[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Where is info about {KERBEROS} ?

To: Adam Williams6 <awilliam@whitemice.org>
Subject: Re: Where is info about {KERBEROS} ?
From: Jan-Piet Mens <jpm@Retail-SC.com>
Date: Mon, 15 Apr 2002 16:25:30 +0200 (CEST)
Cc: OpenLDAP-software@OpenLDAP.org
In-reply-to: <Pine.LNX.4.44.0204151003350.27470-100000@estate1.whitemice.org>

any ideas for a Unix-only shop ? :-) Cisco routers, XT-Radius daemon, OpenLDAP
and no PDC.


On Mon, 15 Apr 2002, Adam Williams6 wrote:

> >>This is simply no way of getting the password back, and to be blunt, you
> >>don't want there to by any way to do that.
> >If you don't allow clear-text passwords back, how do you design a system where
> >you have a RADIUS daemon which requires the clear password to do CHAP (not PAP)
> >authentication ?
>
> Use M$-CHAPv2.  It is a challenge-response protocol but will work with an
> NT password hash (almost clear text).  If your PDC is samba with
> ldapsam then you simply design the ACL to permist the daemon (radius, ppp,
> whatever) to *read* the ntpassword attribute.   Recent pppd(s) support
> M$-CHAPv3, I don't know anything about radius.  I assume you could dig the
> NT hash out of ADS somehow, but I don't kow anything about ADS.

References:
- Re: Where is info about {KERBEROS} ?
  - From: Adam Williams6 <awilliam@whitemice.org>

Prev by Date: Strong Auth with openldap. (Weird behaviour !)
Next by Date: Re: partial replication
Index(es):
- Chronological
- Thread