On Tue, Dec 30, 2014 at 1:09 PM, Fajar A. Nugraha <list@fajar.net> wrote:
On Tue, Dec 30, 2014 at 4:46 PM, sb <superabx@gmail.com> wrote:
> Hello!
>
> I'm trying to authenticate users from LDAP with FreeRadius by PAP protocol.
> Passwords are stored in LDAP in NT-hash. It's not my idea, I just have to do
> it.
>
> When I do
>
> radtest -t pap ....
>
> I see from freeradius -X:
>
> [pap] login attempt with password "n*******W"
> [pap] Using clear text password "1D******************************9B"

Did you assign the hash as cleartext-password?


No, in ldap.attrmap I have:

checkItem    NT-Password            sambaNtPassword

I've tried to add

checkItem    User-Password        sambaNtPassword

But it makes no difference. So now there is no User-Password and no Cleartext-Password in attributes.

 

> [pap] Passwords don't match

If yes, no wonder it doesn't work

> So the question is: how to force PAP to create NT-hash from the given
> password and compare hash and hash. but not the password and hash?


It should work out of the box:
http://deployingradius.com/documents/protocols/compatibility.html


Thank you, I will try.

 
That is, assuming you correctly assign the hash as NT-Password, and
not Cleartext-Password.

--
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html