Using encrypted passwords from LDAP

Alan DeKok aland at
Fri Aug 7 10:25:39 CEST 2009

Steffen Langhammer wrote:
> The LDAP-Server doesn't contain a clear-text password. They are
> encrypted and this isn't allowed to change.


> The password field is "userPassword".
> I was testing my LDAP-Configuration in Freeradius with NTRadPing.
> If I make an authentication Request I get a response: Access_accept.
> I am happy that freeradius can speak to LDAP :-))
> Now my problem is:
> The wireless client is configured to LEAP, I enter the same user and
> password as in NTRadPing Utility. But I don't get access.

  Your requirements are impossible to satisfy.

> I don't understand what I have done wrong.
> Maybee the eap-module is not able to forward the bind to the LDAP-Server ?

  No.  Read the page given by the URL above.  What you want to do is

> If i use LEAP and set the password_attribute to an cleartext field in
> ldap it works.


> I was setting as password_attribute the field to givenname and enter as
> passwort the givenname of user.
> If I use the LEAP mode on the client the login to WLAN works fine (by
> using cleartext)
> But I have to use the encrypted password in LDAP because of security
> reasons.
> What can I do ?

  Read the last section of that web page.

  Trying to do the impossible is an effort in futility.  Change your
requirements to something that is possible to do.

  My suggestion: don't do LEAP.  It's insecure.  Use another EAP method
such as TTLS.

  Alan DeKok.

More information about the Freeradius-Users mailing list