On Thursday, 23 July 2009 20:13:48 Eric Bourkland wrote:
> I have zimbra openLDAP v2.3.43 running on RHEL4.7 ES and I am trying
> to connect our freeRadius server to authenticate against LDAP. I have also
> been trying to stand up plain openLDAP v2.4.17 to see if I can get that to
> work. Free Radius requires PEAP/CHAPv2 to authenticate,

No, FreeRADIUS can bind to the directory to validate clear-text passwords.
However, if you require PEAP/CHAPv2, then you need a valid mechanism for
generating a CHAPv2 challenge.

> which means it
> needs to be handed a clear text password in order to work.

No, CHAPv2 challenges can be generated from an NT password hash, such as those
used by samba. FreeRADIUS supports this, using e.g. the sambaNTPassword

I don't think zimbra ships the smbk5pwd overlay in their OpenLDAP packages
(even though there is a zimbra extension for Samba), but if they did, this
would provide an easy means of ensuring that the sambaNTPassword hashes are

> Yes, I know in
> general this is not a good idea. How can I configure openLDAP to store
> passwords (userpassword attribute) in cleartext? Or at the very least
> create a script that will be able to take the encrypted password and store
> it in cleartext as another attribute.

In other words, brute-force the passwords? That would take a long time.

I assume what you are trying to do here is WPA2 with PEAP/MSCHAPv2. I found
this quite easy to implement on an existing OpenLDAP directory that was
already being used for samba, with no clear text passwords for users anywhere.