Re: Digest authentication over FreeRadius against an LDAP server (FreeRADIUS Users forum, Networking and Network Related category)
Alan DeKok wrote:
> "A. Burak Gurdag" <bgurdag@gmail.com> wrote:
>
>>I can manage to do digest authentication (according to
>>sterman-draft-00) over FreeRadius against an LDAP server in which user
>>passwords are stored in cleartext. I would like to store passwords in
>>SSHA or MD5 encoded form in the LDAP server. But it does not seem
>>possible since FreeRadius has no way to know the password to calculate
>>the digest to authenticate. Am I wrong?
>
> You're right. It's impossible.
>
>>Do I have to delegate the digest calculation and verification to the
>>LDAP server to achieve this (in this case I have to put my focus on
>>the LDAP server that I use)?
>
> You can't. The LDAP server has no more information than FreeRADIUS
> has, and therefore can't do anything different.
>
> And there are *no* LDAP servers that can do digest authentication.
> That I can guarantee.
>
>>Is there another way that you can suggest?
>
> Store clear-text passwords in LDAP.
>
> Alan DeKok.
>

Or use EAP-TTLS/PAP to get a clear text password from your clients and use encrypted passwords in LDAP.

--Craig

--
/ Craig Huckabee        | e-mail: huck@spawar.navy.mil /
/ Code 715-CH           | phone: (843) 218 5653 /
/ SPAWAR Systems Center | close proximity: "Hey You!" /
/ Charleston, SC        | ICBM: 32.78N, 79.93W /
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
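The point made in the thread above, as an added example that is not part of the original posts and is not FreeRADIUS code: a digest check has to recompute the response from the stored password, so an {SSHA} value in the directory cannot stand in for it, while a cleartext password delivered by the client (the PAP-inside-EAP-TTLS case) can be checked against {SSHA}. The formula is the RFC 2617 response without qop; the user, realm, nonce, URI and password are constructed sample values.

```python
import base64
import hashlib
import hmac

def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, realm, secret, method, uri, nonce):
    """RFC 2617 digest response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5hex(f"{user}:{realm}:{secret}")   # needs the password itself
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")

def verify_digest(stored_secret, user, realm, method, uri, nonce, response):
    """Server side: recompute the response from whatever the directory holds."""
    expected = digest_response(user, realm, stored_secret, method, uri, nonce)
    return hmac.compare_digest(expected, response)

def ssha_hash(password: str, salt: bytes) -> str:
    """LDAP {SSHA}: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(stored: str, candidate: str) -> bool:
    """PAP-style check: hash the cleartext the client sent with the stored salt."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(digest, hashlib.sha1(candidate.encode() + salt).digest())

# Constructed sample values, not taken from the thread.
USER, REALM, PASSWORD = "alice", "example.org", "constructed-password"
METHOD, URI, NONCE = "REGISTER", "sip:example.org", "3f2a9c01d4"
STORED_SSHA = ssha_hash(PASSWORD, b"\x01\x02\x03\x04")

def demo() -> dict:
    args = (USER, REALM, METHOD, URI, NONCE)
    # What a client that knows the password would send for this nonce.
    response = digest_response(USER, REALM, PASSWORD, METHOD, URI, NONCE)
    return {
        "digest_vs_cleartext": verify_digest(PASSWORD, *args, response),
        "digest_vs_ssha": verify_digest(STORED_SSHA, *args, response),
        "pap_vs_ssha": ssha_verify(STORED_SSHA, PASSWORD),
        "wrong_pap_vs_ssha": ssha_verify(STORED_SSHA, "not-the-password"),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {ok}")
```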