
LDAP Password Comparison

The Password Comparison feature authenticates users against a hashed password stored in an optional LDAP attribute, instead of the standard password attribute. This feature is designed for Microsoft Active Directory user repositories.

The attribute containing the hashed password can be any user attribute in Active Directory. It must contain the hashed password in the format {HASH_TYPE}hashed_Password_Base64_Encoded (case-sensitive).

An account with appropriate permissions to read the specified attribute from Active Directory is required.


| Hash type | Description |
|-----------|-------------|
| {SHA} | SHA-1 hash algorithm |
| {SSHA} | Salted SHA |
| {CRYPT} | Unix crypt function |
| {MD5} | MD5 hash algorithm |
| {SMD5} | Salted MD5 algorithm |

The plain-text password must be UTF-8 encoded and the resulting hash must be Base64 encoded.


  1. Hash the UTF-8 plain-text password using one of the supported algorithms.

    Example — MD5 hash of “password”:

    5f4dcc3b5aa765d61d8327deb882cf99
  2. Base64 encode the hash output.

    Hex: 5f4dcc3b5aa765d61d8327deb882cf99
    Base64: X03MO1qnZdYdgyfeuILPmQ==
  3. Prepend the hash algorithm name in curly brackets. The hash type string is case-sensitive.

    Valid examples for the password “password”:

    • {SSHA}VtpoxGYLenxwGC88loHYDwb1SpqBbOb6c1OyZiyAQcgFYPPnqRFviA==
    • {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
    • {CRYPT}aajfMKNH1hTm2
    • {MD5}X03MO1qnZdYdgyfeuILPmQ==
    • {SMD5}swXK27O85U86pZxk/sAN6nNhbHQ=
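The three steps above as a Python sketch that builds an attribute value and checks a password against one. This is an added example, not the product's own code: the function names are hypothetical, the salted layout (digest of password followed by salt, with the salt appended after the digest before Base64 encoding) is assumed from the common OpenLDAP convention because the page does not state it, and {CRYPT} is left out.

```python
import base64
import hashlib
import hmac
import os

# Digest name and salted flag for each prefix handled here (case-sensitive keys).
SCHEMES = {
    "{MD5}": ("md5", False),
    "{SHA}": ("sha1", False),
    "{SMD5}": ("md5", True),
    "{SSHA}": ("sha1", True),
}


def make_value(scheme, password, salt=None):
    """Build '{SCHEME}base64' from a plain-text password (steps 1 to 3)."""
    algo, salted = SCHEMES[scheme]  # KeyError on an unknown or wrong-case prefix
    pw = password.encode("utf-8")   # the password must be UTF-8 encoded
    if not salted:
        salt = b""
    elif salt is None:
        salt = os.urandom(8)        # assumed salt length; any length decodes below
    digest = hashlib.new(algo, pw + salt).digest()
    return scheme + base64.b64encode(digest + salt).decode("ascii")


def check_value(stored, password):
    """Return True if the password matches the stored attribute value."""
    end = stored.find("}")
    scheme = stored[: end + 1]
    if not stored.startswith("{") or scheme not in SCHEMES:
        return False                # missing, unknown or wrong-case hash type
    algo, salted = SCHEMES[scheme]
    try:
        raw = base64.b64decode(stored[end + 1:], validate=True)
    except ValueError:
        return False                # payload is not valid Base64
    size = hashlib.new(algo).digest_size
    if len(raw) < size or (not salted and len(raw) != size):
        return False                # truncated digest or unexpected trailing bytes
    digest, salt = raw[:size], raw[size:]
    expected = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)  # constant-time comparison
```

For the unsalted types, `make_value("{MD5}", "password")` reproduces the `{MD5}` value listed above, which makes it a quick check that a value written to the attribute was encoded from the raw digest bytes rather than from the hex string.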

  1. Open the LDAP Server Configuration dialog.

  2. Select the Authentication tab.

  3. In the Password Override field, specify the Active Directory attribute that stores the hashed password.

    For example, using the physicalDeliveryOfficeName attribute:

    [Figure: Password Comparison configuration]

  4. Ensure the authentication type, mobile number, and/or token number settings are correct.

  5. Save the configuration.

After saving, RADIUS authentication will validate against the hashed password in the specified LDAP attribute.