free radius setup

John Dennis jdennis at redhat.com
Wed Sep 11 01:35:09 CEST 2013


On 09/10/2013 06:54 PM, Arran Cudbard-Bell wrote:
> On the registration page you use to 'activate' users accounts for the
> service, you get them to login. Once their password is verified
> against OpenLDAP you do an LDAP modify and store the plaintext
> version.  This is exactly what we did at University of Sussex when we
> rolled out the service six years ago.
> 
> We opted to store NT-Password hashes.  These are not really any more
> secure than cleartext, but at least you don't accidentally see the
> user's output in any directory dumps or debug output.

And be sure to set ACLs (Access Control Lists) on the password
attributes so that only the admin and the radius process can read them.

-- 
John
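
One way to express the ACL described in the reply above for OpenLDAP's cn=config backend, as an added example that is not part of the original message. The database DN, the admin and radius service DNs, and the `sambaNTPassword` attribute (where the NT-Password hash is assumed to be stored) are assumptions to be replaced with the site's own values.

```ldif
# Added example, not from the original thread.
# Assumed names: olcDatabase={1}mdb, cn=admin,dc=example,dc=org,
# cn=radius,ou=services,dc=example,dc=org, sambaNTPassword.
#
# The {0} index inserts this rule ahead of the existing ACLs, so it is
# evaluated first and a broader "to * by * read" rule further down
# cannot expose the password attributes.
#
# "by anonymous auth" lets slapd compare userPassword during a simple
# bind (needed for the registration page login) without making the
# value readable. "by * none" denies everyone else, including the
# account owner.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,sambaNTPassword
  by dn.exact="cn=admin,dc=example,dc=org" write
  by dn.exact="cn=radius,ou=services,dc=example,dc=org" read
  by anonymous auth
  by * none
```

After loading it with `ldapmodify`, a search bound as an ordinary user should return entries without either password attribute, while the same search bound as the radius service DN should return them.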

