CentOS OpenLDAP pwdReset Attribute

Th1am1dMonozoicK4runa Th1am1dMonozoicK4runa at protonmail.com
Tue Oct 26 14:43:49 CEST 2021

On Monday, October 25th, 2021 at 5:09 PM, Alan DeKok <aland at deployingradius.com> wrote:

> You can always run an LDAP query manually via "unlang" to check the status of the pwdReset field.

Thank you for the tip, I was leaning that way, but was curious what the recommended method would be.

> The recommendation against using "Auth-Type = LDAP" is that it only works for clear-text passwords. If the user tries CHAP / MS-CHAP / EAP, then "Auth-Type = LDAP" simply won't work.

And there's no way around this for users that have to have both LDAP and RADIUS, correct? Even though there are articles floating around out there about setting CHAP with LDAP: https://www.wogri.com/networking/freeradius-chap/

> Note also that there's no standard for doing password changes via RADIUS. So the only thing you'll get by setting / checking pwdReset is that users won't be able to log in via RADIUS.

Overall, we're just trying to implement the most secure/best practice setup to allow the LDAP users and RADIUS users to utilize the same company-driven password policy. Looked like the only way to accomplish that was to have RADIUS use LDAP as a password database.

Thanks for your time!
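
The manual pwdReset check suggested in the quoted reply, sketched as an added FreeRADIUS 3.x unlang example (not part of the original thread and not the FreeRADIUS project's own configuration). The base DN `ou=people,dc=example,dc=com`, the `uid` filter and the Reply-Message text are assumptions, as is an `ldap` module instance whose bind identity may read the operational `pwdReset` attribute.

```unlang
# Added example, not from the thread. Belongs in the authorize section
# of the virtual server that handles these users (FreeRADIUS 3.x syntax).
authorize {
    # ... existing modules stay as already configured ...

    # Let the ldap module locate the user and fetch the password as usual.
    ldap

    # pwdReset is an operational attribute of the ppolicy overlay, so it is
    # only returned when requested by name. The LDAP URL asks for exactly
    # that attribute. Base DN and filter are assumptions; adjust them to
    # the directory layout in use.
    if ("%{ldap:ldap:///ou=people,dc=example,dc=com?pwdReset?sub?(uid=%{%{Stripped-User-Name}:-%{User-Name}})}" == "TRUE") {
        # RADIUS has no standard password-change mechanism, so the only
        # enforcement available here is to refuse the login.
        update reply {
            Reply-Message := "Password reset required"
        }
        reject
    }

    # ... pap / chap / mschap / eap as already configured ...
}
```

An account without the attribute yields an empty expansion, which does not equal "TRUE", so only accounts explicitly flagged for reset are rejected.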
