LDAP ntPassword and lmPassword help

Alan DeKok aland at deployingradius.com
Fri Mar 20 07:24:11 CET 2009


Padam J Singh wrote:
> I have a LDAP server which contains ntPassword and lmPassword attributes
> like following:
...
> lmPassword: {ENC}9846B736BDDA9E7CAAD3B435B51404EE
> ntPassword: {ENC}22D6ADD4E9AD37B87B8EDB2C91E1EE67

  Ugh.

> FR 2.1.1 is configured for doing 802.1x authentication. While doing the
> authentication, I obviously get Invalid NT-Password and Invalid
> LM-Password error. The error stems from the fact that the length is
> incorrect because of the additional {ENC} prefix.
> 
> Is there some configuration where I can set something so it ignores the
> initial {ENC} while doing the password comparison?

  Edit raddb/dictionary.  Add a new "string" attribute:

ATTRIBUTE ENC-NT-Password string 3000

  Edit raddb/ldap.attrmap.  Delete the entries containing LM-Password.

  Edit raddb/ldap.attrmap.  Find the entries containing NT-Password, and
change them to ENC-NT-Password.

  Edit raddb/sites-available/default (I presume you're running a recent
version of the server...)  Look for the "authorize" section.  In it,
look for the "ldap" module.  Change it to:

authorize {
	...

	ldap  # leave this here

	#  all of this goes on one line
	if (control:ENC-NT-Password && (control:ENC-NT-Password =~ /{ENC}(.*)/)) {
		update control {
			NT-Password := "%{1}"
		}
	}

	...
}

  That should work.

  Alan DeKok.
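Added example, not from the post or from FreeRADIUS itself: a Python model of the authorize policy above, which strips the {ENC} prefix and then checks that what remains is the 32 hex digit NT hash the module expects (the length failure the original question reports). Function names are my own; the regex is anchored, unlike the unlang one, and the sample values are the ones quoted in the thread.

```python
import re

# Mirrors the unlang check in the post: match a leading "{ENC}" and capture the rest.
ENC_PREFIX_RE = re.compile(r"^\{ENC\}(.*)$")
NT_HASH_HEX_LEN = 32  # 16-byte NT hash, hex encoded, which is what rlm_mschap compares against


def strip_enc_prefix(value: str) -> str:
    """Equivalent of  update control { NT-Password := "%{1}" }  after the regex match."""
    m = ENC_PREFIX_RE.match(value)
    return m.group(1) if m else value


def normalize_nt_password(value: str) -> str:
    """Strip {ENC} and require a 32-digit hex string; raise ValueError on anything else.

    Feeding the raw value through unchanged would fail this check: "{ENC}" adds five
    characters, so the server sees 37 instead of 32 and reports an invalid NT-Password.
    """
    hexhash = strip_enc_prefix(value.strip())
    if len(hexhash) != NT_HASH_HEX_LEN or not re.fullmatch(r"[0-9A-Fa-f]+", hexhash):
        raise ValueError(
            f"NT hash must be {NT_HASH_HEX_LEN} hex digits, got {len(hexhash)}: {value!r}"
        )
    return hexhash.upper()


def authorize_update(control: dict) -> dict:
    """Emulate the authorize block: only set NT-Password when ENC-NT-Password is present
    and yields a well-formed hash; otherwise leave control unchanged (empty update)."""
    raw = control.get("ENC-NT-Password")
    if raw is None:
        return {}
    try:
        return {"NT-Password": normalize_nt_password(raw)}
    except ValueError:
        return {}


if __name__ == "__main__":
    # Sample value taken from the thread above
    print(authorize_update({"ENC-NT-Password": "{ENC}22D6ADD4E9AD37B87B8EDB2C91E1EE67"}))
```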