LDAP Data Mangling

Kevin Ehlers kevin at uoregon.edu
Wed Sep 8 18:22:41 CEST 2010


On 9/3/10 2:30 PM, Alan DeKok wrote:
> Kevin Ehlers wrote:
>> Is it possible to modify attributes returned from ldap?  E.g. We're
>> trying to do wpa-enterprise with peap-mschapv2.  We store our nt hash
>> passwords as "{nthash}<hash>" instead of "{nt}<hash>".  It looks like
>> the mschap module doesn't auto-detect the hash-type correctly, and says
>> that it never received a valid password hash.  All authentication fails
>> at this point.
> 
>   The PAP module is the one which does the password mangling.
> 
>> We store it as {nthash} because that's what our other radius servers
>> (radiator) expect to see.
> 
>   I can add the {nthash} format for 2.1.10.  In the mean time, try
> putting this into the "authorize" section, just before the "pap" module:
> 
> 	if (control:User-Password =~ /^{nthash}(.*)/) {
> 		update control {
> 			User-Password := "{nt}%{1}"
> 		}
> 	}

Hi Alan,

Thanks for pointing me in the right direction.

I found a solution that works in the meantime by writing a Perl module.
I'm using the Perl module during the authorize section in the
inner-tunnel virtual server.  What it does is query LDAP, and get the
nt-password attribute from our LDAP server.  It then does a $nt-password
=~ /^{nthash}(.*)$/.  From there, I update the control packet
$RAD_CHECK{NT-Password} = $1.  And then it returns OK.

It looks like the ldap module rejects the password and doesn't store it
in the User-Password or NT-Password field.  I tried updating the
ldap.attrmap, and it still didn't store it.  When I tried the
control:User-Password =~ /regex/, there was nothing to match it to.

Thanks,

-- 
Kevin Ehlers
Network Engineer
University of Oregon
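The rlm_perl approach described in the message above, written out as an added example; this is not Kevin's module nor FreeRADIUS project code. It assumes a hypothetical LDAP URI, base DN and attribute name (ntPassword), an anonymous bind, and a uid-based lookup; the return-code constants are the ones rlm_perl's example.pl defines for FreeRADIUS 2.x. It goes slightly beyond the post in two ways: the prefix check also accepts "{nt}" and a bare 32-hex-digit hash, and it insists on exactly 32 hex digits so a malformed LDAP value is reported as not-found instead of being handed to rlm_mschap. The User-Name is passed through escape_filter_value so a crafted username cannot rewrite the LDAP search filter.

```perl
#!/usr/bin/perl
# rlm_perl module: fetch an NT hash stored as "{nthash}<hex>" from LDAP and
# hand it to rlm_mschap as the NT-Password control item.
# Added example; host, base DN and attribute name below are assumptions.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Hashes shared with rlm_perl (it populates/reads these in package main).
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);

# Return codes as defined in rlm_perl's example.pl (FreeRADIUS 2.x).
use constant RLM_MODULE_REJECT   => 0;
use constant RLM_MODULE_FAIL     => 1;
use constant RLM_MODULE_OK       => 2;
use constant RLM_MODULE_NOTFOUND => 6;
use constant RLM_MODULE_NOOP     => 7;

# Assumed site settings (not from the original post).
my $LDAP_URI = 'ldaps://ldap.example.org';
my $BASE_DN  = 'ou=people,dc=example,dc=org';
my $NT_ATTR  = 'ntPassword';   # assumed name of the attribute holding "{nthash}<hex>"

# Strip a "{nthash}" or "{nt}" prefix (or accept a bare hash) and require
# exactly 32 hex digits, which is what rlm_mschap expects in NT-Password.
# Returns the bare hex hash, or undef if the stored value is unusable.
sub normalize_nthash {
    my ($value) = @_;
    return undef unless defined $value;
    $value =~ s/^\s+|\s+$//g;
    if ($value =~ /^(?:\{nthash\}|\{nt\})?([0-9a-f]{32})$/i) {
        return $1;
    }
    return undef;
}

# Called from the "authorize" section of the inner-tunnel virtual server.
sub authorize {
    my $user = $RAD_REQUEST{'User-Name'};
    return RLM_MODULE_NOOP unless defined $user && length $user;

    my $ldap = Net::LDAP->new($LDAP_URI)
        or return RLM_MODULE_FAIL;
    my $msg = $ldap->bind;   # anonymous bind; use a service account in practice
    return RLM_MODULE_FAIL if $msg->code;

    # Escape the user-supplied name so it cannot alter the filter.
    my $filter = sprintf('(uid=%s)', escape_filter_value($user));
    my $res = $ldap->search(
        base   => $BASE_DN,
        scope  => 'sub',
        filter => $filter,
        attrs  => [$NT_ATTR],
    );
    $ldap->unbind;
    return RLM_MODULE_FAIL     if $res->code;
    return RLM_MODULE_NOTFOUND unless $res->count == 1;

    my $hash = normalize_nthash($res->entry(0)->get_value($NT_ATTR));
    return RLM_MODULE_NOTFOUND unless defined $hash;

    # rlm_mschap reads NT-Password from the control list.
    $RAD_CHECK{'NT-Password'} = $hash;
    return RLM_MODULE_OK;
}

# Remaining rlm_perl entry points are no-ops for this module.
sub authenticate { return RLM_MODULE_NOOP; }
sub preacct      { return RLM_MODULE_NOOP; }
sub accounting   { return RLM_MODULE_NOOP; }
sub post_auth    { return RLM_MODULE_NOOP; }
sub detach       { return RLM_MODULE_OK; }

1;
```

Load the file via the `perl` module's `module =` setting and list `perl` in the inner-tunnel `authorize` section before `mschap`; the lookup runs per inner-tunnel request, so on a busy server you would want a persistent or pooled LDAP connection rather than the connect-per-call shown here.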