
Re: Radius authentication and storing passwords in cleartext



On Thursday, 23 July 2009 20:13:48 Eric Bourkland wrote:
> I have zimbra openLDAP v2.3.43 running on RHEL4.7 ES and I am trying to
> connect our freeRadius server to authenticate against LDAP.  I have also
> being trying to stand up plain openLDAP v2.4.17 to see if I can get that to
> work. FreeRADIUS requires PEAP/CHAPv2 to authenticate,

No, FreeRADIUS can bind to the directory to validate clear-text passwords. 
However, if you require PEAP/CHAPv2, then you need a valid mechanism for 
generating a CHAPv2 challenge.

> which means it
> needs to be handed a clear text password in order to work.

No, CHAPv2 challenges can be generated from an NT password hash, such as those 
used by samba. FreeRADIUS supports this, using e.g. the sambaNTPassword 
attribute.

I don't think zimbra ships the smbk5pwd overlay in their OpenLDAP packages 
(even though there is a zimbra extension for Samba), but if they did, this 
would provide an easy means of ensuring that the sambaNTPassword hashes are 
kept up-to-date.

> Yes, I know in
> general this is not a good idea. How can I configure openLDAP to store
> passwords (userpassword attribute) in cleartext. Or at the very least
> create a script that will be able to take the encrypted password and store
> it in cleartext as another attribute.

In other words, brute-force the passwords? That would take a long time.

I assume what you are trying to do here is WPA2 with PEAP/MSCHAPv2. I found 
this quite easy to implement on an existing OpenLDAP directory that was 
already being used for samba, with no clear text passwords for users anywhere.

Regards,
Buchan
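
The point made above, that an MS-CHAPv2 (RFC 2759) server needs the NT hash and not the cleartext, as an added worked example. This is not code from the thread, from FreeRADIUS, Samba or Zimbra; it is pure Python 3 with no third-party modules. It implements MD4 itself because hashlib's md4 is frequently unavailable on OpenSSL 3 builds, and it leaves out the NT-Response computation, which additionally needs single DES (absent from the standard library); in its place the NT-Response from the RFC 2759 section 9.2 test vectors is fed into the final authenticator-response step. The user name, password and challenges are likewise the RFC 2759 test vectors, not values from the thread.

```python
"""NtPasswordHash and the hash-only steps of MS-CHAPv2 (RFC 2759), pure Python 3.

Added example. Everything the server computes here starts from the unsalted
MD4 of the UTF-16LE password, i.e. the value Samba keeps in sambaNTPassword.
The NT-Response (three single-DES encryptions of the ChallengeHash under keys
derived from that same hash) is not implemented, since the stdlib has no DES;
the RFC 2759 test-vector NT-Response is used as input to the last step instead.
"""
import hashlib
import struct

_MASK = 0xFFFFFFFF


def _rotl(x: int, s: int) -> int:
    return ((x << s) | (x >> (32 - s))) & _MASK


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320 (hashlib's md4 is often missing on OpenSSL 3)."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    # (function, word order, per-step shifts, additive constant) for rounds 1-3
    rounds = (
        (f, tuple(range(16)), (3, 7, 11, 19), 0),
        (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, order, shifts, const in rounds:
            for i, k in enumerate(order):
                t = (a + fn(b, c, d) + x[k] + const) & _MASK
                # rotate the registers so the next step's target is "a" again
                a, b, c, d = d, _rotl(t, shifts[i % 4]), b, c
        a, b, c, d = (a + aa) & _MASK, (b + bb) & _MASK, (c + cc) & _MASK, (d + dd) & _MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NtPasswordHash: MD4 over the UTF-16LE password, with no salt."""
    return md4(password.encode("utf-16-le"))


def samba_nt_password_attr(password: str) -> str:
    """The hex form Samba stores in the sambaNTPassword attribute."""
    return nt_hash(password).hex().upper()


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash: SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[:8]."""
    return hashlib.sha1(peer_challenge + auth_challenge + username.encode()).digest()[:8]


def authenticator_response(password_hash: bytes, nt_response: bytes, challenge: bytes) -> str:
    """RFC 2759 GenerateAuthenticatorResponse; needs only the NT hash, never the password."""
    magic1 = b"Magic server to client signing constant"
    magic2 = b"Pad to make it do more than one iteration"
    password_hash_hash = md4(password_hash)  # HashNtPasswordHash
    digest = hashlib.sha1(password_hash_hash + nt_response + magic1).digest()
    digest = hashlib.sha1(digest + challenge + magic2).digest()
    return "S=" + digest.hex().upper()


# RFC 2759 section 9.2 test vectors (taken from the RFC, not constructed here).
RFC2759_USER = "User"
RFC2759_PASSWORD = "clientPass"
RFC2759_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC2759_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC2759_NT_RESPONSE = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")

if __name__ == "__main__":
    print("sambaNTPassword:", samba_nt_password_attr(RFC2759_PASSWORD))
    ch = challenge_hash(RFC2759_PEER_CHALLENGE, RFC2759_AUTH_CHALLENGE, RFC2759_USER)
    print("ChallengeHash:  ", ch.hex().upper())
    print("Authenticator:  ", authenticator_response(nt_hash(RFC2759_PASSWORD), RFC2759_NT_RESPONSE, ch))
```

The caveat that follows from the code: because sambaNTPassword is an unsalted, fast hash of the password and is sufficient on its own to answer MS-CHAPv2 challenges, it is password-equivalent. It should be protected in the directory the way a cleartext userPassword would be, i.e. readable only by the RADIUS server's bind DN over TLS, and never exposed to ordinary users or anonymous binds.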