On 10/27/2011 10:32 PM, Matthew Arguin wrote:
Thanks Phil. question on that. in the deployment of ldap that we have in place the users password attribute is 'userPassword'. looking at the ldap attribute file and various online results, is the authentication looking for ntPassword for that ldap attribute as opposed to the
ntPassword only matters if you're doing MS-CHAP or PEAP/MSCHAP, where it or the plaintext password (or using samba/ntlm_auth) are required. For PEAP/GTC, all that matters is getting a compatible crypted password out of LDAP and into the right FreeRADIUS attribute. What type of passwords are you storing in your userPassword attribute? Many many schemes are possible e.g. # unlabelled unix crypt userPassword: xx1LtbDbOY4/E # unlabelled SHA/other userPassword: $6$xYC.0/CZo4LSBU # labelled userPassword: {md5}.... # plaintext userPassword: test By default, userPassword is mapped to the FreeRADIUS attribute Password-With-Header which assumes {label} prefixes, as this is most common. Also - are you *sure* the credentials you're using in the "ldap" module to query the directory have permissions to read the userPassword attribute?