I will give it another try. I've been trying to the last hour to get the clear text password policy to stick to a user. Every time I run the radius debug I see hashed value passed from LDAP. I have to search online for the instructions on how to get 389-ds server to use clear text. Thanks for all the help and advice all. This is one of the most responsive lists that I have ever been a member of
-----Original Message----- From: freeradius-users-bounces+midnightsteel=msn....@lists.freeradius.org [mailto:freeradius-users-bounces+midnightsteel=msn....@lists.freeradius.org] On Behalf Of John Dennis Sent: Wednesday, October 27, 2010 7:44 PM To: FreeRadius users mailing list Cc: Sven Hartge Subject: Re: Wireless WPA2 enterprise Radius authentication On 10/27/2010 07:11 PM, Sven Hartge wrote: > You need a password in the clear in your LDAP directory, not hashed. I > use a different (self defined) attribute in my LDAP directory to do > this and use ldap.attrmap to map this attribute (called > gifb-NetzPassword in my > schema) to the required RADIUS-Attribute-Name: > > checkItem Cleartext-Password gifb-NetzPassword Sven knows this but probably just forgot to mention this. No matter which ldap attribute you choose to store the clear text password in make sure it is absolutely locked down with LDAP ACI's (Access Controls). Consult your LDAP documentation for the exact syntax since it tends to vary with different servers. The ACI should permit only the LDAP administrator and the radius user (the special user account assigned exclusively to the radius *server*) to access the password attribute. You may additionally provide an extra level of protection if some one gets access to the actual disk files (or backup's) of the LDAP store by asking your ldap server to reversibly encrypt the attribute used to store the cleartext password. Not all LDAP servers have this feature but many do. Finally, many people would argue it's never a good idea to store cleartext passwords under any circumstance. There is much validity to that argument and you should give it careful consideration. Another option besides storing cleartext is to use a multivalued LDAP attribute with different hashes, including the nt hash. But whether you go the cleartext route or the multivalued password attribute route you'll have to get your users to renter their passwords so you can generate the hashes. Consult your LDAP documentation, many LDAP servers can be configured when storing a password to generate a variety of hashes and then throw the cleartext away leaving only the specified hashes in LDAP. -- John Dennis <[email protected]> Looking to carve out IT costs? www.redhat.com/carveoutcosts/ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
