Padam J Singh wrote:
I have a LDAP server which contains ntPassword and lmPassword attributes like following: ... lmPassword: {ENC}9846B736BDDA9E7CAAD3B435B51404EE ntPassword: {ENC}22D6ADD4E9AD37B87B8EDB2C91E1EE67
Ugh.
FR 2.1.1 is configured for doing 802.1x authentication. While doing the authentication, I obviously get Invalid NT-Password and Invalid LM-Password error. The error stems from the fact that the length is incorrect because of the additional {ENC} prefix.
Is there some configuration where I can set something so it ignores the initial {ENC} while doing the password comparison?
Edit raddb/dictionary. Add a new "string" attribute: ATTRIBUTE ENC-NT-Password string 3000 Edit raddb/ldap.attrmap. Delete the entries containing LM-Password. Edit raddb/ldap.attrmap. Find the entries containing NT-Password, and change them to ENC-NT-Password. Edit raddb/sites-available/default (I presume you're running a recent version of the server...) Look for the "authorize" section. In it, look for the "ldap" module. Change it to: authorize { ... ldap # leave this here # all of this goes on one line if (control:ENC-NT-Password && (control:ENC-NT-Password =~ /{ENC}(.*)/) { update control { NT-Password := "%{1}" } } ... } That should work. Alan DeKok.