auth to LDAP via two mechanisms
Phil Mayers
p.mayers at imperial.ac.uk
Mon Aug 21 13:47:35 CEST 2006
Rob Shepherd wrote:
>
> No clear-text is stored in LDAP. I have MD5 in userPassword and the two
> samba hashes.
> The cisco kit, VPN concentrator and switches etc, supply a clear text
> password at radius. I figured my only option was to PAP-to-LDAP.
>
> Is there an alternative for this situation?

Use an instance of the "pap" module with "encryption_scheme = nt"

    modules {
        pap nthashpap {
            encryption_scheme = nt
        }
    }

    authorize {
        preprocess
        files
    }

    authenticate {
        Auth-Type PAP {
            nthashpap
        }
    }

...however, you will need:

    DEFAULT Auth-Type := PAP

...somewhere, since the PAP module in 1.1.0 (and I think all non-CVS
versions?) does not (irritatingly) set Auth-Type to PAP, and cannot even
run in the authorize section.
Newer versions of the server (CVS) will both auto-detect "{type}hash"
type prefixes in values *and* set the auth-type so you can just do:

    modules {
        pap {
            auto_header = yes
        }
    }

    authorize {
        preprocess
        pap
        ldap
    }

    authenticate {
        Auth-Type PAP {
            pap
        }
    }
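
The idea behind the `auto_header = yes` setting mentioned above, as an added sketch that is not part of the original message and is not FreeRADIUS code: read the `{type}` prefix on the stored value, hash the clear-text PAP password the same way, and compare. It assumes the RFC 2307 style `{MD5}`, `{SMD5}`, `{SHA}` and `{SSHA}` base64 encodings; `check_pap` and `make_entry` are hypothetical names and the sample entries are constructed.

```python
import base64
import hashlib
import hmac
import re

# Scheme -> (hashlib algorithm, digest length, salted?).
# Salted schemes store base64(digest + salt). Assumed RFC 2307 style encodings.
SCHEMES = {
    "MD5": ("md5", 16, False),
    "SMD5": ("md5", 16, True),
    "SHA": ("sha1", 20, False),
    "SSHA": ("sha1", 20, True),
}
HEADER = re.compile(r"^\{([A-Za-z0-9-]+)\}(.+)$")


def check_pap(cleartext: str, stored: str) -> bool:
    """Verify a clear-text PAP password against a '{type}hash' value."""
    m = HEADER.match(stored)
    if not m:
        return False  # no header: refuse rather than guess the scheme
    scheme = m.group(1).upper()  # scheme names treated as case-insensitive here
    if scheme not in SCHEMES:
        return False  # unknown scheme (e.g. {CRYPT}) is not handled in this sketch
    algo, dlen, salted = SCHEMES[scheme]
    try:
        raw = base64.b64decode(m.group(2), validate=True)
    except ValueError:
        return False  # malformed base64
    if len(raw) < dlen or (not salted and len(raw) != dlen):
        return False  # truncated digest, or trailing bytes on an unsalted scheme
    digest, salt = raw[:dlen], raw[dlen:]
    candidate = hashlib.new(algo, cleartext.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time compare


def make_entry(scheme: str, cleartext: str, salt: bytes = b"") -> str:
    """Build a constructed sample value for the demo below."""
    digest = hashlib.new(SCHEMES[scheme][0], cleartext.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


if __name__ == "__main__":
    # Constructed sample entries, not taken from any real directory.
    for entry in (make_entry("MD5", "s3cret"), make_entry("SSHA", "s3cret", b"\x01\x02\x03\x04")):
        print(entry, check_pap("s3cret", entry), check_pap("wrong", entry))
```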