(RADIATOR) LDAP Attribute manipulation via PostSearchHook

Hugh Irvine hugh at open.com.au
Mon Jul 24 21:56:28 CDT 2006


Hello Bryan -

I would have thought that it would make more sense to fix the data in
your LDAP database for both forms of passwords, i.e. remove the
"{crypt}" from the Linux passwords and the "0x" from the NT
passwords. Then you won't have to complicate your Radiator
configuration.

regards

Hugh


On 25 Jul 2006, at 02:43, Woods, Bryan wrote:

> I'm trying to authenticate against openLDAP (AuthBy LDAP2) using an
> NT-hashed password.  For whatever reason, my LDAP stores the NT-hashed
> password with a prefix of '0x', not the {nthash} that RADIATOR is
> expecting.
>
> Based on what I have found in the docs and list archives, I understand
> that I need to use the PostSearchHook clause to manipulate the LDAP
> attribute (the LDAP attribute is called 'ntpassword').  When I replaced
> the '0x' prefix with '{nthash}' directly in LDAP, I can authenticate just
> fine.  And I managed to find the config snippet in the list archives
> that's supposed to prefix the '{nthash}' as part of the PostSearchHook
> part:
>
> 		PostSearchHook sub {my $ntpassword = $_[3]->get_check->get_attr('ntpassword');\
> 		$_[3]->get_check->change_attr('ntpassword', "{nthash}$ntpassword");}
>
> I also included this line in my config as the docs suggested was
> necessary:
>
> 		AuthAttrDef ntpassword,GENERIC,request
>
> But what I need to do is have this PostSearchHook clip the '0x' off the
> front of the ntpassword attribute and then add the '{nthash}' piece.  Can
> someone offer a little help in figuring out what the PostSearchHook
> should look like?
>
> Thanks,
>
> Bryan Woods
> Assistant System Administrator
> Pomona Unified School District
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
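For readers who cannot change the directory data as Hugh suggests, here is an added example (not from this thread, and not Radiator's own code) of a PostSearchHook that does what Bryan asked for: it strips a leading '0x' from the ntpassword check item and prefixes '{nthash}'. It uses the $_[1] user name and the $_[3] User object with get_check/get_attr/change_attr exactly as in the snippet Bryan posted, and assumes the LDAP attribute has already been mapped to a check item named 'ntpassword' by his configuration. Everything else is an assumption: that the hook is loaded from a separate file with Radiator's file: form (which avoids backslash line continuation and allows normal Perl comments), that Radius::AttrVal provides delete_attr, and that &main::log with $main::LOG_WARNING is the hook logging convention. The 32-hex-digit check is the practitioner's caveat: a value that is not a well-formed NT hash is dropped so the authentication fails closed, and the hash itself is never written to the log because it is a password-equivalent credential.

```perl
# ntpassword_hook.pl  (added example, not from the thread or from Radiator itself)
#
# Referenced from the AuthBy LDAP2 clause with the file: form of a hook
# (assumed here), e.g.
#     PostSearchHook file:"%D/ntpassword_hook.pl"
# which keeps the Perl out of the config file, so ordinary comments can be
# used without worrying about backslash line continuation.
#
# Radiator calls the hook once per matching LDAP entry with, among others:
#   $_[1]  the user name being looked up
#   $_[3]  the User object whose check items were built from the entry
# (the same $_[3]->get_check->get_attr/change_attr calls as in the posted
# snippet). We assume the directory's ntpassword attribute has been mapped
# to a check item called 'ntpassword' by the AuthAttrDef in the config.
sub {
    my ($user_name, $user) = ($_[1], $_[3]);
    my $check = $user->get_check;
    my $nt    = $check->get_attr('ntpassword');

    # Entry has no ntpassword: leave the check items exactly as Radiator built them.
    return unless defined $nt;

    $nt =~ s/^\s+|\s+$//g;          # stray whitespace from hand edits
    $nt =~ s/^\{nthash\}//i;        # tolerate entries already fixed in the directory
    $nt =~ s/^0x//i;                # drop the '0x' prefix this directory stores

    # A raw NT hash is exactly 32 hex digits. Anything else is bad data, and the
    # safe outcome is an authentication failure, not a check item that can never
    # match (or a prefix Radiator might interpret as some other password form).
    unless ($nt =~ /^[0-9A-Fa-f]{32}\z/) {
        &main::log($main::LOG_WARNING,
            "ntpassword for $user_name is not a 32-digit hex NT hash; removing it");
        $check->delete_attr('ntpassword');   # assumed Radius::AttrVal method
        return;
    }

    # Rewrite the check item in the form Radiator expects. Never log $nt itself:
    # an NT hash is a password-equivalent credential.
    $check->change_attr('ntpassword', "{nthash}$nt");
}
```

Because the hook first strips any existing '{nthash}' prefix and then re-adds it, it is safe to leave in place while the directory is being cleaned up entry by entry: entries that have already been fixed by hand and entries that still carry '0x' both end up as {nthash} followed by 32 hex digits.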

