Re: Feeding an LDAP replyItem to an MS-CHAPv2 ntlm_auth request

Haas Florian Florian.Haas at kapsch.net
Wed Jan 17 20:37:07 CET 2007


Hello. 

>   Why not?  There's a reason that the ntlm_auth configuration is
> editable in the mschap module.  Just edit it to do whatever you want.
> If all else fails, replace ntlm_auth with a Perl script that looks at
> the environment variables, and determines the proper arguments to use.

Ahem. From my original message you may have read that your suggestion describes
precisely what I am trying to implement, and that modifying the parameters
passed to ntlm_auth is exactly my intention.

I also understand that I could use a wrapper script or possibly do all sorts of
things with %{exec:} and/or %{expr:}. I could also do some simple text mangling
with the User-Name attribute as passed by the XP supplicant. However, the most
elegant way of working around the servicePrincipalName that XP seems to provide
when no user is logged on[1], would be to query MSAD for the corresponding
sAMAccountName, and use that for NTLM authentication.

I could write some Perl or Python or shell script that retrieves that
information from MSAD, invoke that script via %{exec:}, and put its output in
the ntlm_auth command arguments (or invoke it instead of ntlm_auth, for that
matter). However, it seems sort of ridiculous to run an additional LDAP query
for just that purpose, considering all the relevant information should already
be available to FreeRADIUS at that point.

So, to clarify my original question. What I want is this:

1. Put the value of an LDAP attribute (sAMAccountName) into a variable when the
user is authorized in LDAP.
2. Access that variable when the user is being authenticated via MS-CHAPv2, and
put it into the --username argument of ntlm_auth.

I do understand that this would require registering said variable in dictionary
and ldap.attrmap. I also understand that I need to set up a proper filter in the
configuration of the ldap module, for correct authorization of the "user" that's
being identified by its servicePrincipalName in this case. I have done all that.
What else would I need, if what I'm trying to do is at all possible?

Cheers,
Florian

[1] Yes, a rant about the XP supplicant providing "wrong" data in this case is
in order; however, that's not going to persuade my customer to switch to Ubuntu.
:-)
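One way to wire the two steps from the message above together in FreeRADIUS, given here as an added example that is neither part of this post nor FreeRADIUS's own shipped configuration. The attribute name MS-AD-SamAccountName, its number 3000, the ntlm_auth path and the servicePrincipalName filter are assumptions; the %{reply:...} xlat, the replyItem keyword in ldap.attrmap and the default ntlm_auth argument pattern are taken from FreeRADIUS 1.x of that era.

```text
# --- raddb/dictionary (site-local additions) ---
# Assumed name and number. 3000-3999 is the range FreeRADIUS reserves
# for local attributes; a plain (non-vendor) attribute above 255 is
# treated as internal and is assumed not to be encoded into the
# Access-Accept, so the value never reaches the NAS (verify with a
# capture on your version before relying on it).
ATTRIBUTE	MS-AD-SamAccountName	3000	string

# --- raddb/ldap.attrmap ---
# Step 1: when rlm_ldap authorizes the entry, copy its sAMAccountName
# into the reply list under the attribute defined above.
replyItem	MS-AD-SamAccountName	sAMAccountName

# --- raddb/radiusd.conf, ldap module (filter is an assumption; the
# post says this part is already done) ---
ldap {
	server = "dc.example.local"
	basedn = "dc=example,dc=local"
	# Look the machine up by the SPN the XP supplicant sends.
	filter = "(servicePrincipalName=%{Stripped-User-Name:-%{User-Name}})"
	dictionary_mapping = ${raddb}/ldap.attrmap
}

# --- raddb/radiusd.conf, mschap module ---
# Step 2: hand the looked-up sAMAccountName to ntlm_auth instead of the
# name the supplicant sent. If the LDAP lookup set nothing the argument
# is empty and ntlm_auth fails, i.e. the request is rejected rather than
# authenticated under an unrelated name.
mschap {
	authtype = MS-CHAP
	use_mppe = yes
	require_encryption = yes
	require_strong = yes
	with_ntdomain_hack = yes
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{reply:MS-AD-SamAccountName} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

# ldap must run in authorize so the reply item exists before the
# authenticate section calls mschap/ntlm_auth.
authorize {
	preprocess
	mschap
	ldap
}

authenticate {
	Auth-Type MS-CHAP {
		mschap
	}
}
```

With this in place a debug run (radiusd -X) should show rlm_ldap adding MS-AD-SamAccountName to the reply items during authorize, followed by the expanded ntlm_auth command line with that value in --username during authenticate; if --username expands to nothing, the ldap filter did not match the SPN and the reply item was never set.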
