W dniu 26.10.2021 o 14:43, Th1am1dMonozoicK4runa via Freeradius-Users pisze:
On Monday, October 25th, 2021 at 5:09 PM, Alan DeKok <aland@deployingradius.com> wrote:
You can always run an LDAP query manually via "unlang" to check the status of the pwdReset field.
Thank you for the tip, I was leaning that way, but was curious what the recommended method would be.
The recommendation against using "Auth-Type = LDAP" is that it only works for clear-text passwords. If the user tries CHAP / MS-CHAP / EAP, then "Auth-Type = LDAP" simply won't work.
And there's no way around this for users that have to have both LDAP and RADIUS, correct? Even though there are articles floating around out there about setting CHAP with LDAP: https://www.wogri.com/networking/freeradius-chap/
For better GDPR compliance and security I'd like to recommend using NT-Password for authentication (sambaNTPassword in LDAP). These passwords stored as NThashes are fully compliant with MSCHAP authentication, but you have to store them in LDAP (or even database), so you have to store and chage both: SHA hashed userPassword and NT hashed sambaNTPassword for each user. The drawback is that such a solution requires 3rd party password updating tool for LDAP.
Note also that there's no standard for doing password changes via RADIUS. So the only thing you'll get by setting / checking pwdReset is that users won't be able to login via RADIUS.
Overall, we're just trying to implement the most secure/best practice setup to allow the LDAP users and RADIUS users to utilize the same company driven password policy. Looked like the only way to accomplish that, was to have RADIUS use LDAP as a password database.
Thanks for your time!
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Marek Zarychta