Using encrypted passwords from LDAP
Alan DeKok
aland at deployingradius.com
Fri Aug 7 10:25:39 CEST 2009
Steffen Langhammer wrote:
> The LDAP-Server doesn't contain a clear-text password. They are
> encrypted and this isn't allowed to change.
http://deployingradius.com/documents/protocols/compatibility.html
> The password field is "userPassword".
>
> I was testing my LDAP-Configuration in Freeradius with NTRadPing.
> If I make an authentication Request I get a response: Access-Accept.
> I am happy that freeradius can speak to LDAP :-))
>
> Now my problem is:
> The wireless client is configured to LEAP, I enter the same user and
> password as in NTRadPing Utility. But I don't get access.
Your requirements are impossible to satisfy.
> I don't understand what I have done wrong.
> Maybe the eap-module is not able to forward the bind to the LDAP-Server ?
No. Read the page given by the URL above. What you want to do is
impossible.
> If I use LEAP and set the password_attribute to a cleartext field in
> ldap it works.
Exactly.
> I was setting as password_attribute the field to givenname and enter as
> password the givenname of user.
>
> If I use the LEAP mode on the client the login to WLAN works fine (by
> using cleartext)
> But I have to use the encrypted password in LDAP because of security
> reasons.
>
> What can I do ?
Read the last section of that web page.
Trying to do the impossible is an effort in futility. Change your
requirements to something that is possible to do.
My suggestion: don't do LEAP. It's insecure. Use another EAP method
such as TTLS.
Alan DeKok.
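As an added illustration of the compatibility point made above (this is not code from the thread or from FreeRADIUS): with a one-way {SSHA} userPassword, a PAP check works because the client supplies the cleartext and the server can re-run the hash, but a challenge/response check cannot be evaluated at all, because the server must recompute the response from the password itself. RFC 1994 CHAP is used here as a simplified stand-in for the MS-CHAP exchange inside LEAP; the sample password and salt are constructed.

```python
import base64
import hashlib

# Constructed sample: an OpenLDAP-style {SSHA} userPassword for "s3cret".
SAMPLE_SALT = b"\x01\x02\x03\x04"

def make_ssha(password: str, salt: bytes) -> str:
    """Build a {SSHA} value: base64(SHA1(password || salt) || salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

SAMPLE_USERPASSWORD = make_ssha("s3cret", SAMPLE_SALT)

def check_pap(stored: str, cleartext: str) -> bool:
    """PAP: the client sends the cleartext password, so the server can
    redo the one-way {SSHA} computation and compare the digests."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(cleartext.encode() + salt).digest() == digest

def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(id || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()

def check_chap(stored: str, ident: int, challenge: bytes, response: bytes):
    """Challenge/response: the server must recompute the client's response
    from the password. A {SSHA} hash is one-way, so when that is all the
    directory holds there is no secret to compute with; return None to
    signal "cannot be verified" rather than a plain reject."""
    if stored.startswith("{SSHA}"):
        return None
    return chap_response(ident, stored, challenge) == response

if __name__ == "__main__":
    challenge = b"\xaa" * 16  # constructed challenge
    print("PAP against {SSHA}:", check_pap(SAMPLE_USERPASSWORD, "s3cret"))
    print("CHAP against {SSHA}:",
          check_chap(SAMPLE_USERPASSWORD, 1, challenge,
                     chap_response(1, "s3cret", challenge)))
```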