The docs do tend to gloss over the bits about how to get the needed password
into your LDAP store (besides just saying cleartext or LM/NT). First, check
that the user you have set up for ldap to use has auth (not read) access to the
userPassword attribute, which I think is true since you said radtest works for
ldap users. That user (and really only that user (hopefully not using the
superuser)) should also be able to read the LM/NT password fields:

    access to attrs=sambaLMPassword,sambaNTPassword
        by ssf=128 dn.exact="cn=LdapProxyUser,dc=example,dc=com" read
        by self write
        by * none

(the ssf=128 only allows it if ssl/tls is used). These fields are in the
samba.schema file, which you will have to go look for (usually in the samba
package), and are typically labeled sambaLMPassword and sambaNTPassword,
depending on which version of that schema you get. Edit the ldap.attrmap file
to match the field names; it should be obvious what to change in there, if
needed. Add the sambaSamAccount class to your users*, and once the fields are
there, use the samba password util to generate the hashes by hand (can't
remember its name, smbpasswd?), use the perl Crypt::SmbHash module to build a
perl script to hash them, or look in the contrib/ dir of the openldap source
for the smbk5pwd module** that will autogen and sync the hashes whenever
someone changes their pw (if pw changes are set to use ldap exop). Since you
are using the Atlassian openLDAP, I'm guessing the module option is out, though
you can probably recompile openLDAP from source with the module and just make
sure their schemas are put in place and use a slapcat LDIF to repopulate, or
create a separate LDAP tree and tell the atlassian stuff to auth to it instead,
or use crowd... Once LM/NT passwords are good, just turn on mschapv2 and have
an SSL cert ready for it with the windowsxp v3 extensions and it should "just
work" after all that ;)


-T

* sambaSID is a required value for this schema; if you don't already have SIDs
for your users (AD assigns them in Windoze land), and have no grand scheme for
this to be critical, something like S001-100-$uidNumber works well
** compiling this requires either heimdal dev libs present during compile, or
editing the makefile and src to disable the heimdal lib includes (and thus krb5
(kerberos) hash support). This also means, if you add the krb5 schema to ldap,
you can use this module to sync your kerberos pass as well.
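Putting the hash-generation step of the above into code, as an added example that is not part of the original post and not code from the FreeRADIUS, Samba or OpenLDAP projects: a Python script (in place of the perl Crypt::SmbHash route the reply mentions) that computes the sambaNTPassword value for a user and emits the LDIF that adds the sambaSamAccount class, the mandatory sambaSID and the hash to an existing entry. Only the NT hash is produced: rlm_mschap needs NT-Password for MS-CHAPv2 and uses LM-Password only for MS-CHAPv1, so sambaLMPassword can stay unset. The user DN, uidNumber, the domain SID prefix and the RID rule (Samba's algorithmic default, rid = 2*uidNumber + 1000) are assumptions made for the example, not values from the thread; MD4 is implemented inline because hashlib's md4 is frequently unavailable on OpenSSL 3 builds.

```python
"""Generate the Samba NT password hash and the LDIF needed to give an existing
LDAP user a sambaSamAccount entry, so FreeRADIUS can do MS-CHAPv2 against it.

MD4 is implemented in pure Python (RFC 1320) because hashlib on OpenSSL 3
builds often refuses 'md4' without the legacy provider. The DN, uidNumber and
domain SID used at the bottom are constructed sample data, not a real directory.
"""
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def _md4_block(state, block):
    """One MD4 compression over a 64-byte block."""
    X = struct.unpack("<16I", block)
    a, b, c, d = state
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    # Each round is 16 steps; rotating (a,b,c,d) after every step reproduces
    # the a/d/c/b variable order of the RFC without writing out 48 lines.
    for i in range(16):                                   # round 1
        a = _rotl((a + F(b, c, d) + X[i]) & _MASK, (3, 7, 11, 19)[i % 4])
        a, b, c, d = d, a, b, c
    for i in range(16):                                   # round 2
        k = (i % 4) * 4 + i // 4                          # 0,4,8,12,1,5,...
        a = _rotl((a + G(b, c, d) + X[k] + 0x5A827999) & _MASK, (3, 5, 9, 13)[i % 4])
        a, b, c, d = d, a, b, c
    for i in range(16):                                   # round 3
        k = (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]   # 0,8,4,12,2,10,...
        a = _rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4])
        a, b, c, d = d, a, b, c
    return tuple((s + v) & _MASK for s, v in zip(state, (a, b, c, d)))


def md4(data: bytes) -> bytes:
    state = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
    # Padding: 0x80, zeros up to 56 mod 64, then the bit length as 64-bit LE.
    padded = (data + b"\x80" + b"\x00" * ((55 - len(data)) % 64)
              + struct.pack("<Q", len(data) * 8))
    for off in range(0, len(padded), 64):
        state = _md4_block(state, padded[off:off + 64])
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """sambaNTPassword value: MD4 over the UTF-16LE password, as uppercase hex."""
    return md4(password.encode("utf-16-le")).hex().upper()


def samba_ldif(dn: str, uid_number: int, password: str, domain_sid: str) -> str:
    """LDIF 'modify' that adds sambaSamAccount, sambaSID and the NT hash to an
    existing posix user. sambaSID is mandatory in the schema; the RID is derived
    from uidNumber with Samba's algorithmic default (assumed here), any
    consistent scheme would do for a RADIUS-only deployment."""
    rid = 2 * uid_number + 1000
    lines = [
        f"dn: {dn}",
        "changetype: modify",
        "add: objectClass",
        "objectClass: sambaSamAccount",
        "-",
        "add: sambaSID",
        f"sambaSID: {domain_sid}-{rid}",
        "-",
        "add: sambaNTPassword",
        f"sambaNTPassword: {nt_hash(password)}",
        "-",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: one posix user and a made-up domain SID prefix.
    print(samba_ldif("uid=jdoe,ou=people,dc=example,dc=com", 1001, "password",
                     "S-1-5-21-1111111111-2222222222-3333333333"))
```

Pipe the output into ldapmodify as a bind DN the ACL above allows to write the attribute, then map it in ldap.attrmap with a line of the form `checkItem NT-Password sambaNTPassword` (FreeRADIUS 2.x attrmap syntax, assumed here) so rlm_mschap finds it. Keep in mind what the ACL hands the RADIUS bind user: an NT hash is password-equivalent for NTLM and MS-CHAP, so the bind password and the TLS requirement (the ssf=128 clause) deserve the same care as the hashes themselves.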


----- Original Message -----
Date: Wed, 22 Jul 2009 10:54:57 -0500 (CDT)
From: Eric Bourkland <eric.bourkl...@trustedconcepts.com>
Subject: 
To: t...@kalik.net,     FreeRadius users mailing list
        <freeradius-users@lists.freeradius.org>
Message-ID:
        <10598636.13761248278097270.javamail.r...@tci01.managed.contegix.com>
Content-Type: text/plain; charset=utf-8

What would be the best solution since freeRadius currently can't get the
password out of my openLDAP unless it is using PAP? It gets the password in the
request via PEAP. I would like to avoid having to tell everyone with a windows
client that they need to install SecureW2.
What would be nice is if it was smart enough to receive the request in multiple
formats/protocols and then translate it into multiple formats/protocols to
query out to flat file/DB/LDAP or AD instead of just passing the request along.
Although there is the risk of something getting messed up with scripts
converting protocols and there are probably a million different scenarios out
there. Maybe I'm missing something since I'm still new to Radius.

Is the easiest thing to do to monkey with the openLDAP schema and add some
cleartext password attributes? If I get this done is there some place in one
of the config files that I need to update to look for a particular password
attribute when Radius tries to do the authentication or does it figure it out
for itself?
I have been beating my head against a wall for about a week on this and the
documentation mocks me by always saying it just works.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
