AD doesn't supply passwords through LDAP. That's why the server ships with support for ntlm_auth.
That is right, I forgot that even if you are on a ssl/tls ldap connection as an administrator, you can't pull the password back from AD. What "hooks" are you talking about? The extensions for unix services? -- Chris Liles -----Original Message----- From: freeradius-users-bounces+chris.liles=air2web.com@lists.freeradius.org [mailto:freeradius-users-bounces+chris.liles=air2web.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Thursday, May 25, 2006 11:36 AM To: FreeRadius users mailing list Subject: Re: PEAP + AD "Chris Liles" <Chris.Liles@air2web.com> wrote:
But I have also read about some guy successfully using OpenLDAP with PEAP because he stored the LM and NT password hashes in the ldap schema along with the clear text password. With AD I suppose you could extend the schema to store these as well, but you'd have to manually update them when a password changes.
Yes. There are hooks in AD to do just that, but the software implementing the hooks has to be installed on every domain controller.
In my attempts to use ldap with active directory for PEAP it wouldn't work, so I went samba. It works fine. Radiusd -X and the mailing list are your best friends. :)
AD doesn't supply passwords through LDAP. That's why the server ships with support for ntlm_auth. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
"Chris Liles" <Chris.Liles@air2web.com> wrote:
What "hooks" are you talking about? The extensions for unix services?
No. There are API's in Windows to catch password changes, and pass them through your own code. That code can then *also* write the password to a different part of the AD schema. For this to work, it requires: - someone to understand & write the code - the code to run on *every* member of an AD forest - the AD schema to be updated to include the new ntpassword attribute - AD ACL's put in place to limit access to that attribute to FreeRADIUS - FreeRADIUS to be configured to look for that attribute. It shouldn't be hard, but convincing admins to change their AD schema, and run third-party code on their DC's is often hard. Alan DeKok.
participants (2)
-
Alan DeKok -
Chris Liles