On Tue, 2 Jul 2002, Mike Denka wrote:

> I'm trying to authenticate via OpenLDAP-2.0.23 using the ldap module in
> the radiusd.conf file and using ldap authentication and authorization in
> the users file.  The authentication works just fine when I add a dialup
> account in the ldap database and use a cleartext password for the
> userPassword attribute (actually, when you assign a clear text password
> to the userPassword attribute, I believe the default hash is SHA1).
> However, if I put a DES hashed password from an existing /etc/shadow
> file into the userPassword attribute using the following notation:
>
> userPassword: (crypt)rPjsdFT9er*6o

use:

userpassword: {crypt}rPjsdFT9er*6o

>
> authentication breaks down.  I can't authenticate to a crypt hashed
> password in the ldap database.  Does anyone have a possible explanation
> for this behavior?  During authentication to the ldap server, does
> radius send the password to the ldap server in clear text
> (notwithstanding the use of SSL which would encrypt the entire
> transaction)?  I'm thinking the process goes as follows:
>
> NAS encrypts the cleartext password from the dialup user with shared
> secret
> FreeRadius decrypts the password from the NAS using the shared secret
> FreeRadius sends clear text password to LDAP server
>
> Is this the correct understanding?
>
> When radius tries to authenticate via ldap, does it do so with a bind
> operation or some other type of authentication operation?  In the
> current ldap config file, I allow anonymous "auth" access to
> userPassword.  Is the radius authentication to ldap using "auth" access?

If you do authentication with the ldap module it will try to do an LDAP BIND
operation. That means that it will send the user DN and password to the ldap
server and wait for a response. In other words it will send the cleartext
password over the wire. You can secure the connection by enabling TLS (start_tls
configuration directive).

--
Kostas Kalevras         Network Operations Center
[EMAIL PROTECTED]      National Technical University of Athens, Greece
Work Phone:             +30 10 7721861
'Go back to the shadow' Gandalf

> I'm thinking my problem is quite likely an OpenLDAP issue, but I can't
> get any response from the openLDAP mailing list - it appears to be down
> or gone - and I'm betting there are other freeradius users out there who
> are using ldap authentication with openldap who have probably dealt with
> this and solved the problem.
>
> Thanks very much,
>
> Mike
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>


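As an added illustration of the two points in the reply above (the attribute value must use the `{scheme}` prefix, and a simple bind hands the directory the cleartext password so the server can do the comparison), here is a small Python model of the server side of that bind. It is not FreeRADIUS or OpenLDAP code; it assumes slapd's documented behaviour that a userPassword value with a recognised `{SCHEME}` prefix is verified under that scheme and a value with no such prefix is compared as literal cleartext. The DNs, the SSHA salt and the "correct horse" password are constructed for the example; the DES string is the one quoted in the thread (its plaintext is not known here), so `{crypt}` verification is wired up but only runs where the interpreter still ships the `crypt` module.

```python
import base64
import hashlib
import hmac
import os
import re

try:
    import crypt  # stdlib wrapper around crypt(3); absent on Python >= 3.13 and on Windows
except ImportError:
    crypt = None

# DES crypt string quoted in the thread; its cleartext is not known to this example.
SAMPLE_HASH = "rPjsdFT9er*6o"

# userPassword syntax: "{SCHEME}data". Anything else is stored and compared as cleartext.
_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.S)


def split_scheme(stored):
    """Return (scheme, data); a value without a '{...}' prefix is literal cleartext."""
    m = _SCHEME_RE.match(stored)
    if not m:
        return ("CLEARTEXT", stored)
    return (m.group(1).upper(), m.group(2))


def make_sha(password):
    """{SHA}: base64(sha1(password))."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def make_ssha(password, salt=None):
    """{SSHA}: base64(sha1(password + salt) + salt). Random 4-byte salt unless one is given."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_password(stored, candidate):
    """Check a cleartext candidate against one userPassword value, dispatching on its scheme."""
    scheme, data = split_scheme(stored)
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(data.encode(), candidate.encode())
    if scheme == "SHA":
        return hmac.compare_digest(base64.b64decode(data),
                                   hashlib.sha1(candidate.encode()).digest())
    if scheme == "SSHA":
        raw = base64.b64decode(data)
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(digest, hashlib.sha1(candidate.encode() + salt).digest())
    if scheme == "CRYPT":
        if crypt is None:
            raise RuntimeError("crypt(3) is not available in this interpreter")
        # crypt(3) reads the salt from the stored string, so re-hashing and comparing works
        return hmac.compare_digest(crypt.crypt(candidate, data).encode(), data.encode())
    return False  # unknown scheme: refuse rather than guess


# Constructed directory keyed by DN. "uid=typo" reproduces the mistyped value from the
# thread: with "(crypt)" instead of "{crypt}" there is no scheme, so the whole string
# becomes the literal cleartext password.
DIRECTORY = {
    "uid=mike,ou=people,dc=example,dc=org": make_ssha("correct horse", salt=b"\x01\x02\x03\x04"),
    "uid=plain,ou=people,dc=example,dc=org": make_sha("correct horse"),
    "uid=typo,ou=people,dc=example,dc=org": "(crypt)" + SAMPLE_HASH,
    "uid=des,ou=people,dc=example,dc=org": "{crypt}" + SAMPLE_HASH,
}


def simple_bind(dn, password, directory=DIRECTORY):
    """Server side of an LDAP simple bind: the client's cleartext password is compared
    against the stored userPassword. Nothing here protects it in transit; that is the
    job of TLS (start_tls) on the connection."""
    stored = directory.get(dn)
    if stored is None:
        return False
    return verify_password(stored, password)


if __name__ == "__main__":
    for dn in DIRECTORY:
        try:
            print(dn, "->", simple_bind(dn, "correct horse"))
        except RuntimeError as exc:
            print(dn, "->", exc)
```

Run against the constructed directory, the SSHA and SHA entries accept "correct horse", the `{crypt}` entry is checked with crypt(3) where available, and the `(crypt)` entry accepts only the literal string "(crypt)rPjsdFT9er*6o", which is exactly why the mistyped notation in the question broke authentication while cleartext values kept working.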