cisco WAP/FreeRadius/OpenLDAP
Phil Mayers
p.mayers at imperial.ac.uk
Fri Oct 28 10:37:23 CEST 2011
On 10/27/2011 10:32 PM, Matthew Arguin wrote:
> Thanks Phil. question on that. in the deployment of ldap that we have
> in place the users password attribute is 'userPassword'. looking at the
> ldap attribute file and various online results, is the authentication
> looking for ntPassword for that ldap attribute as opposed to the

ntPassword only matters if you're doing MS-CHAP or PEAP/MSCHAP, where it
or the plaintext password (or using samba/ntlm_auth) are required.

For PEAP/GTC, all that matters is getting a compatible crypted password
out of LDAP and into the right FreeRADIUS attribute.

What type of passwords are you storing in your userPassword attribute?
Many many schemes are possible e.g.

  # unlabelled unix crypt
  userPassword: xx1LtbDbOY4/E

  # unlabelled SHA/other
  userPassword: $6$xYC.0/CZo4LSBU

  # labelled
  userPassword: {md5}....

  # plaintext
  userPassword: test

By default, userPassword is mapped to the FreeRADIUS attribute
Password-With-Header which assumes {label} prefixes, as this is most common.

Also - are you *sure* the credentials you're using in the "ldap" module
to query the directory have permissions to read the userPassword attribute?
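
Added example, not part of the original message and not FreeRADIUS code: a heuristic classifier for the userPassword shapes listed above, reporting which FreeRADIUS attribute fits each shape and whether MS-CHAP could use it. The function names are hypothetical; treating {clear}/{cleartext} as plaintext labels and decoding LDIF `::` values as base64 are assumptions about the directory export.

```python
import base64
import re

# Heuristic patterns for the value shapes listed in the message above.
LABELLED = re.compile(r"^\{([A-Za-z0-9-]+)\}")   # {md5}..., {SSHA}...
MODULAR_CRYPT = re.compile(r"^\$[0-9a-z]+\$")    # $6$..., $1$...
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")   # classic 13-char unix crypt


def parse_ldif_user_password(line):
    """Return the value from one LDIF userPassword line.

    LDIF writes 'attr:: value' when the value is base64-encoded, which is
    how ldapsearch commonly prints userPassword.
    """
    name, sep, rest = line.partition(":")
    if not sep or name.strip().lower() != "userpassword":
        raise ValueError("not a userPassword line")
    if rest.startswith(":"):
        return base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
    return rest.strip()


def classify_user_password(value):
    """Return (kind, freeradius_attribute, usable_for_mschap).

    A 13-character plaintext drawn from the crypt alphabet is
    indistinguishable from a DES crypt hash, so this is only a heuristic.
    """
    m = LABELLED.match(value)
    if m:
        label = m.group(1).lower()
        # Assumption: these two labels wrap a plaintext password.
        return ("labelled:" + label, "Password-With-Header",
                label in ("clear", "cleartext"))
    if MODULAR_CRYPT.match(value) or DES_CRYPT.match(value):
        # A crypted value works for PEAP/GTC but not for MS-CHAP.
        return ("unlabelled-crypt", "Crypt-Password", False)
    return ("plaintext", "Cleartext-Password", True)


if __name__ == "__main__":
    # Constructed sample lines, using the values from the message above.
    for ldif in ("userPassword: xx1LtbDbOY4/E", "userPassword: $6$xYC.0/CZo4LSBU",
                 "userPassword:: e21kNX0uLi4u", "userPassword: test"):
        print(ldif, "->", classify_user_password(parse_ldif_user_password(ldif)))
```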