Passwords for PEAP from AD-based LDAP
Martin Gadbois
martin.gadbois at colubris.com
Thu Jul 12 17:20:59 CEST 2007
Robert E. Toense wrote:
> I am attempting to set up EAP-PEAP authentication via FreeRadius and a
> Windows-based LDAP backend. The user accounts are in AD. After making
> it past a number of obstacles, I am communicating with the LDAP server,
> but found that neither LM-Passwords nor NT-Passwords are loaded into the
> LDAP. "Clear-text" is NOT an option, and is not available either,
> anyway. This problem must have been encountered by others. Assuming
> that it can be done, how do you get the password information out of AD
> and into LDAP in an appropriate format?
>
> Yes, I could use ntlm_auth and probably get it working, but this is
> supposed to be LDAP-based, not SAMBA. The LDAP could move to a
> different environment. Use of standards is important to us.
PEAP uses MS-CHAPv2, which requires knowledge of some form of the
clear-text password. LDAP does not give you the clear-text password;
therefore you must use ntlm_auth. It works well.
--
============== +---------------------------------------------+
Martin Gadbois | "Please answer by yes or no. |
Sr. SW Designer | Uncooperative user waste precious CPU time" |
Colubris Networks Inc. | -- The Andromeda Strain, M. Crichton, 1969 |
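
The ntlm_auth route recommended in the reply above, sketched as a FreeRADIUS mschap module fragment (an added example, not part of the original message or the poster's configuration). It assumes the RADIUS host is joined to the AD domain with winbind running and that ntlm_auth lives at /usr/bin/ntlm_auth; the exact `%{...}` expansion syntax differs between FreeRADIUS releases, so compare it with the mschap file shipped with your version.

```conf
# mschap module fragment (path and expansion syntax are assumptions, see above)
mschap {
    # FreeRADIUS never sees a password or NT hash here. It passes the
    # MS-CHAPv2 challenge and the client's NT-Response to ntlm_auth,
    # winbind asks a domain controller to verify them, and on success
    # ntlm_auth returns the NT key needed to finish the PEAP exchange.
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

# The ldap module can still be listed in the authorize section for
# group membership or policy attributes; it is only the MS-CHAPv2
# verification that has to go through ntlm_auth, because AD does not
# expose the NT hash over LDAP.
```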