Check LDAP password with SHA512

Arran Cudbard-Bell a.cudbardb at freeradius.org
Wed Jan 27 23:13:41 CET 2016


> On Jan 27, 2016, at 5:08 PM, Arran Cudbard-Bell <a.cudbardb at freeradius.org> wrote:
> 
> 
>> On Jan 27, 2016, at 4:36 PM, Will W. <will at damagesinc.net> wrote:
>> 
>> Question
>> With Start_TLS yes
>> this is enabling the Freeradius to connect to the LDAP server over a TLS tunnel correct?
> 
> Yes, the connection starts off as plaintext, then the ldap client requests to establish a TLS tunnel.
> 
> Map looks OK.  You need to run ldapsearch with this invocation to see if the userPassword is being returned:
> 
> ldapsearch -H ldap://ldap.myhost.com:389 -ZZ -x -b "ou=Users,dc=myhost,dc=com" -D "uid=demouser,ou=Users,dc=myhost,dc=com" -w testing123 "(objectClass=posixGroup)" userPassword

Here are the headers and what they map to:

/*
 *	For auto-header discovery.
 *
 *	@note Header comparison is case insensitive.
 */
static const FR_NAME_NUMBER header_names[] = {
	{ "{clear}",		PW_CLEARTEXT_PASSWORD },
	{ "{cleartext}",	PW_CLEARTEXT_PASSWORD },
	{ "{md5}",		PW_MD5_PASSWORD },
	{ "{base64_md5}",	PW_MD5_PASSWORD },
	{ "{smd5}",		PW_SMD5_PASSWORD },
	{ "{crypt}",		PW_CRYPT_PASSWORD },
#ifdef HAVE_OPENSSL_EVP_H
	/*
	 *	It'd make more sense for the headers to be
	 *	ssha2-* with SHA3 coming soon but we're at
	 *	the mercy of directory implementors.
	 */
	{ "{sha2}",		PW_SHA2_PASSWORD },
	{ "{sha224}",		PW_SHA2_PASSWORD },
	{ "{sha256}",		PW_SHA2_PASSWORD },
	{ "{sha384}",		PW_SHA2_PASSWORD },
	{ "{sha512}",		PW_SHA2_PASSWORD },
	{ "{ssha224}",		PW_SSHA2_224_PASSWORD },
	{ "{ssha256}",		PW_SSHA2_256_PASSWORD },
	{ "{ssha384}",		PW_SSHA2_384_PASSWORD },
	{ "{ssha512}",		PW_SSHA2_512_PASSWORD },
#endif
	{ "{sha}",		PW_SHA_PASSWORD },
	{ "{ssha}",		PW_SSHA_PASSWORD },
	{ "{md4}",		PW_NT_PASSWORD },
	{ "{nt}",		PW_NT_PASSWORD },
	{ "{nthash}",		PW_NT_PASSWORD },
	{ "{x-nthash}",		PW_NT_PASSWORD },
	{ "{ns-mta-md5}",	PW_NS_MTA_MD5_PASSWORD },
	{ "{x- orcllmv}",	PW_LM_PASSWORD },
	{ "{X- orclntv}",	PW_NT_PASSWORD },
	{ NULL, 0 }
};

You need to call the pap module in authorize after the LDAP module in order to strip the header and perform the conversion.

It also does a bunch of normalisation.  It could be you have the modules in the wrong order, pap then ldap when you need ldap then pap.
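As an added example (not code from the FreeRADIUS project), here is a Python sketch of what rlm_pap does with a userPassword value once rlm_ldap has mapped it: case-insensitive header lookup modelled on the table above, normalisation of hex or base64 bodies, salt splitting for the salted variants, and a constant-time compare. It covers only the clear, MD5, SHA1 and SHA-2 headers (crypt, NT and the vendor-specific headers are omitted), and make_ssha512 plus the sample salt are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import re

# Header -> (hashlib name, salted?); None means the value is cleartext.
# Modelled on the FreeRADIUS header table; lookup is case insensitive.
HEADERS = {
    "clear": None, "cleartext": None,
    "md5": ("md5", False), "smd5": ("md5", True),
    "sha": ("sha1", False), "ssha": ("sha1", True),
    "sha256": ("sha256", False), "ssha256": ("sha256", True),
    "sha384": ("sha384", False), "ssha384": ("sha384", True),
    "sha512": ("sha512", False), "ssha512": ("sha512", True),
}
HEADER_RE = re.compile(r"^\{([^}]+)\}(.*)$", re.DOTALL)


def normify(body: str, digest_len: int) -> bytes:
    """Undo the encoding the directory applied: hex first, then base64, else raw."""
    if len(body) >= 2 * digest_len and len(body) % 2 == 0 and re.fullmatch(r"[0-9a-fA-F]+", body):
        return bytes.fromhex(body)
    try:
        raw = base64.b64decode(body, validate=True)
        if len(raw) >= digest_len:
            return raw
    except ValueError:  # not base64 (binascii.Error is a ValueError)
        pass
    return body.encode("latin-1")


def check_password(user_password: str, candidate: str) -> bool:
    """Verify candidate against an LDAP userPassword value with a {header}."""
    m = HEADER_RE.match(user_password)
    header, body = (m.group(1).lower(), m.group(2)) if m else (None, user_password)
    if header is not None and header not in HEADERS:
        raise ValueError("unsupported password header {%s}" % header)
    spec = HEADERS.get(header)
    if spec is None:  # no header, or {clear}/{cleartext}: compare as plaintext
        return hmac.compare_digest(body.encode(), candidate.encode())
    algo, salted = spec
    digest_len = hashlib.new(algo).digest_size
    raw = normify(body, digest_len)
    digest, salt = raw[:digest_len], raw[digest_len:]  # salt follows the digest
    if salt and not salted:
        raise ValueError("unsalted %s hash has trailing bytes" % algo)
    computed = hashlib.new(algo, candidate.encode() + salt).digest()
    return hmac.compare_digest(computed, digest)


def make_ssha512(password: str, salt: bytes) -> str:
    """Constructed helper: build a {SSHA512} value as directories store it, base64(hash || salt)."""
    digest = hashlib.sha512(password.encode() + salt).digest()
    return "{SSHA512}" + base64.b64encode(digest + salt).decode()
```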

-Arran