PEAP + AD
Chris Liles
Chris.Liles at air2web.com
Thu May 25 18:21:08 CEST 2006
> AD doesn't supply passwords through LDAP. That's why the server
> ships with support for ntlm_auth.
That is right, I forgot that even if you are on an SSL/TLS LDAP connection as an administrator, you can't pull the password back from AD.
What "hooks" are you talking about? The extensions for Unix services?
--
Chris Liles
-----Original Message-----
From: freeradius-users-bounces+chris.liles=air2web.com at lists.freeradius.org [mailto:freeradius-users-bounces+chris.liles=air2web.com at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Thursday, May 25, 2006 11:36 AM
To: FreeRadius users mailing list
Subject: Re: PEAP + AD
"Chris Liles" <Chris.Liles at air2web.com> wrote:
> But I have also read about some guy successfully using OpenLDAP with
> PEAP because he stored the LM and NT password hashes in the ldap
> schema along with the clear text password. With AD I suppose you
> could extend the schema to store these as well, but you'd have to
> manually update them when a password changes.
Yes. There are hooks in AD to do just that, but the software
implementing the hooks has to be installed on every domain controller.
> In my attempts to use ldap with active directory for PEAP it
> wouldn't work, so I went samba. It works fine. Radiusd -X and the
> mailing list are your best friends. :)
AD doesn't supply passwords through LDAP. That's why the server
ships with support for ntlm_auth.
Alan DeKok.