[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Where is info about {KERBEROS} ?

To: Jan-Piet Mens <jpm@Retail-SC.com>
Subject: Re: Where is info about {KERBEROS} ?
From: Adam Williams6 <awilliam@whitemice.org>
Date: Mon, 15 Apr 2002 10:06:57 -0400 (EDT)
Cc: OpenLDAP-software@OpenLDAP.org
In-reply-to: <Pine.LNX.4.43.0204151410210.2340-100000@mambox.intdus.retail-sc.com>

>>This is simply no way of getting the password back, and to be blunt, you
>>don't want there to by any way to do that.
>If you don't allow clear-text passwords back, how do you design a system where
>you have a RADIUS daemon which requires the clear password to do CHAP (not PAP)
>authentication ?

Use M$-CHAPv2.  It is a challenge-response protocol but will work with an 
NT password hash (almost clear text).  If your PDC is samba with 
ldapsam then you simply design the ACL to permist the daemon (radius, ppp, 
whatever) to *read* the ntpassword attribute.   Recent pppd(s) support 
M$-CHAPv3, I don't know anything about radius.  I assume you could dig the 
NT hash out of ADS somehow, but I don't kow anything about ADS.

-- 
-----------------------------------------------------------
Ximian GNOME, Evolution, LTSP, and RedHat Linux + LVM & XFS
-----------------------------------------------------------

Follow-Ups:
- Re: Where is info about {KERBEROS} ?
  - From: Jan-Piet Mens <jpm@Retail-SC.com>

Prev by Date: RE : RE : RE : Non ASCII char in dn?
Next by Date: partial replication
Index(es):
- Chronological
- Thread