PAP and NT-hashed password

Alan DeKok aland at
Tue Dec 30 16:44:10 CET 2014

On Dec 30, 2014, at 10:28 AM, sb <superabx at> wrote:
> Yes, but how to prevent it? I have nothing about User-Password in freeradius configs:

  Try version 2.2.6.  The PAP module has been updated to do a better job of discovering which password is where.

  And you probably want to double-check the *format* of the passwords.  You seem to have put the hashed version of the password into the userPassword field.  Then, taken that, turned it into hex, and put that into the ntPassword field in LDAP.  That’s wrong.

  The userPassword field in LDAP should contain the clear-text password.  e.g. “hello”, or “password”.  The ntPassword field in LDAP should contain the hex version of the NT-hashed password.  e.g. 01abcdef…  OR, the userPassword field in LDAP should contain “{nt}01abcdef…”  The {nt} prefix says that the rest of the password is the NT hash.

  Alan DeKok.
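
The format rules in the reply above can be checked mechanically before values are loaded into LDAP. The following is an added example, not part of the original post and not FreeRADIUS code. The function names, verdict strings and sample values are hypothetical, and it assumes the mistake described is hex applied to the hash's hex text and that the {nt} header is matched case-insensitively.

```python
import re

NT_HEX = re.compile(r"[0-9a-fA-F]{32}")     # NT hash: 16 bytes = 32 hex digits
HEX64 = re.compile(r"[0-9a-fA-F]{64}")
NT_HEADER = "{nt}"                          # prefix as written in the post


def check_user_password(value):
    """Classify a userPassword value: clear text, or {nt} + hex NT hash."""
    if value.lower().startswith(NT_HEADER):  # assumption: header case is ignored
        rest = value[len(NT_HEADER):]
        return "nt-hash" if NT_HEX.fullmatch(rest) else "bad-nt-header"
    if NT_HEX.fullmatch(value):
        # Heuristic: looks like a bare hash stored where clear text belongs.
        return "suspect-bare-hash"
    return "cleartext"


def check_nt_password(value):
    """Classify an ntPassword value: it should be the 32-digit hex NT hash."""
    if NT_HEX.fullmatch(value):
        return "nt-hash"
    if HEX64.fullmatch(value):
        # Hex applied to the hex *text* doubles the length; undo one layer.
        try:
            inner = bytes.fromhex(value).decode("ascii")
        except UnicodeDecodeError:
            return "invalid"
        if NT_HEX.fullmatch(inner):
            return "double-hex"
    return "invalid"


def audit(entry):
    """Return (attribute, verdict) pairs for the attributes present."""
    checks = {"userPassword": check_user_password,
              "ntPassword": check_nt_password}
    return [(a, f(entry[a])) for a, f in checks.items() if a in entry]


# Constructed sample values; SAMPLE_HASH is not a real credential.
SAMPLE_HASH = "0123456789ABCDEF0123456789ABCDEF"
GOOD = {"userPassword": "hello", "ntPassword": SAMPLE_HASH}
BAD = {"userPassword": SAMPLE_HASH,
       "ntPassword": SAMPLE_HASH.encode("ascii").hex()}

if __name__ == "__main__":
    for name, entry in (("good", GOOD), ("bad", BAD)):
        print(name, audit(entry))
```

A "suspect-bare-hash" verdict is only a hint, since a clear-text password can itself be 32 hex digits.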
