Force PAP to use unix password instead of windows
Hello, I have freeradius authenticating users with a ldap backend. In my ldap configuration I have: update { control:Password-With-Header += 'userPassword' control:NT-Password := 'sambaNTPassword' control:LM-Password := 'sambaLMPassword' ... } in the site configuration I have: authorize { files ldap pap } authenticate { Auth-Type PAP { pap } } With this configuration, I think that all authentications are done using the password in windows format (the one I have in sambaNTPassword and sambaLMPassword ldap attributes) instead of the "standard" unix password stored in the userPassword attribute. Is there any way to force the use the password in the userPassword attribute instead of NT/LM one? -- Angel L. Mateo Martínez Sección de Telemática Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA) http://www.um.es/atica Tfo: 868887590 Fax: 868888337
I have freeradius authenticating users with a ldap backend. In my ldap configuration I have:
update { control:Password-With-Header += 'userPassword' control:NT-Password := 'sambaNTPassword' control:LM-Password := 'sambaLMPassword' ... } [snip] Is there any way to force the use the password in the userPassword attribute instead of NT/LM one?
Disable the two lines for the 'samba??Password' entries? Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet jisc.ac.uk Networkshop44, University of Manchester. Save the date: 22-24 March, 2016. #NWS44 Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
On 16 Mar 2016, at 10:27, Stefan Paetow <Stefan.Paetow@jisc.ac.uk> wrote:
I have freeradius authenticating users with a ldap backend. In my ldap configuration I have:
update { control:Password-With-Header += 'userPassword' control:NT-Password := 'sambaNTPassword' control:LM-Password := 'sambaLMPassword' ... } [snip] Is there any way to force the use the password in the userPassword attribute instead of NT/LM one?
Disable the two lines for the 'samba??Password' entries?
Or if only some LDAP entries have a cleartext password: if (&control:Password-With-Header) { update control { control:NT-Password !* ANY control:LM-Password !* ANY } } -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
El 16/03/16 a las 11:27, Stefan Paetow escribió:
I have freeradius authenticating users with a ldap backend. In my ldap configuration I have:
update { control:Password-With-Header += 'userPassword' control:NT-Password := 'sambaNTPassword' control:LM-Password := 'sambaLMPassword' ... } [snip] Is there any way to force the use the password in the userPassword attribute instead of NT/LM one?
Disable the two lines for the 'samba??Password' entries?
I can't disable them because I need the for eduroam auth. I want that other sites different than eduroam use unix password instead of windows one, without creating a specific ldap module for them. -- Angel L. Mateo Martínez Sección de Telemática Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA) http://www.um.es/atica Tfo: 868887590 Fax: 868888337
Disable the two lines for the 'samba??Password' entries?
I can't disable them because I need the for eduroam auth. I want that other sites different than eduroam use unix password instead of windows one, without creating a specific ldap module for them.
Ahhhh... In that case, you might want to do some unlang in the authorize section after ldap has been called... I assume that you have some way of distinguishing when you want to use the Unix password and when not. Use that distinction in an if...then...else unlang statement to either erase the two control attributes for the NT auth, or to skip calling mschap (which does the NTLM auth) in the authorize section. Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet jisc.ac.uk Networkshop44, University of Manchester. Save the date: 22-24 March, 2016. #NWS44 Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc¹s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
El 17/03/16 a las 10:55, Stefan Paetow escribió:
I assume that you have some way of distinguishing when you want to use the Unix password and when not. Use that distinction in an if...then...else unlang statement to either erase the two control attributes for the NT
I did this way.
auth, or to skip calling mschap (which does the NTLM auth) in the authorize section.
I don't use mschap in other sites than eduroam, but windows password it is used without it. -- Angel L. Mateo Martínez Sección de Telemática Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA) http://www.um.es/atica Tfo: 868887590 Fax: 868888337
participants (3)
-
Angel L. Mateo -
Arran Cudbard-Bell -
Stefan Paetow