Authentication link with PEAP + PAM + LDAP

Josh Howlett josh.howlett at bristol.ac.uk
Wed Jun 7 15:18:20 CEST 2006


On 7 Jun 2006, at 13:07, thomas hahusseau wrote:

> Hello,
>
> Finally my boss is not interested in a PEAP authentication due to
> password and login stored in clear in the OpenLDAP database, and he
> doesn't want to use the ntlm_auth to ask an Active Directory Server.
>
> So I wonder if that kind of authentication is possible.

> PEAP(MsCHAP) request --> Freeradius server (extract the hashed
> password) --> Authentication request sent to PAM (login + hashed
> password) via rlm_auth ---> OpenLDAP Server (compare hashed password
> received with the one stored in database)

You don't need to use PAM - in fact, I don't think it's possible.
Store your users' passwords in the NTLM hash, and authenticate
directly from FreeRADIUS to LDAP.

josh.

> PAM is used as mediator to permit comparison with the hash stored in
> OpenLDAP.
>
> My boss only wants cipher/hashed password and login.

Josh Howlett, Networking Specialist, University of Bristol.
email: josh.howlett at bristol.ac.uk | phone: +44 (0)7867 907076 |
internal: 7850





