EAP-TTLS/PAP with OpenLDAP user store
Fajar A. Nugraha
list at fajar.net
Tue Mar 6 20:00:18 CET 2012
On Wed, Mar 7, 2012 at 1:53 AM, Fajar A. Nugraha <list at fajar.net> wrote:
> On Wed, Mar 7, 2012 at 12:32 AM, Stefano Zanmarchi <zanmarchi at gmail.com> wrote:
>> Hi,
>> my aim is to have eap-ttls/pap working using an openldap user
>> database with MD5 hashed passwords. I got it working configuring
>> ldap parameters in /etc/raddb/modules/ldap
>> and applying two changes in /etc/raddb/sites-available/inner-tunnel:
>> 1) uncommented "ldap" in the authorize section
>> 2) uncommented these lines in the authenticate section:
>> Auth-Type LDAP {
>> ldap
>> }
>> Am I doing it right?
>
> The documentation advised against that.
>
> Instead, you should find out which LDAP attribute stores your
> MD5-password, add the correct mapping to ldap.attrmap, and leave
> Auth-Type section commented-out.
>
> It shouldn't affect the result though, since you don't have
> cleartext-password stored in LDAP.
I should've said "It shouldn't affect the result FOR YOU, since you
don't have cleartext-password stored in LDAP, and only have MD5 hash".
If you have NT-hash version of the password stored instead, then the
choice of forcing auth-type or not means the difference between being
able to use (EAP-)MSCHAPv2 or not.
--
Fajar
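The point of the exchange above is that an inner PAP exchange delivers the cleartext password to the server, so the server can re-hash it and compare against whatever hash the directory stores, whereas MSCHAPv2 needs the NT hash and therefore only works when the directory holds a cleartext (or NT-hash) password. The following Python is an added example, not code from the list thread or from FreeRADIUS; it assumes the RFC 2307 `{SCHEME}base64` storage convention for `userPassword` and constructs its own sample entries (the `{SHA}` value is the well-known hash of the string `password`).

```python
"""Verify a PAP-supplied cleartext against an RFC 2307 style LDAP
userPassword value ({MD5}, {SMD5}, {SHA}, {SSHA}, {CLEAR} or bare cleartext),
and report which EAP-TTLS inner methods each stored form can support.

Added example, not FreeRADIUS code; sample entries are constructed."""
import base64
import hashlib
import hmac
import os
from typing import Optional, Set

# scheme -> (hashlib algorithm, salted?). Salted values store
# base64(digest || salt); unsalted ones store base64(digest).
_SCHEMES = {
    "MD5": ("md5", False),
    "SMD5": ("md5", True),
    "SHA": ("sha1", False),
    "SSHA": ("sha1", True),
}


def make_userpassword(cleartext: str, scheme: str = "SMD5",
                      salt: Optional[bytes] = None) -> str:
    """Build a '{SCHEME}base64' value, e.g. for provisioning a test entry."""
    algo, salted = _SCHEMES[scheme.upper()]
    salt = (salt if salt is not None else os.urandom(8)) if salted else b""
    digest = hashlib.new(algo, cleartext.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme.upper(), base64.b64encode(digest + salt).decode("ascii"))


def verify_userpassword(stored: str, candidate: str) -> bool:
    """True when the PAP cleartext `candidate` matches the stored value."""
    if stored.startswith("{") and "}" in stored:
        scheme, _, payload = stored[1:].partition("}")
        scheme = scheme.upper()
        if scheme in ("CLEAR", "CLEARTEXT"):
            return hmac.compare_digest(payload.encode("utf-8"), candidate.encode("utf-8"))
        if scheme not in _SCHEMES:
            return False  # e.g. {CRYPT}: reject rather than guess the format
        algo, salted = _SCHEMES[scheme]
        try:
            raw = base64.b64decode(payload, validate=True)
        except ValueError:
            return False
        dlen = hashlib.new(algo).digest_size
        if len(raw) < dlen or (not salted and len(raw) != dlen):
            return False
        digest, salt = raw[:dlen], raw[dlen:]
        computed = hashlib.new(algo, candidate.encode("utf-8") + salt).digest()
        return hmac.compare_digest(computed, digest)
    # No scheme prefix: the directory stores the cleartext itself.
    return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))


def usable_inner_methods(stored: str) -> Set[str]:
    """Inner EAP-TTLS methods that can be authenticated against `stored`.

    PAP works for every supported hash because the cleartext arrives inside
    the TLS tunnel and can be re-hashed. MSCHAPv2 needs the NT hash (MD4 of
    the UTF-16LE password), which cannot be derived from an MD5/SHA hash, so
    it is only possible when the cleartext is available."""
    scheme = stored[1:].partition("}")[0].upper() if stored.startswith("{") else "CLEAR"
    if scheme in ("CLEAR", "CLEARTEXT"):
        return {"PAP", "MSCHAPv2"}
    if scheme in _SCHEMES:
        return {"PAP"}
    return set()


# Constructed directory entries (uid -> userPassword).
SAMPLE_DIRECTORY = {
    "alice": make_userpassword("correct horse", "MD5"),      # as in the thread
    "bob": make_userpassword("battery staple", "SSHA"),
    "carol": "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",           # sha1("password")
    "dave": "{CLEAR}letmein",
}

if __name__ == "__main__":
    for uid, stored in SAMPLE_DIRECTORY.items():
        print(uid, stored[:12] + "...", sorted(usable_inner_methods(stored)))
    print("carol/password ->", verify_userpassword(SAMPLE_DIRECTORY["carol"], "password"))
```

In FreeRADIUS 2.x the equivalent of `verify_userpassword` is the `pap` module: with `userPassword` mapped through `ldap.attrmap` and `auto_header = yes`, it recognises the `{MD5}`/`{SSHA}` prefix and compares the re-hashed PAP cleartext itself, which is why the thread's advice is to leave `Auth-Type LDAP` commented out rather than bind to the directory per request.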