Suggest the following patch for LDAP+EAP-TTLS+PAP+CRYPT

Daniel Larsson daniel.larsson at servicefactory.com
Mon Nov 6 19:32:47 CET 2006


Juan C. Sanchez-DelBarrio wrote:
> Hi Alan,
>
> I agree with you. Before using EAP-TTLS with PAP, we used MD5 cipher but
> you need to have the LDAP User-Password in plain-text. Our security
> requirement in the LDAP database is that the User-Password must be
> ciphered (CRYPT). We found a good solution using EAP-TTLS with PAP. PAP
> permits us the authentication with CRYPT password. But, the problem is
> that LDAP database includes hash header before password, {crypt}XXXXX.
> How do you compare both passwords?????
>
> 	XXXX == {crypt}XXXX
>
> I propose the next solution:
>
> 	XXXX == XXXX
>
> Other solution???
>
> Thanks!
>   
If you can't use rlm_ldap authentication, you could make the crypt hash
of the passwords yourself, and store it in a normal "directory string"
attribute in LDAP, then export it from rlm_ldap via the ldap.attrmap
file. If you need to store the password as a proper password in LDAP, I
would suggest removing the "{CRYPT}" prefix through some separate module
(e.g. exec), and not in rlm_ldap.
> Alan DeKok wrote:
>   
>> "Juan C. Sanchez-DelBarrio" <carlos.sanchez at bsc.es> wrote:
>>     
>>> I propose the following patch to use EAP-TTLS+PAP+LDAP with CRYPT
>>> PASSWORD. This feature would permit us to cipher the plain password in
>>> LDAP using CRYPT hash and compare the CRYPT hash of user password from
>>> LDAP with PAP authentication (crypt).
>>>       
>>   Why?  The server already supports pulling the crypt'd password from
>> LDAP, and comparing it to the users password via rlm_ldap.
>>
>>   Alan DeKok.
>> --
>>   http://deployingradius.com       - The web site of the book
>>   http://deployingradius.com/blog/ - The blog
>> - 
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
>>     
>
>
>   
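
As an added example (not code from this thread, and not FreeRADIUS or rlm_ldap code), here is the kind of small standalone verifier that Daniel's "separate module (e.g. exec)" suggestion points at. It takes the PAP cleartext and the LDAP userPassword value, strips an RFC 2307 scheme header such as `{crypt}` or `{CRYPT}` case-insensitively, and then compares the cleartext against the hash that follows, which is exactly the `XXXX == {crypt}XXXX` question above. For the crypt case the stored hash is passed back to crypt(3) as the salt, so the same algorithm and parameters are reused, and the result is compared in constant time. It goes beyond the thread in also accepting bare crypt hashes (a hash kept in a plain attribute, as suggested) and `{SHA}`/`{SSHA}` values. The function names, the `$6$` sample salt, the constructed salts and the command-line calling convention are assumptions, not anything the thread or FreeRADIUS defines.

```python
# Added example (not from the thread or FreeRADIUS): verify a PAP cleartext
# password against an LDAP userPassword value that carries an RFC 2307
# scheme prefix such as "{crypt}", i.e. answer "XXXX == {crypt}XXXX".
import base64
import hashlib
import hmac
import sys

try:
    import crypt  # stdlib wrapper for crypt(3); deprecated in 3.11, removed in 3.13
    HAVE_CRYPT = True
except ImportError:  # degrade gracefully on interpreters without it
    crypt = None
    HAVE_CRYPT = False


def split_scheme(stored):
    """Split "{scheme}value" into (scheme, value) with scheme lowercased.
    A value without a "{...}" header comes back as (None, value)."""
    if stored.startswith("{"):
        end = stored.find("}")
        if end > 1:
            return stored[1:end].lower(), stored[end + 1:]
    return None, stored


def make_crypt_hash(cleartext, salt="$6$constructedsalt$"):
    """Produce a crypt(3) hash; "$6$" selects SHA-512 crypt on glibc/libxcrypt.
    The default salt is a constructed sample, not a real one."""
    if not HAVE_CRYPT:
        raise RuntimeError("crypt module unavailable on this interpreter")
    return crypt.crypt(cleartext, salt)


def make_ssha(cleartext, salt=b"constructed-salt"):
    """Encode a cleartext as an OpenLDAP-style {SSHA} value:
    base64(sha1(password + salt) + salt). The salt is a constructed sample."""
    digest = hashlib.sha1(cleartext.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ldap_password(cleartext, stored):
    """Return True iff cleartext matches the stored userPassword value."""
    scheme, value = split_scheme(stored)
    if scheme in (None, "crypt"):
        # Bare crypt hash (kept in a plain attribute) or "{crypt}" header
        # stripped: hand the stored hash back as the salt so crypt(3) picks
        # the same algorithm and parameters, then compare in constant time.
        if not HAVE_CRYPT:
            return False
        try:
            candidate = crypt.crypt(cleartext, value)
        except (OSError, ValueError):
            return False
        if candidate is None:
            return False
        return hmac.compare_digest(candidate.encode("utf-8"), value.encode("utf-8"))
    try:
        raw = base64.b64decode(value)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if scheme == "sha":
        digest = hashlib.sha1(cleartext.encode("utf-8")).digest()
        return hmac.compare_digest(digest, raw)
    if scheme == "ssha":
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, salt follows
        candidate = hashlib.sha1(cleartext.encode("utf-8") + salt).digest()
        return hmac.compare_digest(candidate, digest)
    return False  # unknown scheme: reject rather than guess


if __name__ == "__main__":
    # Assumed calling convention for a wrapper run from an exec-style module:
    # argv[1] = PAP cleartext, argv[2] = LDAP userPassword value.
    # Exit status 0 means the password matched, 1 means it did not.
    matched = verify_ldap_password(sys.argv[1], sys.argv[2])
    sys.exit(0 if matched else 1)
```

Unknown schemes are rejected rather than compared literally, so a value that is neither a crypt hash nor a recognised header never silently turns into a cleartext comparison.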

