On Thursday, 23 July 2009 20:13:48 Eric Bourkland wrote:
> I have zimbra openLDAP v2.3.43 running on RHEL4.7 ES and I am trying to connect our freeRadius server to authenticate against LDAP. I have also been trying to stand up plain openLDAP v2.4.17 to see if I can get that to work. Free Radius requires PEAP/CHAPv2 to authenticate,
No, FreeRADIUS can bind to the directory to validate clear-text passwords. However, if you require PEAP/CHAPv2, then you need a valid mechanism for generating a CHAPv2 challenge.
> which means it needs to be handed a clear text password in order to work.
No, CHAPv2 challenges can be generated from an NT password hash, such as those used by samba. FreeRADIUS supports this, using e.g. the sambaNTPassword attribute.
I don't think zimbra ships the smbk5pwd overlay in their OpenLDAP packages (even though there is a zimbra extension for Samba), but if they did, this would provide an easy means of ensuring that the sambaNTPassword hashes are kept up-to-date.
> Yes, I know in general this is not a good idea. How can I configure openLDAP to store passwords (userpassword attribute) in cleartext. Or at the very least create a script that will be able to take the encrypted password and store it in cleartext as another attribute.
In other words, brute-force the passwords? That would take a long time.
I assume what you are trying to do here is WPA2 with PEAP/MSCHAPv2. I found this quite easy to implement on an existing OpenLDAP directory that was already being used for samba, with no clear text passwords for users anywhere.
Regards, Buchan
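Added example, not part of the thread above and not Samba's, FreeRADIUS's or smbk5pwd's own code: it shows why no script can turn a stored {SSHA} userPassword back into clear text (verify_ssha can only check a candidate), and what value the sambaNTPassword attribute actually needs, namely MD4 over the UTF-16LE password, which can only be computed at the moment the clear-text password is available (a bind or a password change, which is where smbk5pwd hooks in). MD4 is implemented inline because hashlib's md4 is usually disabled as a legacy algorithm. The DN, the salt and the passwords are constructed sample values; sambaNTPassword is the Samba schema attribute named in the reply.

```python
"""NT hash and {SSHA} helpers for the sambaNTPassword discussion.

Added example; the DN, salt and passwords below are constructed.
"""
import base64
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, written out because hashlib often lacks it."""
    msg = bytearray(data)
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", len(data) * 8)  # bit length, little-endian

    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for func, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = _rotl((a + func(b, c, d) + x[k] + const) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate so the next step updates the next word
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """The NT hash: MD4 over the UTF-16LE encoding of the password, unsalted."""
    return md4(password.encode("utf-16-le"))


def samba_nt_password(password: str) -> str:
    """Value as stored in sambaNTPassword: 32 upper-case hex characters."""
    return nt_hash(password).hex().upper()


def make_ssha(password: str, salt: bytes) -> str:
    """OpenLDAP {SSHA}: base64(sha1(password || salt) || salt). One-way."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored: str, candidate: str) -> bool:
    """All a stored {SSHA} value permits: checking a candidate, never recovery."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    probe = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(probe, digest)


def ldif_set_nt_password(dn: str, password: str) -> str:
    """LDIF to (re)populate sambaNTPassword while the clear text is in hand."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: sambaNTPassword",
        f"sambaNTPassword: {samba_nt_password(password)}",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample values; the DN is not a real directory entry.
    stored = make_ssha("password", b"s4lt")
    print("stored userPassword:", stored)
    print("candidate accepted:", verify_ssha(stored, "password"))
    print(ldif_set_nt_password("uid=eric,ou=people,dc=example,dc=com", "password"))
```

The NT hash is unsalted and is itself enough to answer an MSCHAPv2 challenge, so in a directory that carries sambaNTPassword the read ACL on that attribute should be as tight as on userPassword, with only the identity FreeRADIUS binds as allowed to read it.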