Re: Authentification link with PEAP + PAM + LDAP
"thomas hahusseau" <[EMAIL PROTECTED]> wrote:
> So I wonder if that kind of authentication is possible.
>
> PEAP(MsCHAP) request --> Freeradius server (extract the hashed
> password )

There is NO hashed password in MSCHAP. Extraction is IMPOSSIBLE.

> PAM is used as mediator to permit comparison with hashed stocked in OpenLDAP.

PAM is not a magic solution that lets you do something FreeRADIUS can't. PAM does a lot LESS than FreeRADIUS, in fact.

> My boss only wants cipher/hashed password and login.

As Joe said, store NT-Password in LDAP.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authentification link with PEAP + PAM + LDAP
On 7 Jun 2006, at 13:07, thomas hahusseau wrote:

> Hello,
>
> Finally my boss is not interested in a PEAP authentication due to password and login stocked in clear in the OpenLDAP database, and he doesn't want to use the ntlm_auth to ask an Active Directory Server.
>
> So I wonder if that kind of authentication is possible.
>
> PEAP(MsCHAP) request --> Freeradius server (extract the hashed password ) --> Authentication request sent to PAM (login + Hashed password ) via rlm_auth ---> OpenLDAP Server ( compare hashed password received with the one stocked in database )

You don't need to use PAM - in fact, I don't think it's possible. Store your users' passwords in the NTLM hash, and authenticate directly from FreeRADIUS to LDAP.

josh.

> PAM is used as mediator to permit comparison with hashed stocked in OpenLDAP.
>
> My boss only wants cipher/hashed password and login.

Josh Howlett, Networking Specialist, University of Bristol.
email: [EMAIL PROTECTED] | phone: +44 (0)7867 907076 | internal: 7850
Authentification link with PEAP + PAM + LDAP
Hello,

Finally my boss is not interested in a PEAP authentication due to password and login stocked in clear in the OpenLDAP database, and he doesn't want to use the ntlm_auth to ask an Active Directory Server.

So I wonder if that kind of authentication is possible.

PEAP(MsCHAP) request --> Freeradius server (extract the hashed password ) --> Authentication request sent to PAM (login + Hashed password ) via rlm_auth ---> OpenLDAP Server ( compare hashed password received with the one stocked in database )

PAM is used as mediator to permit comparison with hashed stocked in OpenLDAP.

My boss only wants cipher/hashed password and login.