Suggest the following patch for LDAP+EAP-TTLS+PAP+CRYPT

Daniel Larsson daniel.larsson at
Mon Nov 6 19:32:47 CET 2006

Juan C. Sanchez-DelBarrio wrote:
> Hi Alan,
> I agree with you. Before using EAP-TTLS with PAP, we used MD5 cipher but
> you need to have the LDAP User-Password in plain-text. Our security
> requirement in the LDAP database is that the User-Password must be
> ciphered (CRYPT). We found a good solution using EAP-TTLS with PAP. PAP
> permits us the authentication with CRYPT password. But, the problem is
> that LDAP database includes hash header before password, {crypt}XXXXX.
> How do you compare both passwords?????
> 	XXXX == {crypt}XXXX
> I propose the next solution:
> Other solution???
> Thanks!
If you can't use rlm_ldap authentication, you could make the crypt hash
of the passwords yourself, and store it in a normal "directory string"
attribute in LDAP, then export it from rlm_ldap via the ldap.attrmap
file. If you need to store the password as a proper password in LDAP, I
would suggest removing the "{CRYPT}" prefix through some separate module
(e.g. exec), and not in rlm_ldap.
> Alan DeKok wrote:
>> "Juan C. Sanchez-DelBarrio" <carlos.sanchez at> wrote:
>>> I propose the following patch to use EAP-TTLS+PAP+LDAP with CRYPT
>>> PASSWORD. This feature would permit us to cipher the plain password in
>>> LDAP using CRYPT hash and compare the CRYPT hash of user password from
>>> LDAP with PAP authentication (crypt).
>>   Why?  The server already supports pulling the crypt'd password from
>> LDAP, and comparing it to the users password via rlm_ldap.
>>   Alan DeKok.
>> --
>>       - The web site of the book
>> - The blog
>> - 
>> List info/subscribe/unsubscribe? See

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 252 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the Freeradius-Devel mailing list