Suggest the following patch for LDAP+EAP-TTLS+PAP+CRYPT
Hi all, I propose the following patch to use EAP-TTLS+PAP+LDAP with CRYPT PASSWORD. This feature would permit us to cipher the plain password in LDAP using CRYPT hash and compare the CRYPT hash of user password from LDAP with PAP authentication (crypt). Best Regards, -- Juan C. Sanchez-DelBarrio Security Officer Barcelona Supercomputing Center http://www.bsc.es
Best Regards, =20 -----------------------------------------------------------------------=
diff -urN ./src/modules/rlm_ldap/rlm_ldap.c ../freeradius-1.1.3-crypt-l=
--- ./src/modules/rlm_ldap/rlm_ldap.c 2006-05-09 01:45:49.000000000 +02= 00 +++ ../freeradius-1.1.3-crypt-ldap/src/modules/rlm_ldap/rlm_ldap.c 2006= -07-18 16:24:42.734009032 +0200 @@ -2511,6 +2511,15 @@ DEBUG("rlm_ldap: Attribute %s has no value", element->attr); continue; } + =09 + if (value[0] =3D=3D '{' && !strcmp(element->attr, "userPassword"))= { + char *aux_value =3D strstr(value, "}"); + if (aux_value) {=09 + aux_value++; + value =3D aux_value;=09 + } + DEBUG("rlm_ldap: Delete {CRYPT} from attribute %s", element->attr= ); =09 + } =20 DEBUG("rlm_ldap: Adding LDAP attribute %s as RADIUS attribute %s %= s %s", element->attr, element->radius_attr, =20 -----------------------------------------------------------------------=
dap/src/modules/rlm_ldap/rlm_ldap.c -
-=20 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/dev=
el.html
"Juan C. Sanchez-DelBarrio" <carlos.sanchez@bsc.es> wrote:
I propose the following patch to use EAP-TTLS+PAP+LDAP with CRYPT PASSWORD. This feature would permit us to cipher the plain password in LDAP using CRYPT hash and compare the CRYPT hash of user password from LDAP with PAP authentication (crypt).
Why? The server already supports pulling the crypt'd password from LDAP, and comparing it to the users password via rlm_ldap. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Hi Alan, I agree with you. Before using EAP-TTLS with PAP, we used MD5 cipher but you need to have the LDAP User-Password in plain-text. Our security requirement in the LDAP database is that the User-Password must be ciphered (CRYPT). We found a good solution using EAP-TTLS with PAP. PAP permits us the authentication with CRYPT password. But, the problem is that LDAP database includes hash header before password, {crypt}XXXXX. How do you compare both passwords????? XXXX == {crypt}XXXX I propose the next solution: XXXX == XXXX Other solution??? Thanks! Alan DeKok wrote:
"Juan C. Sanchez-DelBarrio" <carlos.sanchez@bsc.es> wrote:
I propose the following patch to use EAP-TTLS+PAP+LDAP with CRYPT PASSWORD. This feature would permit us to cipher the plain password in LDAP using CRYPT hash and compare the CRYPT hash of user password from LDAP with PAP authentication (crypt).
Why? The server already supports pulling the crypt'd password from LDAP, and comparing it to the users password via rlm_ldap.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
-- Juan C. Sanchez-DelBarrio BSC-CNS http://www.bsc.es
Juan C. Sanchez-DelBarrio wrote:
Hi Alan,
I agree with you. Before using EAP-TTLS with PAP, we used MD5 cipher but you need to have the LDAP User-Password in plain-text. Our security requirement in the LDAP database is that the User-Password must be ciphered (CRYPT). We found a good solution using EAP-TTLS with PAP. PAP permits us the authentication with CRYPT password. But, the problem is that LDAP database includes hash header before password, {crypt}XXXXX. How do you compare both passwords?????
XXXX == {crypt}XXXX
I propose the next solution:
XXXX == XXXX
Other solution???
Thanks!
If you can't use rlm_ldap authentication, you could make the crypt hash of the passwords yourself, and store it in a normal "directory string" attribute in LDAP, then export it from rlm_ldap via the ldap.attrmap file. If you need to store the password as a proper password in LDAP, I would suggest removing the "{CRYPT}" prefix through some separate module (e.g. exec), and not in rlm_ldap.
Alan DeKok wrote:
"Juan C. Sanchez-DelBarrio" <carlos.sanchez@bsc.es> wrote:
I propose the following patch to use EAP-TTLS+PAP+LDAP with CRYPT PASSWORD. This feature would permit us to cipher the plain password in LDAP using CRYPT hash and compare the CRYPT hash of user password from LDAP with PAP authentication (crypt).
Why? The server already supports pulling the crypt'd password from LDAP, and comparing it to the users password via rlm_ldap.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
participants (3)
-
Alan DeKok -
Daniel Larsson -
Juan C. Sanchez-DelBarrio