CentOS OpenLDAP pwdReset Attribute
Alan DeKok
aland at deployingradius.com
Tue Oct 26 19:09:26 CEST 2021
On Oct 26, 2021, at 12:51 PM, Marek Zarychta <zarychtam at plan-b.pwste.edu.pl> wrote:
> For better GDPR compliance and security I'd like to recommend using
> NT-Password for authentication (sambaNTPassword in LDAP).
All 8-character NT hashes can be cracked fairly quickly:
https://www.theregister.com/2019/02/14/password_length/
> These
> passwords stored as NT hashes are fully compliant with MSCHAP
> authentication, but you have to store them in LDAP (or even a database),
> so you have to store and change both: the SHA hashed userPassword and the NT
> hashed sambaNTPassword for each user. The drawback is that such a
> solution requires a 3rd-party password updating tool for LDAP.
My choice would be (in order)
* use whatever is mandated by your DB, because you don't have a choice
e.g. NT hashes for Active Directory
* some crypt'd / salted format. Whatever it is doesn't matter, so long as it's relatively recent
* clear-text passwords
If you're not using AD, then NT hashes are *slightly* better than clear-text passwords. But any additional security is little more than an illusion. If someone gets access to the password DB, then NT hashes are entirely equivalent to clear-text passwords. Anyone with $ to spare can crack the passwords pretty quickly.
Alan DeKok.