Suggest the following patch for LDAP+EAP-TTLS+PAP+CRYPT
Juan C. Sanchez-DelBarrio
carlos.sanchez at bsc.es
Mon Nov  6 17:35:23 CET 2006

Hi Alan,
I agree with you. Before using EAP-TTLS with PAP, we used the MD5 cipher, but
you need to have the LDAP User-Password in plain text. Our security
requirement in the LDAP database is that the User-Password must be
ciphered (CRYPT). We found a good solution using EAP-TTLS with PAP. PAP
permits us to authenticate with a CRYPT password. But the problem is
that the LDAP database includes a hash header before the password, {crypt}XXXXX.
How do you compare both passwords?
	XXXX == {crypt}XXXX
I propose the following solution:
	XXXX == XXXX
Any other solution?
Thanks!
Alan DeKok wrote:
> "Juan C. Sanchez-DelBarrio" <carlos.sanchez at bsc.es> wrote:
>> I propose the following patch to use EAP-TTLS+PAP+LDAP with CRYPT
>> PASSWORD. This feature would permit us to cipher the plain password in
>> LDAP using CRYPT hash and compare the CRYPT hash of user password from
>> LDAP with PAP authentication (crypt).
> 
>   Why?  The server already supports pulling the crypt'd password from
> LDAP, and comparing it to the user's password via rlm_ldap.
> 
>   Alan DeKok.
> --
>   http://deployingradius.com       - The web site of the book
>   http://deployingradius.com/blog/ - The blog
-- 
Juan C. Sanchez-DelBarrio
BSC-CNS
http://www.bsc.es
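
The comparison discussed in this thread, as an added example that is not part of the original message and not FreeRADIUS code: strip the {crypt} header from the LDAP value, then let crypt(3) re-hash the PAP cleartext with the stored hash as salt and compare the two hashes. The names split_header, check_pap_password and the hasher parameter are assumptions made for illustration.

```python
import hmac
import re

try:                      # crypt(3) binding; in the Unix stdlib through Python 3.12
    from crypt import crypt as crypt3
except ImportError:       # removed in 3.13: pass your own binding as `hasher`
    crypt3 = None

# "{scheme}" header as stored in front of the hash in the LDAP attribute
_HEADER = re.compile(r"^\{([A-Za-z0-9_-]+)\}(.*)$", re.S)


def split_header(stored):
    """Return (scheme, value); scheme is lower-cased, or None if no header."""
    m = _HEADER.match(stored)
    if m is None:
        return None, stored
    return m.group(1).lower(), m.group(2)


def check_pap_password(cleartext, stored, hasher=crypt3):
    """Compare a PAP cleartext password with an LDAP '{crypt}XXXX' value."""
    scheme, stored_hash = split_header(stored)
    if scheme != "crypt" or not stored_hash:
        return False      # no header, or another scheme: not handled here
    if hasher is None:
        raise RuntimeError("no crypt(3) binding available")
    # crypt(3) takes its salt from the stored hash itself, so hashing the
    # cleartext with it reproduces the stored hash only for the right password.
    candidate = hasher(cleartext, stored_hash)
    if not candidate:
        return False
    # XXXX == XXXX, compared in constant time
    return hmac.compare_digest(candidate.encode(), stored_hash.encode())


if __name__ == "__main__" and crypt3 is not None:
    # Constructed sample entry, hashed at run time with a fixed two-character salt
    stored = "{crypt}" + crypt3("s3cret", "ab")
    print(check_pap_password("s3cret", stored))                   # header stripped
    print(check_pap_password("wrong", stored))                    # wrong password
    print(check_pap_password("s3cret", stored[len("{crypt}"):]))  # no header
```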