CentOS OpenLDAP pwdReset Attribute

Marek Zarychta zarychtam at plan-b.pwste.edu.pl
Tue Oct 26 18:51:06 CEST 2021


On 26.10.2021 at 14:43, Th1am1dMonozoicK4runa via Freeradius-Users wrote:
> On Monday, October 25th, 2021 at 5:09 PM, Alan DeKok <aland at deployingradius.com> wrote:
> 
>> You can always run an LDAP query manually via "unlang" to check the status of the pwdReset field.
> 
> Thank you for the tip, I was leaning that way, but was curious what the recommended method would be.
> 
> 
>> The recommendation against using "Auth-Type = LDAP" is that it only works for clear-text passwords. If the user tries CHAP / MS-CHAP / EAP, then "Auth-Type = LDAP" simply won't work.
> 
> And there's no way around this for users that have to have both LDAP and RADIUS, correct? Even though there are articles floating around out there about setting CHAP with LDAP: https://www.wogri.com/networking/freeradius-chap/

For better GDPR compliance and security I'd like to recommend using
NT-Password for authentication (sambaNTPassword in LDAP). These
passwords stored as NT hashes are fully compliant with MSCHAP
authentication, but you have to store them in LDAP (or even in a database),
so you have to store and change both: the SHA-hashed userPassword and the NT-
hashed sambaNTPassword for each user. The drawback is that such a
solution requires a 3rd-party password updating tool for LDAP.

> 
> 
>> Note also that there's no standard for doing password changes via RADIUS.  So the only thing you'll get by setting / checking pwdReset is that users won't be able to login via RADIUS.
> 
> Overall, we're just trying to implement the most secure/best practice setup to allow the LDAP users and RADIUS users to utilize the same company driven password policy. Looked like the only way to accomplish that, was to have RADIUS use LDAP as a password database.
> 
> 
> Thanks for your time!
> 


-- 
Marek Zarychta
