FreeRADIUS and OpenLDAP
Phil Mayers
p.mayers at imperial.ac.uk
Mon Jan 16 21:18:53 CET 2006
Michael Schwartzkopff wrote:
> Hi,
>
> If I use OpenLDAP to authorize / authenticate my users, what kinds of
> passwords can I store in LDAP?
That question is inverted. The Radius auth type defines what data you
*need* for that auth type, and thus what crypt you need to store.
PAP - needs plaintext, unix crypt, sha crypt, md5 crypt[1]
CHAP - needs plaintext
MS-CHAP - needs plaintext, nthash, lmhash[2]
EAP-PEAP with MS-CHAPv2 inner - as per MS-CHAP[2]
If you have the choice, storing "clear" gives you the most options
PROVIDED that the radius server has appropriate permissions to extract
that cleartext password and provide it to the auth type modules.
However, note:
1. The LDAP module has the ability to provide authentication for PAP
requests and ONLY PAP by making an LDAP simple bind against the LDAP
server. In this case, the contents of the LDAP crypt are only relevant
to the LDAP server BUT you are limited to PAP.
2. MS-CHAP can also be provided by the "ntlm_auth" helper option of
the mschap module
>
> clear, crypt, SSHA, SMD5, MD5, SHA, NTHASH, LMHASH?
>
> Is this controlled by the password_header configuration or does this only strip
> the header of the password?
>
> Is there any difference if use the EAP module?
Yes, it is totally different. EAP negotiates mechanisms. Some of those
happen to be the same algorithms as non-EAP radius (e.g. MS-CHAP),
others happen to be 2-level mechanisms whose inner is the same algorithm
(e.g. EAP-PEAP + MS-CHAP inner, EAP-TTLS + PAP inner) but EAP itself
requires no secrets. The negotiated mechanisms do.
If you tell us what you're trying to do, we may be able to be more helpful.
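As an added illustration of the mapping Phil describes (example code written for this page, not FreeRADIUS's own rlm_ldap, rlm_pap or rlm_mschap code), the following takes an OpenLDAP-style userPassword value with a {SCHEME} prefix, reports which RADIUS auth types that stored form can serve, checks a PAP cleartext against it, and shows what MS-CHAP needs: the NT hash, which is MD4 over the UTF-16LE password and so can be produced from a stored cleartext or a stored {NT} hash but never from an SSHA/SMD5/crypt digest. It goes slightly beyond the post's list in letting PAP verify against a stored {NT} hash (with PAP the server holds the cleartext, so it can compute any hash). The scheme names, the fixed salts, the sample entries and the pure-Python MD4 are all assumptions constructed for this example; {CRYPT} is listed but not verified here because that needs the system crypt(3), and LM hashes are left out.

```python
import base64
import hashlib
import hmac
import struct

# Which RADIUS auth types each stored-password form can serve (mapping from the
# post, plus {NT} for PAP as explained in the lead-in). Constructed for this example.
CAPABILITIES = {
    "CLEAR": {"PAP", "CHAP", "MS-CHAP"},
    "CRYPT": {"PAP"},
    "SSHA": {"PAP"},
    "SMD5": {"PAP"},
    "SHA": {"PAP"},
    "MD5": {"PAP"},
    "NT": {"PAP", "MS-CHAP"},
}


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); present only because NT hashes are MD4 over UTF-16LE."""
    mask = 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = [
        (F, 0x00000000, [3, 7, 11, 19], list(range(16))),
        (G, 0x5A827999, [3, 5, 9, 13], [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (H, 0x6ED9EBA1, [3, 9, 11, 15], [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    ]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = rotl((a + fn(b, c, d) + X[idx] + k) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate roles, as in the RFC's step table
        h = [(v + w) & mask for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(password encoded as UTF-16LE)."""
    return md4(password.encode("utf-16-le"))


def split_header(stored: str):
    """'{SSHA}xyz' -> ('SSHA', 'xyz'); a value without a header is treated as cleartext."""
    if stored.startswith("{") and "}" in stored:
        hdr, _, rest = stored[1:].partition("}")
        return hdr.upper(), rest
    return "CLEAR", stored


def auth_types_for(stored: str) -> set:
    """The RADIUS auth types that can be satisfied from this stored form."""
    return set(CAPABILITIES.get(split_header(stored)[0], set()))


def make_salted(scheme: str, password: str, salt: bytes) -> str:
    """Build an OpenLDAP-style {SSHA}/{SMD5} value: base64(digest(pw + salt) + salt)."""
    algo = hashlib.sha1 if scheme == "SSHA" else hashlib.md5
    digest = algo(password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())


def pap_check(stored: str, candidate: str) -> bool:
    """PAP: the request carries the cleartext, so verify it against whatever is stored."""
    hdr, body = split_header(stored)
    pw = candidate.encode()
    if hdr == "CLEAR":
        return hmac.compare_digest(body.encode(), pw)
    if hdr in ("SSHA", "SMD5"):
        raw = base64.b64decode(body)
        dlen = 20 if hdr == "SSHA" else 16
        digest, salt = raw[:dlen], raw[dlen:]
        algo = hashlib.sha1 if hdr == "SSHA" else hashlib.md5
        return hmac.compare_digest(algo(pw + salt).digest(), digest)
    if hdr in ("SHA", "MD5"):
        algo = hashlib.sha1 if hdr == "SHA" else hashlib.md5
        return hmac.compare_digest(algo(pw).digest(), base64.b64decode(body))
    if hdr == "NT":
        return hmac.compare_digest(nt_hash(candidate), bytes.fromhex(body))
    if hdr == "CRYPT":
        raise NotImplementedError("verifying {CRYPT} needs the system crypt(3); not shown here")
    return False


def mschap_nt_hash_from(stored: str):
    """MS-CHAP needs the NT hash; it is recoverable only from cleartext or a stored {NT}."""
    hdr, body = split_header(stored)
    if hdr == "CLEAR":
        return nt_hash(body)
    if hdr == "NT":
        return bytes.fromhex(body)
    return None  # any other one-way digest cannot be turned into the NT hash


# Constructed sample entries (not real users); fixed salts keep the output reproducible.
SAMPLE_ENTRIES = {
    "alice": "password",
    "bob": make_salted("SSHA", "password", b"salt"),
    "carol": "{NT}" + nt_hash("password").hex(),
}

if __name__ == "__main__":
    for user, stored in SAMPLE_ENTRIES.items():
        print(user, sorted(auth_types_for(stored)),
              "PAP ok" if pap_check(stored, "password") else "PAP fail",
              "MS-CHAP possible" if mschap_nt_hash_from(stored) else "MS-CHAP impossible")
```

Running it shows the point of the post directly: alice (cleartext) can serve every auth type, carol ({NT}) can serve PAP and MS-CHAP, and bob ({SSHA}) passes PAP but has no path to MS-CHAP, because nothing can turn a salted SHA-1 digest into an MD4 of the password.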