used MD5 cipher but
you need to have the LDAP User-Password in plain-text. Our security
requirement in the LDAP database is that the User-Password must be
ciphered (CRYPT). We found a good solution using EAP-TTLS with PAP. PAP
permits us the authentication with CRYPT password. But, the problem is
that LDAP database includes hash header before password, {crypt}XXXXX.
How do you compare both passwords?????

	XXXX == {crypt}XXXX

I propose the next solution:

	XXXX == XXXX

Other solution???

Thanks!

Alan DeKok wrote:
> "Juan C. Sanchez-DelBarrio" <carlos.sanchez at bsc.es> wrote:
>> I propose the following patch to use EAP-TTLS+PAP+LDAP with CRYPT
>> PASSWORD. This feature would permit us to cipher the plain password in
>> LDAP using CRYPT hash and compare the CRYPT hash of user password from
>> LDAP with PAP authentication (crypt).
> 
>   Why?  The server already supports pulling the crypt'd password from
> LDAP, and comparing it to the users password via rlm_ldap.
> 
>   Alan DeKok.
> --
>   http://deployingradius.com       - The web site of the book
>   http://deployingradius.com/blog/ - The blog
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html


-- 
Juan C. Sanchez-DelBarrio
BSC-CNS
http://www.bsc.es



More information about the Freeradius-Devel mailing list