Passwords for PEAP from AD-based LDAP
This may be on the fringes of the scope of this group, but any pointers would be appreciated. I am attempting to setup EAP-PEAP authentication via FreeRadius and a Windows-based LDAP backend. The users accounts are in AD. After making it past a number of obstacles, I am communicating with the LDAP server, but found that neither LM-Passwords nor NT-Passwords are loaded into the LDAP. "Clear-text" is NOT an option, and is not available either, anyway. This problem must have been encountered by others. Assuming that it can be done, how do you get the password information out of AD and into LDAP in an appropriate format? Yes, I could use ntlm_auth and probably get it working, but this is supposed to be LDAP-based, not SAMBA. The LDAP could move to a different environment. Use of standards is important to us. Thanks, Robert Toense
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Robert E. Toense wrote:
I am attempting to setup EAP-PEAP authentication via FreeRadius and a Windows-based LDAP backend. The users accounts are in AD. After making it past a number of obstacles, I am communicating with the LDAP server, but found that neither LM-Passwords nor NT-Passwords are loaded into the LDAP. "Clear-text" is NOT an option, and is not available either, anyway. This problem must have been encountered by others. Assuming that it can be done, how do you get the password information out of AD and into LDAP in an appropriate format?
Yes, I could use ntlm_auth and probably get it working, but this is supposed to be LDAP-based, not SAMBA. The LDAP could move to a different environment. Use of standards is important to us.
PEAP uses MS-CHAPv2, which requires knowledge of some form of the clear-text password. LDAP does not give you clear-text password, therefore you must use ntlm_auth, it works well. - -- ============== +---------------------------------------------+ Martin Gadbois | "Please answer by yes or no. | Sr. SW Designer | Uncooperative user waste precious CPU time" | Colubris Networks Inc. | -- The Andromeda Strain, M. Crichton, 1969 | -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGlkba9Y3/iTTCEDkRAoiFAKCIgcVFpTK+T5WrsQBUqR0OnPMv2wCgxYyX 0TeTG+F6jBU9mkq85HAPst4= =qKq7 -----END PGP SIGNATURE-----
Robert E. Toense wrote:
This may be on the fringes of the scope of this group, but any pointers would be appreciated.
I am attempting to setup EAP-PEAP authentication via FreeRadius and a Windows-based LDAP backend. The users accounts are in AD. After making it past a number of obstacles, I am communicating with the LDAP server, but found that neither LM-Passwords nor NT-Passwords are loaded into the LDAP. "Clear-text" is NOT an option, and is not available either,
Oh, they're in AD, but they're not available through LDAP. See: http://deployingradius.com/documents/configuration/active_directory.html
Yes, I could use ntlm_auth and probably get it working, but this is supposed to be LDAP-based, not SAMBA. The LDAP could move to a different environment. Use of standards is important to us.
1) Ask Microsoft to expose the password through LDAP. 2) Use Samba. 3) Use a real LDAP server. Those are your choices. Alan DeKok.
Alan DeKok said:
Robert E. Toense wrote:
Yes, I could use ntlm_auth and probably get it working, but this is supposed to be LDAP-based, not SAMBA. The LDAP could move to a different environment. Use of standards is important to us.
Robert ... unfortunately, Microsoft doesn't take standards as seriously as you or I do. When they say something is "standards based", what they actually mean is they cherry picked the parts they liked, tweaked other parts to make it work with Windows, and flat out made up the rest as they went along. Almost any "standards based" interoperability with Windows will require that you sacrifice some of your principles. In this case that sacrifice is ntlm-auth. Accept it into your life. Think it as the Yin to AD's LDAP Yang. If the feelings of violation don't get better over time, do what I do and scrub your hands until they bleed every time you start thinking about Microsoft too hard. Or, as Alan said:
1) Ask Microsoft to expose the password through LDAP.
LMAO!! Alan, good to see you've recovered your sense of humor. Things were getting way too serious for a while, there.
Alan DeKok.
-- hugh
participants (4)
-
Alan DeKok -
Hugh Messenger -
Martin Gadbois -
Robert E. Toense