On Wed, Mar 7, 2012 at 1:53 AM, Fajar A. Nugraha <list@fajar.net> wrote:
On Wed, Mar 7, 2012 at 12:32 AM, Stefano Zanmarchi <zanmarchi@gmail.com> wrote:
Hi, my aim is to to have eap-ttls/pap working using an openldap user database with MD5 hashed passwords. I got it working configuring ldap parameters in /etc/raddb/modules/ldap and applying two changes in /etc/raddb/sites-available/inner-tunnel: 1) uncommented "ldap" in the authorize section 2) uncommented these lines in the authenticate section: Auth-Type LDAP { ldap } Am I doing it right?
The documentation advised against that.
Instead, you should find out which LDAP attribute stores your MD5-password, add the correct mapping to ldap.attrmap, and leave Auth-Type section commented-out.
It shouldn't affect the result though, since you don't have cleartext-password stored in LDAP.
I should've said "It shouldn't affect the result FOR YOU, since you don't have cleartext-password stored in LDAP, and only have MD5 hash". If you have NT-hash version of the password stored instead, then the choice of forcing auth-type or not means the difference between being able to use (EAP-)MSCHAPv2 or not. -- Fajar