auth to LDAP via two mechanisms

Rob Shepherd rob at techniumcast.com
Mon Aug 21 11:06:52 CEST 2006


Alan DeKok wrote:
> Rob Shepherd <rob at techniumcast.com> wrote:
>> I'll use PAP (ldap auth)
> 
>   Please don't.  It makes everything harder.

OK.

> 
>   LDAP is a database, not an authentication server.  Have the server
> read the clear-text password from LDAP, and the server will figure out
> how to authenticate the user.  Remove "ldap" from the "authenticate"
> section.  It's just not necessary.

No clear-text is stored in LDAP. I have MD5 in userPassword and the two 
samba hashes.
The cisco kit, VPN concentrator and switches etc, supply a clear text 
password at radius. I figured my only option was to PAP-to-LDAP.

Is there an alternative for this situation?


> 
>>  from the VPN concentrator but mschapv2 from the 
>> wireless, as it'll go through a peap or eap-tls tunnel. I have NT and LM 
>> hashes already in the LDAP, I just need to extract them...
> 
>   And how I get the nt/lm hashes from ldap and do mschapv2..
> 
>   ldap.attrmap, and the server will figure out what to do.

Thanks.

-- 
Rob Shepherd | Computer and Network Engineer | Technium CAST | LL57 4HJ
rob at techniumcast.com | 01248 675024 | 07776 210516



More information about the Freeradius-Users mailing list