On Fri, Nov 11, 2011 at 8:29 AM, Gary Gatten <ggat...@waddell.com> wrote:
> I agree with Jake, in that I *think* it would be possible to have a plugin or
> whatever interface with LDAP/AD in the same manner ntlm_auth does. I don't
> think one *needs* a cleartext password, but does need some way to compare
> apples-to-apples.

That's exactly what Alan is saying: "store your passwords in the LDAP as NT-Password or LM-Password" ... although in my experiments NT-Password alone is enough, but LM-Password alone is useless.

How can you create NT-Password? One way to do that is by hijacking the process where the user enters the password as plaintext (e.g. from the password prompt when users change their password) and using smbencrypt (part of freeradius).

Where do you store NT-Password in LDAP? In the ntPassword or sambaNtPassword LDAP attribute (or any other attribute of your choice, as long as you remember to update raddb/ldap.attrmap as well).

If you have NT-Password, then you don't need the user's cleartext password anymore, and you don't even need any helper tool.

--
Fajar