AD doesn't supply passwords through LDAP. That's why the server ships with support for ntlm_auth.
That is right, I forgot that even if you are on a ssl/tls ldap connection as an administrator, you can't pull the password back from AD. What "hooks" are you talking about? The extensions for unix services? -- Chris Liles -----Original Message----- From: freeradius-users-bounces+chris.liles=air2web.com@lists.freeradius.org [mailto:freeradius-users-bounces+chris.liles=air2web.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Thursday, May 25, 2006 11:36 AM To: FreeRadius users mailing list Subject: Re: PEAP + AD "Chris Liles" <Chris.Liles@air2web.com> wrote:
But I have also read about some guy successfully using OpenLDAP with PEAP because he stored the LM and NT password hashes in the ldap schema along with the clear text password. With AD I suppose you could extend the schema to store these as well, but you'd have to manually update them when a password changes.
Yes. There are hooks in AD to do just that, but the software implementing the hooks has to be installed on every domain controller.
In my attempts to use ldap with active directory for PEAP it wouldn't work, so I went samba. It works fine. Radiusd -X and the mailing list are your best friends. :)
AD doesn't supply passwords through LDAP. That's why the server ships with support for ntlm_auth. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html