LDAP ntPassword and lmPassword help
Hello, I have a LDAP server which contains ntPassword and lmPassword attributes like following: dn: uid=subs, ou=accounts, dc=test, dc=com uid: subs userPassword:: e01ENX03MmIwMTViNDhlOTU5ZTlkYWQ3MTAxNjNiYjJhZDkyMQ== mac: "" lmPassword: {ENC}9846B736BDDA9E7CAAD3B435B51404EE ntPassword: {ENC}22D6ADD4E9AD37B87B8EDB2C91E1EE67 objectClass: objDevices objectClass: top FR 2.1.1 is configured for doing 802.1x authentication. While doing the authentication, I obviously get Invalid NT-Password and Invalid LM-Password error. The error stems from the fact that the length is incorrect because of the additional {ENC} prefix. Is there some configuration where I can set something so it ignores the initial {ENC} while doing the password comparison? I cannot get rid of the {ENC} prefix. Thanks, Padam -- PGP Id 9EED2E09
I have a LDAP server which contains ntPassword and lmPassword attributes like following:
dn: uid=subs, ou=accounts, dc=test, dc=com uid: subs userPassword:: e01ENX03MmIwMTViNDhlOTU5ZTlkYWQ3MTAxNjNiYjJhZDkyMQ== mac: "" lmPassword: {ENC}9846B736BDDA9E7CAAD3B435B51404EE ntPassword: {ENC}22D6ADD4E9AD37B87B8EDB2C91E1EE67 objectClass: objDevices objectClass: top
FR 2.1.1 is configured for doing 802.1x authentication. While doing the authentication, I obviously get Invalid NT-Password and Invalid LM-Password error. The error stems from the fact that the length is incorrect because of the additional {ENC} prefix.
Is there some configuration where I can set something so it ignores the initial {ENC} while doing the password comparison?
I cannot get rid of the {ENC} prefix.
Rewrite NT-Password and LM-Password using unlang (or perl) after ldap in authorize. Ivan Kalik Kalik Informatika ISP
Padam J Singh wrote:
I have a LDAP server which contains ntPassword and lmPassword attributes like following: ... lmPassword: {ENC}9846B736BDDA9E7CAAD3B435B51404EE ntPassword: {ENC}22D6ADD4E9AD37B87B8EDB2C91E1EE67
Ugh.
FR 2.1.1 is configured for doing 802.1x authentication. While doing the authentication, I obviously get Invalid NT-Password and Invalid LM-Password error. The error stems from the fact that the length is incorrect because of the additional {ENC} prefix.
Is there some configuration where I can set something so it ignores the initial {ENC} while doing the password comparison?
Edit raddb/dictionary. Add a new "string" attribute: ATTRIBUTE ENC-NT-Password string 3000 Edit raddb/ldap.attrmap. Delete the entries containing LM-Password. Edit raddb/ldap.attrmap. Find the entries containing NT-Password, and change them to ENC-NT-Password. Edit raddb/sites-available/default (I presume you're running a recent version of the server...) Look for the "authorize" section. In it, look for the "ldap" module. Change it to: authorize { ... ldap # leave this here # all of this goes on one line if (control:ENC-NT-Password && (control:ENC-NT-Password =~ /{ENC}(.*)/) { update control { NT-Password := "%{1}" } } ... } That should work. Alan DeKok.
participants (3)
-
Alan DeKok -
Padam J Singh -
tnt@kalik.net