On Tue, Dec 30, 2014 at 5:44 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Dec 30, 2014, at 10:28 AM, sb <superabx@gmail.com> wrote:
Yes, but how to prevent it? I have nothing about User-Password in freeradius configs:
Try version 2.2.6. The PAP module has been updated to do a better job of discovering which password is where.
Thank you, Alan! I will try to upgrade to 2.2.6.
And you probably want to double-check the *format* of the passwords. You seem to have put the hashed version of the password into the userPassword field. Then, taken that, turned it into hex, and put that into the ntPassword field in LDAP. That’s wrong.
Actually we have no userPassword field in LDAP, the string checkitem Password-With-Header userPassword should be there from default config. I've commented it out, but got the same. All that we have in LDAP: sambaLMPassword: B4****************************************C6 sambaNTPassword: 1D****************************************9B mapped to: checkItem LM-Password sambaLmPassword checkItem NT-Password sambaNtPassword
The userPassword field in LDAP should contain the clear-text password. e.g. “hello”, or “password”. The ntPassword field in LDAP should contain the hex version of NT hashed password. e.g. 01abcdef… OR, the userPassword field in LDAP should contain "{nt}01abcdef…” The {nt} prefix says that the rest of the password is the NT hash.
Possible I have to add {nt} prefix before the password? "checkItem User-Password {nt}sambaNtPassword" - that won't work?