Hello, I have a freeradius server that i use to authenticate users before they access network switches. user passwords reside in an ldap directory with the following attributes and formats: userPassword: (CRYPT password) sambaNTPassword: (NT Hash) sambaLMPassword: (LM hash) PAP is choosing automaticaly the NT encryption to validate the password. Is there a way to force PAP to use the userPassword with the CRYPT encryption? PS: i have to keep sambaNTPassword and sambaLMPassword along with userPassword as check items for other use scenarii. i'll post the relevant part of my radius log file in case it helps, thank you. [ldap] looking for check items in directory... [ldap] userPassword -> Password-With-Header == "{CRYPT}$1$$xkbzS/dF4YU/JKyjA5.36." [ldap] sambaNtPassword -> NT-Password == 0x4539463933393235373938463136464345394639333932353739384631364642 [ldap] sambaLmPassword -> LM-Password == 0x4243333041323738464338383546424538393735438383546424538393735456 [ldap] userPassword -> User-Password == "{CRYPT}$1$$xkbzS/dF4YU/JKyjA5.36." [ldap] looking for reply items in directory... [ldap] user theUser authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing NT-Password from hex encoding [pap] Normalizing LM-Password from hex encoding ++[pap] returns updated Found Auth-Type = PAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group PAP {...} [pap] login attempt with password "thepassword" [pap] Using NT encryption. [pap] expand: %{User-Password} -> thepassword [pap] NT-Hash of thepassword = e9f93925798f16fc4c9f93925798f1 [pap] expand: %{mschap:NT-Hash %{User-Password}} -> e9f93925798f16fc4c9f93925798f1 [pap] User authenticated successfully
mic night wrote:
I have a freeradius server that i use to authenticate users before they access network switches. user passwords reside in an ldap directory with the following attributes and formats:
userPassword: (CRYPT password) sambaNTPassword: (NT Hash) sambaLMPassword: (LM hash)
PAP is choosing automaticaly the NT encryption to validate the password. Is there a way to force PAP to use the userPassword with the CRYPT encryption?
Why does it matter? You're asking how to implement a solution. That's wrong. Instead, talk about the problem. What *is* the problem? Alan DeKok.
Le 10/05/2011 16:50, Alan DeKok a écrit :
mic night wrote:
I have a freeradius server that i use to authenticate users before they access network switches. user passwords reside in an ldap directory with the following attributes and formats:
userPassword: (CRYPT password) sambaNTPassword: (NT Hash) sambaLMPassword: (LM hash)
PAP is choosing automaticaly the NT encryption to validate the password. Is there a way to force PAP to use the userPassword with the CRYPT encryption? Why does it matter?
You're asking how to implement a solution. That's wrong.
Instead, talk about the problem. What *is* the problem?
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Yes , sorry i didn't expose the problem... Actualy, we have a problem generating the sambaNTPassword an sambaLMPassword and that's why i'm (temporary) trying to force PAP to use the userPassword attribute.
Thank you.
mic night wrote:
Yes , sorry i didn't expose the problem... Actualy, we have a problem generating the sambaNTPassword an sambaLMPassword and that's why i'm (temporary) trying to force PAP to use the userPassword attribute.
$ man unlang See "!*". You can delete attributes from the "control" list. So... delete the NT-Password attribute after it was added, and before it's used for authentication. Alan DeKok.
participants (2)
-
Alan DeKok -
mic night