(RADIATOR) LDAP Attribute manipulation via PostSearchHook

Woods, Bryan Bryan.Woods at pomona.k12.ca.us
Tue Jul 25 08:06:30 CDT 2006


Good point, Hugh.

I now recall that we had asked our LDAP vendor (iSilver) to modify their
password creation/modification routines to specifically prepend "0x" to the
"ntpassword" attribute.  It seemed that this was the only way to get LEAP
authentication to work properly with freeRADIUS (what we've been using up to
now).

I've sent them a support request to change things so that "ntpassword" gets
prefixed with "{nthash}" instead of "0x".  Then I won't even have to bother
with the PostSearchHook!


Thanks for the feedback,

Bryan 

> -----Original Message-----
> From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On Behalf Of Hugh Irvine
> Sent: Monday, July 24, 2006 7:56 PM
> To: Woods, Bryan
> Cc: radiator at open.com.au
> Subject: Re: (RADIATOR) LDAP Attribute manipulation via PostSearchHook
> 
> 
> Hello Bryan -
> 
> I would have thought that it would make more sense to fix the 
> data in your LDAP database for both forms of passwords. Ie. 
> remove the "{crypt}" from the Linux passwords and the "0x" 
> from the NT passwords. Then you won't have to complicate your 
> Radiator configuration.
> 
> regards
> 
> Hugh
> 
> 
> On 25 Jul 2006, at 02:43, Woods, Bryan wrote:
> 
> > I'm trying to authenticate against openLDAP (AuthBy LDAP2) using an
> > NT-hashed password.  For whatever reason, my LDAP stores the NT-hashed
> > password with a prefix of '0x', not the {nthash} that RADIATOR is
> > expecting.
> >
> > Based on what I have found in the docs and list archives, I understand that
> > I need to use the PostSearchHook clause to manipulate the LDAP attribute
> > (the LDAP attribute is called 'ntpassword').  When I replaced the '0x'
> > prefix with '{nthash}' directly in LDAP, I can authenticate just fine.  And
> > I managed to find the config snippet in the list archives that's supposed to
> > prefix the '{nthash}' as part of the PostSearchHook part:
> >
> > 		PostSearchHook sub {my $ntpassword = $_[3]->get_check->get_attr('ntpassword');\
> > 		$_[3]->get_check->change_attr('ntpassword', "{nthash}$ntpassword");}
> >
> > I also included this line in my config as the docs suggested was necessary:
> >
> > 		AuthAttrDef ntpassword,GENERIC,request
> >
> > But what I need to do is have this PostSearchHook clip the '0x' off the
> > front of the ntpassword attribute and then add the '{nthash}' piece.  Can
> > someone offer a little help in figuring out what the PostSearchHook should
> > look like?
> >
> > Thanks,
> >
> > Bryan Woods
> > Assistant System Administrator
> > Pomona Unified School District
> >
> > --
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with
> > 'unsubscribe radiator' in the body of the message.
> 
> 
> 
> NB:
> 
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
> 
> 
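
The rewrite asked for in the quoted question (clip the '0x', then add '{nthash}') comes down to one string normalisation. The Perl below is an added example, not code from this thread or from Radiator: normalize_nt_hash and the sample values are hypothetical, and only the get_check / get_attr / change_attr calls named in its comment are taken from the snippet quoted above.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not part of Radiator): convert the "0x<hex>" form of an
# NT hash into the "{nthash}<hex>" form discussed in the thread.
# Returns undef for anything that is not a 32-hex-digit NT hash, so a caller
# can leave the attribute alone rather than store a malformed check item.
sub normalize_nt_hash {
    my ($value) = @_;
    return unless defined $value;

    $value =~ s/^\s+|\s+$//g;    # tolerate surrounding whitespace

    # Already in the expected form: pass through unchanged.
    return $value if $value =~ /\A\{nthash\}[0-9A-Fa-f]{32}\z/;

    # "0x" (or "0X") followed by exactly 32 hex digits: swap the prefix.
    return "{nthash}$1" if $value =~ /\A0x([0-9A-Fa-f]{32})\z/i;

    return;                      # wrong length, wrong prefix or non-hex data
}

# Inside the hook quoted in the thread, the helper would sit between the two
# calls that snippet already uses (assumption: same argument layout):
#   my $fixed = normalize_nt_hash($_[3]->get_check->get_attr('ntpassword'));
#   $_[3]->get_check->change_attr('ntpassword', $fixed) if defined $fixed;

# Constructed sample values, not real hashes.
my @samples = (
    '0x0123456789ABCDEF0123456789ABCDEF',         # vendor form
    '{nthash}0123456789ABCDEF0123456789ABCDEF',   # already converted
    '0x0123456789ABCDEF',                         # truncated value
    '{crypt}abcdefghijklm',                       # a different scheme
);

for my $sample (@samples) {
    my $fixed = normalize_nt_hash($sample);
    printf "%-45s -> %s\n", $sample,
        defined $fixed ? $fixed : '(left unchanged)';
}
```

Checking the length and hex alphabet before rewriting keeps a truncated or differently encoded value from being presented to the server as an NT hash.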
