I have zimbra openLDAP v2.3.43 running on RHEL4.7 ES and I am trying to connect our FreeRADIUS server to authenticate against LDAP. I have also been trying to stand up plain openLDAP v2.4.17 to see if I can get that to work. FreeRADIUS requires PEAP/CHAPv2 to authenticate, which means it needs to be handed a clear text password in order to work. Yes, I know in general this is not a good idea. How can I configure openLDAP to store passwords (userPassword attribute) in cleartext? Or at the very least, create a script that will be able to take the encrypted password and store it in cleartext as another attribute.
Thanks,
Using slapd.conf:

    password-hash {CLEARTEXT}

Using cn=config:

    olcPasswordHash: {CLEARTEXT}

See the slapd.conf manual for details.

On Thu, Jul 23, 2009 at 1:13 PM, Eric Bourkland <eric.bourkland@trustedconcepts.com> wrote:
> I have zimbra openLDAP v2.3.43 running on RHEL4.7 ES and I am trying to connect our FreeRADIUS server to authenticate against LDAP. I have also been trying to stand up plain openLDAP v2.4.17 to see if I can get that to work. FreeRADIUS requires PEAP/CHAPv2 to authenticate, which means it needs to be handed a clear text password in order to work. Yes, I know in general this is not a good idea. How can I configure openLDAP to store passwords (userPassword attribute) in cleartext? Or at the very least, create a script that will be able to take the encrypted password and store it in cleartext as another attribute.
> Thanks,
On Thursday, 23 July 2009 20:13:48 Eric Bourkland wrote:
> I have zimbra openLDAP v2.3.43 running on RHEL4.7 ES and I am trying to connect our FreeRADIUS server to authenticate against LDAP. I have also been trying to stand up plain openLDAP v2.4.17 to see if I can get that to work. FreeRADIUS requires PEAP/CHAPv2 to authenticate,
No, FreeRADIUS can bind to the directory to validate clear-text passwords. However, if you require PEAP/CHAPv2, then you need a valid mechanism for generating a CHAPv2 challenge.
> which means it needs to be handed a clear text password in order to work.
No, CHAPv2 challenges can be generated from an NT password hash, such as those used by samba. FreeRADIUS supports this, using e.g. the sambaNTPassword attribute.
I don't think zimbra ships the smbk5pwd overlay in their OpenLDAP packages (even though there is a zimbra extension for Samba), but if they did, this would provide an easy means of ensuring that the sambaNTPassword hashes are kept up-to-date.
> Yes, I know in general this is not a good idea. How can I configure openLDAP to store passwords (userPassword attribute) in cleartext? Or at the very least, create a script that will be able to take the encrypted password and store it in cleartext as another attribute.
In other words, brute-force the passwords? That would take a long time.
I assume what you are trying to do here is WPA2 with PEAP/MSCHAPv2. I found this quite easy to implement on an existing OpenLDAP directory that was already being used for samba, with no clear text passwords for users anywhere.
Regards, Buchan
On Thu, Jul 23, 2009 at 4:13 PM, Eric Bourkland <eric.bourkland@trustedconcepts.com> wrote:
> Or at the very least, create a script that will be able to take the encrypted password and store it in cleartext as another attribute.
Waste of time. You should use social engineering (hint: password policies)
Hi,
> > Or at the very least, create a script that will be able to take the encrypted password and store it in cleartext as another attribute.
> Waste of time. You should use social engineering (hint: password policies)
Not to mention it may be difficult to achieve if all the passwords are strong enough and well encrypted.
If you absolutely need access to the cleartext passwords, the easiest way is to ask your users (with a way to force them to provide it to you: for example the next time they login, you force them to change their password and this time you store it in cleartext).
Olivier
openldap-technical@openldap.org