On 10/27/2010 07:11 PM, Sven Hartge wrote:
You need a password in the clear in your LDAP directory, not hashed. I use a
different (self defined) attribute in my LDAP directory to do this and
use ldap.attrmap to map this attribute (called gifb-NetzPassword in my
schema) to the required RADIUS-Attribute-Name:
checkItem Cleartext-Password gifb-NetzPassword
Sven knows this but probably just forgot to mention this. No matter
which ldap attribute you choose to store the clear text password in make
sure it is absolutely locked down with LDAP ACI's (Access Controls).
Consult your LDAP documentation for the exact syntax since it tends to
vary with different servers. The ACI should permit only the LDAP
administrator and the radius user (the special user account assigned
exclusively to the radius *server*) to access the password attribute.
You may additionally provide an extra level of protection if some one
gets access to the actual disk files (or backup's) of the LDAP store by
asking your ldap server to reversibly encrypt the attribute used to
store the cleartext password. Not all LDAP servers have this feature but
many do.
Finally, many people would argue it's never a good idea to store
cleartext passwords under any circumstance. There is much validity to
that argument and you should give it careful consideration.
Another option besides storing cleartext is to use a multivalued LDAP
attribute with different hashes, including the nt hash. But whether you
go the cleartext route or the multivalued password attribute route
you'll have to get your users to renter their passwords so you can
generate the hashes. Consult your LDAP documentation, many LDAP servers
can be configured when storing a password to generate a variety of
hashes and then throw the cleartext away leaving only the specified
hashes in LDAP.
--
John Dennis <jden...@redhat.com>
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
