On Tue, 8 Feb 2005, Jason Howk wrote:

OK.  I think I found my issue...

When mapping the NT-Password to the userPassword, freeRadius is not reading beyond the first character of the attribute when it's a "{". Subsequently all that I see is, "Adding userPassword as NT-Password, value { & op=21". To see if it was just this attribute or others, I tried the same thing with the ntPassword attribute. The same result happened. It seems that regardless of attribute being mapped, if there's a "{" in the attribute, freeRadius won't read any further -- or that's what it seems like it's doing.

My attr_rewrite module is active but obviously doesn't see the whole string, and so isn't re-writing anything meaningful. Is there something that I need to be doing for it to read or is it a limitation?

It's a limitation. Please wait till tomorrow, I'll work out a solution in the meantime.



Thanks, J.


On Feb 8, 2005, at 4:11 AM, Kostas Kalevras wrote:

On Mon, 7 Feb 2005, Jason Howk wrote:

I'm wondering if anyone has ever tried to put an NT hash password directly into the LDAP userPassword field, and have it authenticated through free radius.

Here's the situation:

We have a working configuration that is set up as EAP-LEAP and LDAP where the NT hash is stored in the ntPassword attribute (as is a typical implementation). It works great, but causes some issues on our side (more process than technical), so I wrote a SunOne passwd storage plugin that creates an NT hash and uses that vs. the standard CLEAR, SHA-1, SSHA, etc. schemes. My plugin that creates an NT hash instead works as expected with users who are being added, binding to the repository. Essentially all things LDAP are fine. My questions focus around how freeRadius authenticates against LDAP.

My main question is can I modify the LDAP attribute mapping to point the NT-Password to userPassword, and have it work? I'm concerned that freeRadius isn't going to understand my {NT} prefix that's prepended to the password. Even if I declare it in the LDAP module, is my only way to indicate that it's an NT hash by pointing the NT-Password attribute at it? Also, I have an additional concern that since it's not currently being written as "0x" and the password, that freeRadius won't see it either. Should I then create such that the password is seen as "{NT}0x" followed by the password?

I'm in the process of testing now, but I was wondering if anyone has gone down this road before. If not, I'll update if anyone wants to know what I did...

I think your best choice would be to continue mapping the userPassword attribute to NT-Password and use the attr_rewrite module after the ldap module in the authorize section to remove the {NT} part and add a '0x' at the start of NT-Password.



--J.


- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



-- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 210 7721861 'Go back to the shadow' Gandalf
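To make the attr_rewrite approach Kostas suggests concrete, here is an added example configuration; it is not from this thread and not the FreeRADIUS project's own file. It assumes ldap.attrmap already maps the userPassword attribute to the NT-Password check item (the mapping Jason describes), and the option names and the "config" search target are as I recall them from rlm_attr_rewrite in the 1.x series, so compare them against the commented example in your own radiusd.conf before relying on them.

```conf
# Added example (not from the thread or from FreeRADIUS): an rlm_attr_rewrite
# instance that turns the NT-Password check item the ldap module created from
# userPassword, e.g. "{NT}<32 hex chars>", into the "0x<32 hex chars>" form.
#
# Assumed prerequisite in ldap.attrmap (the thread's mapping):
#   checkItem   NT-Password   userPassword

modules {
        attr_rewrite nt_prefix_to_hex {
                attribute = NT-Password
                # "config" = the check items the ldap module has just added,
                # as opposed to the request packet or the reply
                searchin = config
                # Match a literal "{NT}" at the start of the value. The
                # bracket classes [{] and [}] avoid any question of how the
                # config parser treats backslash escapes.
                searchfor = "^[{]NT[}]"
                replacewith = "0x"
                ignore_case = no
                new_attribute = no
                max_matches = 1
                append = no
        }
}

authorize {
        preprocess
        ldap
        # Must run after ldap, so the NT-Password check item already exists
        nt_prefix_to_hex
        eap
}
```

Two things to check when testing this. First, as Jason's debug output shows, the ldap module in the version discussed stops at the first character when the value starts with "{", so the rewrite never sees "{NT}..." and has nothing to match until that truncation is fixed; watch the "Adding userPassword as NT-Password" line in debug output and confirm the full 32 hex characters arrive before blaming the regex. Second, an NT hash stored in userPassword is a password-equivalent credential exactly as it is in ntPassword, so whatever directory ACLs restrict reads of ntPassword (typically only the RADIUS bind DN) need to cover userPassword in this setup as well.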







