I'm wondering if anyone has ever tried to put an NT hash password directly into the LDAP userPassword field, and have it authenticated through FreeRADIUS.

Here's the situation:

We have a working configuration that is set up as EAP-LEAP and LDAP where the NT hash is stored in the ntPassword attribute (as is a typical implementation). It works great, but causes some issues on our side (more process than technical), so I wrote a SunOne passwd storage plugin that creates an NT hash and uses that vs. the standard CLEAR, SHA-1, SSHA, etc. schemes. My plugin that creates an NT hash instead works as expected with users who are being added, binding to the repository. Essentially all things LDAP are fine. My questions focus on how FreeRADIUS authenticates against LDAP.

My main question is: can I modify the LDAP attribute mapping to point NT-Password to userPassword, and have it work? I'm concerned that FreeRADIUS isn't going to understand my {NT} prefix that's prepended to the password. Even if I declare it in the LDAP module, is my only way to indicate that it's an NT hash by pointing the NT-Password attribute at it? Also, I have an additional concern that since it's not currently being written as "0x" and the password, FreeRADIUS won't see it either. Should I then create it such that the password is seen as "{NT}0x" followed by the password?

I'm in the process of testing now, but I was wondering if anyone has gone down this road before. If not, I'll update if anyone wants to know what I did...

--J.
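As an added example (not the poster's SunOne plugin and not FreeRADIUS code), here is how the "{NT}0x<hex>" userPassword form asked about above can be produced and then normalized back into the bare NT hash a header-aware server would need. The NT hash is MD4 over the UTF-16LE password, unsalted; MD4 is implemented inline because many Python builds no longer expose it through hashlib, and all function names are my own.

```python
import hmac
import struct

M = 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, written out here because hashlib's md4 is absent on many OpenSSL 3 builds."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & M
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1: F, message words in natural order
            a, d, c, b = d, c, b, rotl((a + f(b, c, d) + x[i]) & M, (3, 7, 11, 19)[i % 4])
        for i in range(16):  # round 2: G, column order, constant from sqrt(2)
            k = (i % 4) * 4 + i // 4
            a, d, c, b = d, c, b, rotl((a + g(b, c, d) + x[k] + 0x5A827999) & M, (3, 5, 9, 13)[i % 4])
        for i in range(16):  # round 3: H, bit-reversed order, constant from sqrt(3)
            a, d, c, b = d, c, b, rotl((a + h(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & M, (3, 9, 11, 15)[i % 4])
        a, b, c, d = (a + aa) & M, (b + bb) & M, (c + cc) & M, (d + dd) & M
    return struct.pack("<4I", a, b, c, d)

def nt_password_value(password: str, hex_prefix: bool = True) -> str:
    """Build the userPassword form discussed above: {NT} header, optional 0x, hex MD4 of UTF-16LE."""
    return "{NT}" + ("0x" if hex_prefix else "") + md4(password.encode("utf-16-le")).hex()

def parse_userpassword(value: str):
    """Return the 32-char lowercase NT hash from a {NT}-tagged value, or None if it is not one.
    Header case and the 0x prefix are both optional, which is what a header-aware server must tolerate."""
    if not value.startswith("{") or "}" not in value:
        return None
    scheme, body = value[1:].split("}", 1)
    if scheme.lower() != "nt":
        return None  # some other storage scheme ({SSHA}, {crypt}, ...): not handled here
    body = body.lower()
    if body.startswith("0x"):
        body = body[2:]
    if len(body) != 32 or any(ch not in "0123456789abcdef" for ch in body):
        return None  # malformed digest: fail closed rather than compare garbage
    return body

def nt_hash_matches(password: str, stored: str) -> bool:
    """PAP-style check; LEAP/MS-CHAP would instead use the recovered hash as challenge-response key material."""
    digest = parse_userpassword(stored)
    return digest is not None and hmac.compare_digest(digest, md4(password.encode("utf-16-le")).hex())
```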


- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
