LDAP ntPassword and lmPassword help
Alan DeKok
aland at deployingradius.com
Fri Mar 20 07:24:11 CET 2009
Padam J Singh wrote:
> I have an LDAP server which contains ntPassword and lmPassword attributes
> like the following:
...
> lmPassword: {ENC}9846B736BDDA9E7CAAD3B435B51404EE
> ntPassword: {ENC}22D6ADD4E9AD37B87B8EDB2C91E1EE67
Ugh.
> FR 2.1.1 is configured for doing 802.1x authentication. While doing the
> authentication, I obviously get "Invalid NT-Password" and "Invalid
> LM-Password" errors. The error stems from the fact that the length is
> incorrect because of the additional {ENC} prefix.
>
> Is there some configuration where I can set something so it ignores the
> initial {ENC} while doing the password comparison?
Edit raddb/dictionary. Add a new "string" attribute (the dictionary format
is name, number, type):
ATTRIBUTE ENC-NT-Password 3000 string
Edit raddb/ldap.attrmap. Delete the entries containing LM-Password.
Edit raddb/ldap.attrmap. Find the entries containing NT-Password, and
change them to ENC-NT-Password.
Edit raddb/sites-available/default (I presume you're running a recent
version of the server...). Look for the "authorize" section. In it,
look for the "ldap" module. Change it to:
authorize {
        ...
        ldap    # leave this here

        # all of this goes on one line; the braces in the regex are escaped
        # so that "{ENC}" is matched literally
        if (control:ENC-NT-Password && (control:ENC-NT-Password =~ /\{ENC\}(.*)/)) {
                update control {
                        NT-Password := "%{1}"
                }
        }
        ...
}
That should work.
Alan DeKok.
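The normalisation the unlang rule above performs, written out as a small Python parser for the LDAP attribute lines from the original question. This is an added example, not FreeRADIUS code; the attribute values are the ones quoted in the post, and the 32-hex-digit length check is the one that produced the "Invalid NT-Password" error.

```python
import re

# Attribute lines as quoted in the question: a "{ENC}" prefix followed by
# the hex-encoded hash (sample values copied from the post, not live data).
SAMPLE_LDAP = """\
lmPassword: {ENC}9846B736BDDA9E7CAAD3B435B51404EE
ntPassword: {ENC}22D6ADD4E9AD37B87B8EDB2C91E1EE67
"""

# Same pattern as the unlang rule: strip the "{ENC}" prefix and keep the rest.
# Braces are escaped so the regex treats them literally.
ENC_RE = re.compile(r"^\{ENC\}(.*)$")

# An NT hash is 16 bytes, i.e. 32 hex digits; any other length is rejected
# by FreeRADIUS with "Invalid NT-Password".
NT_HASH_HEX_LEN = 32


def strip_enc_prefix(value):
    """Return the value without a leading {ENC}; unchanged if no prefix."""
    m = ENC_RE.match(value)
    return m.group(1) if m else value


def parse_ldap_passwords(ldap_text):
    """Parse 'attr: value' lines into a control dict holding only NT-Password.

    lmPassword is deliberately dropped, matching the advice to delete the
    LM-Password entries from ldap.attrmap.  Raises ValueError for a hash
    that is not exactly 32 hex digits after the prefix is removed.
    """
    control = {}
    for line in ldap_text.splitlines():
        if ":" not in line:
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip(), value.strip()
        if attr.lower() != "ntpassword":
            continue  # lmPassword and any other attribute are ignored
        raw = strip_enc_prefix(value)
        if len(raw) != NT_HASH_HEX_LEN or not re.fullmatch(r"[0-9A-Fa-f]+", raw):
            raise ValueError(f"invalid NT-Password {value!r}: expected 32 hex digits")
        control["NT-Password"] = raw.lower()
    return control


if __name__ == "__main__":
    print(parse_ldap_passwords(SAMPLE_LDAP))
```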