MSCHAPV2 + OpenLDAP

Клеусов Владимир Сергеевич Kleusov.Vladimir at wildberries.ru
Tue Aug 11 10:31:01 CEST 2020


Thanks.
I don't quite understand.
> 2. Store your NT-hashed passwords there 
How do I do this?


> On 10 Aug 2020, at 20:10, Martin Pauly <pauly at hrz.uni-marburg.de> wrote:
> 
> On 03.08.20 at 20:04, Клеусов Владимир Сергеевич via Freeradius-Users wrote:
>> cleartext is not suitable.
> sure, and not needed either.
>> Is there an instruction for enabling nthash in openldap ?
> In principle, yes -- but be careful. The ancient NTLM Hash is pretty close to cleartext in 2020,
> so make sure nobody steals the hash.
> 
> 1. Create an attribute containing NTLMHash in your OpenLDAP schema, named e.g. MyNTPassword
> 2. Store your NT-hashed passwords there
> 3. In mods-available/ldap, there's already a well-prepared config line for you in the update{} section
>   starting with control:NT-Password. On the right-hand side of this assignment, adjust the LDAP
>   attribute name e.g. to MyNTPassword and uncomment the line
> 
> The result looks similar to:
> 
> ldap {
>        [...]
>        update {
>                control:NT-Password             := 'MyNTPassword'
>                [...]
>        }
>        [...]
> }
> 
> FR will pull the NTLM Hash from LDAP and perform the server side of the MS-CHAP authentication itself,
> no Windows server needed.
> 
> HTH, Martin
> 
> 
> -- 
>  Dr. Martin Pauly     Phone:  +49-6421-28-23527
>  HRZ Univ. Marburg    Fax:    +49-6421-28-26994
>  Hans-Meerwein-Str.   E-Mail: pauly at HRZ.Uni-Marburg.DE
>  D-35032 Marburg
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



