Re: cisco WAP/FreeRadius/OpenLDAP
Thanks Phil. question on that. in the deployment of ldap that we have in place the users password attribute is 'userPassword'. looking at the ldap attribute file and various online results, is the authentication looking for ntPassword for that ldap attribute as opposed to the userPassword one that i have? i know that the user i am testing with has the password that is showing up, i am guessing that maybe i have it assigned in the wrong attribute or i need to change the ldap mapping file to use the attribute i have? -m On 10/27/2011 5:14 PM, freeradius-users-request@lists.freeradius.org wrote:
Re: cisco WAP/FreeRadius/OpenLDAP
-- Matthew Arguin Currensee, Inc. 54 Canal St, 4th Floor Boston, MA 02114 (617) 986-4758 (Office) _________________________________________________________________________ This email and any files transmitted with it are confidential and intended solely for the addressee. If you received this email in error, please do not disclose the contents to anyone; kindly notify the sender by return email and delete this email and any attachments from your system. © 2011 Currensee Inc. is a member of the National Futures Association (NFA) Member ID 0403251 | Over the counter retail foreign currency (Forex) trading may involve significant risk of loss. It is not suitable for all investors and you should make sure you understand the risks involved before trading and seek independent advice if necessary. Performance, strategies and charts shown are not necessarily predictive of any particular result and past performance is no indication of future results. Investor returns may vary from Trade Leader returns based on slippage, fees, broker spreads, volatility or other market conditions. Currensee Inc | 54 Canal St 4th Floor | Boston, MA 02114 | +1.617.624.3824
On Fri, Oct 28, 2011 at 4:32 AM, Matthew Arguin <matt.arguin@currensee.com> wrote:
Thanks Phil. question on that. in the deployment of ldap that we have in place the users password attribute is 'userPassword'. looking at the ldap attribute file and various online results, is the authentication looking for ntPassword for that ldap attribute as opposed to the userPassword one that i have?
Simple question: do you have eiter plain-text (i.e. unencrypted) password, or nt-hash password stored in your LDAP? If yes, it's simply a matter of picking the correct attribute (which is what ldap.atrrmap is for). If no (e.g. it's encrypted) do you know what encryption/hash it uses? Some password hash is supported by FR (e.g. unix crypt), while others (e.g. the one used by Lotus Domino) can't be used. -- Fajar
On 10/27/2011 10:32 PM, Matthew Arguin wrote:
Thanks Phil. question on that. in the deployment of ldap that we have in place the users password attribute is 'userPassword'. looking at the ldap attribute file and various online results, is the authentication looking for ntPassword for that ldap attribute as opposed to the
ntPassword only matters if you're doing MS-CHAP or PEAP/MSCHAP, where it or the plaintext password (or using samba/ntlm_auth) are required. For PEAP/GTC, all that matters is getting a compatible crypted password out of LDAP and into the right FreeRADIUS attribute. What type of passwords are you storing in your userPassword attribute? Many many schemes are possible e.g. # unlabelled unix crypt userPassword: xx1LtbDbOY4/E # unlabelled SHA/other userPassword: $6$xYC.0/CZo4LSBU # labelled userPassword: {md5}.... # plaintext userPassword: test By default, userPassword is mapped to the FreeRADIUS attribute Password-With-Header which assumes {label} prefixes, as this is most common. Also - are you *sure* the credentials you're using in the "ldap" module to query the directory have permissions to read the userPassword attribute?
participants (3)
-
Fajar A. Nugraha -
Matthew Arguin -
Phil Mayers