Check LDAP password with SHA512

Will W. will at damagesinc.net
Thu Jan 28 09:06:08 CET 2016 

Ok, how do I change the order in which ldap and pap are called?

On Wed, Jan 27, 2016 at 2:13 PM, Arran Cudbard-Bell <
a.cudbardb at freeradius.org> wrote:

>
> > On Jan 27, 2016, at 5:08 PM, Arran Cudbard-Bell <
> a.cudbardb at freeradius.org> wrote:
> >
> >
> >> On Jan 27, 2016, at 4:36 PM, Will W. <will at damagesinc.net> wrote:
> >>
> >> Question
> >> With Start_TLS yes
> >> this is enabling the Freeradius to connect to the LDAP server over a
> TLS tunnel correct?
> >
> > Yes, the connection starts off as plaintext, then the ldap client
> requests to establish a TLS tunnel.
> >
> > Map looks OK.  You need to run ldapsearch with this invocation to see if
> the userPassword is being returned:
> >
> > ldapsearch -H ldap://ldap.myhost.com:389 —ZZ x -b
> "ou=Users,dc=myhost,dc=com" -D "uid=demouser,ou=Users,dc=myhost,dc=com" -w
> testing123 "(objectClass=posixGroup)" userPassword
>
> Here are the headers and what they map to:
>
> /*
>  *      For auto-header discovery.
>  *
>  *      @note Header comparison is case insensitive.
>  */
> static const FR_NAME_NUMBER header_names[] = {
>         { "{clear}",            PW_CLEARTEXT_PASSWORD },
>         { "{cleartext}",        PW_CLEARTEXT_PASSWORD },
>         { "{md5}",              PW_MD5_PASSWORD },
>         { "{base64_md5}",       PW_MD5_PASSWORD },
>         { "{smd5}",             PW_SMD5_PASSWORD },
>         { "{crypt}",            PW_CRYPT_PASSWORD },
> #ifdef HAVE_OPENSSL_EVP_H
>         /*
>          *      It'd make more sense for the headers to be
>          *      ssha2-* with SHA3 coming soon but we're at
>          *      the mercy of directory implementors.
>          */
>         { "{sha2}",             PW_SHA2_PASSWORD },
>         { "{sha224}",           PW_SHA2_PASSWORD },
>         { "{sha256}",           PW_SHA2_PASSWORD },
>         { "{sha384}",           PW_SHA2_PASSWORD },
>         { "{sha512}",           PW_SHA2_PASSWORD },
>         { "{ssha224}",          PW_SSHA2_224_PASSWORD },
>         { "{ssha256}",          PW_SSHA2_256_PASSWORD },
>         { "{ssha384}",          PW_SSHA2_384_PASSWORD },
>         { "{ssha512}",          PW_SSHA2_512_PASSWORD },
> #endif
>         { "{sha}",              PW_SHA_PASSWORD },
>         { "{ssha}",             PW_SSHA_PASSWORD },
>         { "{md4}",              PW_NT_PASSWORD },
>         { "{nt}",               PW_NT_PASSWORD },
>         { "{nthash}",           PW_NT_PASSWORD },
>         { "{x-nthash}",         PW_NT_PASSWORD },
>         { "{ns-mta-md5}",       PW_NS_MTA_MD5_PASSWORD },
>         { "{x- orcllmv}",       PW_LM_PASSWORD },
>         { "{X- orclntv}",       PW_NT_PASSWORD },
>         { NULL, 0 }
> };
>
> You need to call the pap module in authorize after the LDAP module in
> order to strip the header and perform the conversion.
>
> It also does a bunch of normalisation.  It could be you have the modules
> in the wrong order, pap then ldap when you need ldap then pap.
>
> -Arran
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

More information about the Freeradius-Users mailing list