Check LDAP password with SHA512

David Lord d.lord at its.uq.edu.au
Thu Jan 28 09:29:24 CET 2016


Apologies, I was a bit quick on the retort there.
Please disregard.

> On 28 Jan 2016, at 6:25 PM, David Lord <d.lord at its.uq.edu.au> wrote:
> 
> Which of these looks right?
> 
> authenticate {
> 	pap
> 	ldap
> }
> 
> authenticate {
> 	ldap
> 	pap
> }
> 
>> On 28 Jan 2016, at 6:06 PM, Will W. <will at damagesinc.net> wrote:
>> 
>> Ok, how do I change the order in which ldap and pap are called?
>> 
>> On Wed, Jan 27, 2016 at 2:13 PM, Arran Cudbard-Bell <
>> a.cudbardb at freeradius.org> wrote:
>> 
>>> 
>>>> On Jan 27, 2016, at 5:08 PM, Arran Cudbard-Bell <
>>>> a.cudbardb at freeradius.org> wrote:
>>>> 
>>>> 
>>>>> On Jan 27, 2016, at 4:36 PM, Will W. <will at damagesinc.net> wrote:
>>>>> 
>>>>> Question
>>>>> With Start_TLS yes
>>>>> this is enabling the Freeradius to connect to the LDAP server over a
>>>>> TLS tunnel correct?
>>>> 
>>>> Yes, the connection starts off as plaintext, then the ldap client
>>>> requests to establish a TLS tunnel.
>>>> 
>>>> Map looks OK.  You need to run ldapsearch with this invocation to see if
>>>> the userPassword is being returned:
>>>> 
>>>> ldapsearch -H ldap://ldap.myhost.com:389 -ZZ -x -b
>>>> "ou=Users,dc=myhost,dc=com" -D "uid=demouser,ou=Users,dc=myhost,dc=com" -w
>>>> testing123 "(objectClass=posixGroup)" userPassword
>>> 
>>> Here are the headers and what they map to:
>>> 
>>> /*
>>>  *      For auto-header discovery.
>>>  *
>>>  *      @note Header comparison is case insensitive.
>>>  */
>>> static const FR_NAME_NUMBER header_names[] = {
>>>       { "{clear}",            PW_CLEARTEXT_PASSWORD },
>>>       { "{cleartext}",        PW_CLEARTEXT_PASSWORD },
>>>       { "{md5}",              PW_MD5_PASSWORD },
>>>       { "{base64_md5}",       PW_MD5_PASSWORD },
>>>       { "{smd5}",             PW_SMD5_PASSWORD },
>>>       { "{crypt}",            PW_CRYPT_PASSWORD },
>>> #ifdef HAVE_OPENSSL_EVP_H
>>>       /*
>>>        *      It'd make more sense for the headers to be
>>>        *      ssha2-* with SHA3 coming soon but we're at
>>>        *      the mercy of directory implementors.
>>>        */
>>>       { "{sha2}",             PW_SHA2_PASSWORD },
>>>       { "{sha224}",           PW_SHA2_PASSWORD },
>>>       { "{sha256}",           PW_SHA2_PASSWORD },
>>>       { "{sha384}",           PW_SHA2_PASSWORD },
>>>       { "{sha512}",           PW_SHA2_PASSWORD },
>>>       { "{ssha224}",          PW_SSHA2_224_PASSWORD },
>>>       { "{ssha256}",          PW_SSHA2_256_PASSWORD },
>>>       { "{ssha384}",          PW_SSHA2_384_PASSWORD },
>>>       { "{ssha512}",          PW_SSHA2_512_PASSWORD },
>>> #endif
>>>       { "{sha}",              PW_SHA_PASSWORD },
>>>       { "{ssha}",             PW_SSHA_PASSWORD },
>>>       { "{md4}",              PW_NT_PASSWORD },
>>>       { "{nt}",               PW_NT_PASSWORD },
>>>       { "{nthash}",           PW_NT_PASSWORD },
>>>       { "{x-nthash}",         PW_NT_PASSWORD },
>>>       { "{ns-mta-md5}",       PW_NS_MTA_MD5_PASSWORD },
>>>       { "{x- orcllmv}",       PW_LM_PASSWORD },
>>>       { "{X- orclntv}",       PW_NT_PASSWORD },
>>>       { NULL, 0 }
>>> };
>>> 
>>> You need to call the pap module in authorize after the LDAP module in
>>> order to strip the header and perform the conversion.
>>> 
>>> It also does a bunch of normalisation.  It could be you have the modules
>>> in the wrong order, pap then ldap when you need ldap then pap.
>>> 
>>> -Arran
>>> 
>>> -
>>> List info/subscribe/unsubscribe? See
>>> http://www.freeradius.org/list/users.html
>>> 
> 
> 
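The header stripping and salted/unsalted SHA-512 check that Arran's table and explanation describe, as an added Python example that is neither part of this thread nor FreeRADIUS's own code. It assumes the OpenLDAP convention that a `{SSHA512}` body is base64(digest || salt); the HEADERS subset and helper names are mine.

```python
import base64
import binascii
import hashlib
import hmac

# Subset of the case-insensitive header table quoted in the thread,
# mapped to (hash algorithm, salted?). Constructed for this example.
HEADERS = {
    "{sha}": ("sha1", False),
    "{ssha}": ("sha1", True),
    "{sha256}": ("sha256", False),
    "{ssha256}": ("sha256", True),
    "{sha512}": ("sha512", False),
    "{ssha512}": ("sha512", True),
}


def split_header(user_password: str):
    """Return (header, body); header is lower-cased like rlm_pap's
    comparison, or None when the value carries no '{...}' prefix."""
    end = user_password.find("}") if user_password.startswith("{") else -1
    if end < 0:
        return None, user_password
    return user_password[:end + 1].lower(), user_password[end + 1:]


def check_password(user_password: str, candidate: str) -> bool:
    """Verify a cleartext candidate against an LDAP userPassword value
    such as '{SSHA512}<base64(digest || salt)>'. Unknown headers,
    malformed base64 and truncated digests are all rejected."""
    header, body = split_header(user_password)
    if header not in HEADERS:
        return False
    algo, salted = HEADERS[header]
    try:
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return False
    size = hashlib.new(algo).digest_size
    if len(raw) < size:
        return False  # body too short to hold one digest
    digest, salt = raw[:size], raw[size:]
    if not salted and salt:
        return False  # unsalted form must be exactly one digest
    calc = hashlib.new(algo, candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(calc, digest)  # constant-time compare


def make_hash(header: str, password: str, salt: bytes = b"") -> str:
    """Build a userPassword value as a directory would store it (constructed
    helper), e.g. make_hash("{SSHA512}", pw, os.urandom(8))."""
    algo, salted = HEADERS[header.lower()]
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return header + base64.b64encode(digest + (salt if salted else b"")).decode("ascii")
```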