Suggest the following patch for LDAP+EAP-TTLS+PAP+CRYPT

Juan C. Sanchez-DelBarrio carlos.sanchez at
Mon Nov 6 17:35:23 CET 2006

Hi Alan,

I agree with you. Before using EAP-TTLS with PAP, we used MD5 cipher but
you need to have the LDAP User-Password in plain-text. Our security
requirement in the LDAP database is that the User-Password must be
ciphered (CRYPT). We found a good solution using EAP-TTLS with PAP. PAP
permits us the authentication with CRYPT password. But, the problem is
that LDAP database includes hash header before password, {crypt}XXXXX.
How do you compare both passwords?????

	XXXX == {crypt}XXXX

I propose the next solution:


Other solution???


Alan DeKok wrote:
> "Juan C. Sanchez-DelBarrio" <carlos.sanchez at> wrote:
>> I propose the following patch to use EAP-TTLS+PAP+LDAP with CRYPT
>> PASSWORD. This feature would permit us to cipher the plain password in
>> LDAP using CRYPT hash and compare the CRYPT hash of user password from
>> LDAP with PAP authentication (crypt).
>   Why?  The server already supports pulling the crypt'd password from
> LDAP, and comparing it to the users password via rlm_ldap.
>   Alan DeKok.
> --
>       - The web site of the book
> - The blog
> - 
> List info/subscribe/unsubscribe? See

Juan C. Sanchez-DelBarrio

More information about the Freeradius-Devel mailing list