O.K., I've almost got this working...

The LDAP stores the NT password in a field called 'ntpassword'. It is stored as a standard NT-hash - '8846F7...'. I've modified the LDAP module section so that it uses 'password_attribute = ntpassword'.

Now, if I stick 'password' (un-hashed) into the ntpassword attribute in the LDAP, I can authenticate as 'leap_test' (that's my test user) with the password 'password'. However, if I reset the password attribute to the hashed NT password, it fails with:

Rlm_eap_leap: FAILED incorrect NtChallengeResponse from AP.

So, it seems that my problem has to do with the fact that the leap module isn't aware that the password in the LDAP is hashed as an NT password. My guess is that folks who use a smbpass file to authenticate LEAP would have the same situation.

Has anyone else run into this? I will be most grateful to those who can offer suggestions, sympathy, or a cold beer to assist me with this.

Bryan Woods
Pomona Unified School District

-----Original Message-----
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 14, 2003 8:12 AM
To: [EMAIL PROTECTED]
Subject: Re: LEAP, LDAP & NT-password

"Woods, Bryan" <[EMAIL PROTECTED]> wrote:
> Since my "real" users are in the LDAP, I won't be using the 'users'
> file. So where do I define the Auth-Type? And what value should it be
> set to?

  You don't define the Auth-Type. The server will figure it out on its own.

> And I'm guessing that I can setup the ldap section of 'modules' to use
> the 'password_attribute' in which we store the ntPassword? Does that
> sound correct?

  I don't use LDAP, but it sounds reasonable. Try it and see.

  Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
