On Wed, Mar 7, 2012 at 1:53 AM, Fajar A. Nugraha <[email protected]> wrote:
> On Wed, Mar 7, 2012 at 12:32 AM, Stefano Zanmarchi <[email protected]> wrote:
>> Hi,
>> my aim is to have eap-ttls/pap working using an openldap user database with MD5
>> hashed passwords. I got it working configuring ldap parameters in /etc/raddb/modules/ldap
>> and applying two changes in /etc/raddb/sites-available/inner-tunnel:
>> 1) uncommented "ldap" in the authorize section
>> 2) uncommented these lines in the authenticate section:
>> Auth-Type LDAP {
>>     ldap
>> }
>> Am I doing it right?
>
> The documentation advised against that.
>
> Instead, you should find out which LDAP attribute stores your MD5-password, add the correct mapping to ldap.attrmap, and leave Auth-Type section commented-out.
>
> It shouldn't affect the result though, since you don't have cleartext-password stored in LDAP.
I should've said "It shouldn't affect the result FOR YOU, since you don't have cleartext-password stored in LDAP, and only have MD5 hash". If you have NT-hash version of the password stored instead, then the choice of forcing auth-type or not means the difference between being able to use (EAP-)MSCHAPv2 or not.

--
Fajar

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
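To make the point above concrete, here is an added example (my own code, not from this thread or from FreeRADIUS) that mimics what the ldap and pap modules do when Auth-Type is left alone: the RFC 2307 `userPassword` value is split into the FreeRADIUS control attribute it corresponds to (the pap module does this itself when `auto_header` is on), PAP is verified by re-hashing the tunnelled cleartext, and a small check shows why an MD5 hash only gets you PAP while an NT hash also allows MS-CHAPv2. The sample hashes are constructed inline; NT hashes are left out of the hashing code because Python's hashlib may not provide MD4.

```python
import base64
import hashlib
import hmac

# RFC 2307 scheme prefix -> FreeRADIUS control attribute the pap module's
# auto_header option creates for it (names as in FreeRADIUS's dictionary).
SCHEME_TO_ATTR = {"MD5": "MD5-Password", "SMD5": "SMD5-Password",
                  "SHA": "SHA-Password", "SSHA": "SSHA-Password",
                  "CLEAR": "Cleartext-Password"}
DIGEST = {"MD5": (hashlib.md5, 16), "SMD5": (hashlib.md5, 16),
          "SHA": (hashlib.sha1, 20), "SSHA": (hashlib.sha1, 20)}

def make_userpassword(scheme, cleartext, salt=b""):
    """Build a hashed value as OpenLDAP stores it: base64(digest(pw+salt)+salt).
    Only used here to construct sample directory entries for the demo."""
    algo, _ = DIGEST[scheme]
    digest = algo(cleartext.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())

def split_userpassword(stored):
    """(control attribute, payload): what ldap + pap hand to authenticate."""
    if stored.startswith("{") and "}" in stored:
        scheme, payload = stored[1:].split("}", 1)
        attr = SCHEME_TO_ATTR.get(scheme.upper())
        if attr is None:
            raise ValueError("unsupported userPassword scheme: " + scheme)
        return attr, payload
    return "Cleartext-Password", stored

def verify_pap(stored, cleartext):
    """PAP: the cleartext arrives inside the TTLS tunnel, so the server can
    re-hash it (with the stored salt, if any) and compare. Any scheme works."""
    attr, payload = split_userpassword(stored)
    if attr == "Cleartext-Password":
        return hmac.compare_digest(payload.encode(), cleartext.encode())
    algo, dlen = DIGEST[attr.split("-")[0]]
    raw = base64.b64decode(payload)
    digest, salt = raw[:dlen], raw[dlen:]
    return hmac.compare_digest(algo(cleartext.encode() + salt).digest(), digest)

def inner_methods(control):
    """Inner EAP-TTLS methods the server can complete with the control
    attributes it holds. MS-CHAPv2 is a challenge/response over the NT hash,
    so an MD5 or SHA hash alone cannot answer it; only PAP remains."""
    have = set(control)
    methods = set()
    if have & (set(SCHEME_TO_ATTR.values()) | {"NT-Password"}):
        methods.add("PAP")
    if have & {"Cleartext-Password", "NT-Password"}:
        methods.add("MSCHAPv2")
    return methods
```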

