SHA1 password, ldap authentication.

Ivan Kalik tnt at kalik.net
Wed Apr 9 12:01:49 CEST 2008


If you want to store sha encrypted passwords you restrict yourself to
(EAP-TTLS) PAP. You can't do EAP-MD5 with them or use ldap "bind as
user" for anything that's not a PAP (cleartext) request. So, the
advice you were given still stands.

http://deployingradius.com/documents/protocols/compatibility.html

http://deployingradius.com/documents/protocols/oracles.html

Ivan Kalik
Kalik Informatika ISP

On 9/4/2008, "antoine vallée" <antoinevalle at hotmail.com> wrote:

>
>Hi,
>
>Does anybody know if ldap can make the authentication by itself instead of radius? Because my password is stored in sha in the ldap database, and I really need to do md5. Certs can't be used because it needs a PKI and it's not possible, as well as eap-ttls because it requires securew2 (there's no eap-ttls module natively in windows) and we can't force visitors to install software in order to have access to some local resources.
>So the only solution is eap-md5...
>I've heard something about ldap, that maybe it's possible to give the cleartext password to the ldap, then the ldap will find the sha password and return to the radius server a message for the authentication.
>Is this possible? If so, how can I do that?
>Because last time, I've been told that the only solution to do login/pwd authentication was eap-ttls+securew2 (for xp) or to store my password in cleartext in the ldap database, but they're both inappropriate.
>
>Any ideas on the subject?
>
>Thanks,
>
>Antoine.
>
>
>
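
Why a stored {SHA} value restricts you to PAP, as an added example that is not part of the original messages or of FreeRADIUS code: with PAP the server receives the cleartext and can hash it to match the stored value, while an EAP-MD5 response is MD5(identifier || password || challenge) and cannot be recomputed from a SHA-1 digest. Function names, the sample password and the challenge are constructed for illustration.

```python
import base64
import hashlib
import hmac


def ldap_sha(password: bytes) -> str:
    """LDAP userPassword in {SHA} form: base64 of the raw SHA-1 digest."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password).digest()).decode()


def verify_pap(stored: str, cleartext: bytes) -> bool:
    """PAP: the server holds the cleartext, so it hashes it and compares."""
    return hmac.compare_digest(stored, ldap_sha(cleartext))


def eap_md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 / CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def verify_eap_md5(on_file: bytes, identifier: int, challenge: bytes,
                   response: bytes) -> bool:
    """Server side: recompute the response from whatever secret is on file."""
    expected = eap_md5_response(identifier, on_file, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    password = b"constructed-Passw0rd"      # constructed sample password
    stored = ldap_sha(password)             # what the directory holds
    digest_only = base64.b64decode(stored[len("{SHA}"):])
    identifier, challenge = 7, bytes(range(16))   # constructed challenge
    # The client always computes its response from the cleartext password.
    response = eap_md5_response(identifier, password, challenge)
    return {
        # The server sees the cleartext, so the stored hash is enough.
        "pap_with_sha_hash": verify_pap(stored, password),
        # Works only when the server has the cleartext on file.
        "eap_md5_with_cleartext": verify_eap_md5(
            password, identifier, challenge, response),
        # With only the SHA-1 digest on file the response cannot be rebuilt.
        "eap_md5_with_sha_digest": verify_eap_md5(
            digest_only, identifier, challenge, response),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accept' if ok else 'reject'}")
```
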




More information about the Freeradius-Users mailing list