<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Verdana
}
--></style>
</head>
<body class='hmmessage'>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language:EN-US">Hello List!<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language:EN-US">I got a
machine up and running Freeradius 2.1.0 with SSL support to secure a Wireless
LAN. In our school’s network we (have to) use an Apple Mac OS X 10.4 Server
with Samba as the PDC. Samba stores the user information using the
OpenDirectory on the same server – using the NTLM password hashes… so far,
there should be no problem for Freeradius using LDAP to connect to the OD and
retrieve the NTLM hash to authenticate the wireless clients. <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language:EN-US">But: The
Apple version of Samba/OD doesn’t store the password hashes in a single
attribute like “ntPassword” but has an attribute authAuthority wherein I can
find the password hash along with other data. <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language:EN-US">It looks as
follows:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language:EN-US">;ApplePasswordServer;0x483c17c8243ef2e50000006300000063,1024
35
125970781877265371419068079752014021791262844836946048377957311154497136228042965757375847122307734052483074746624578126000618735633773317278498981627114249689772743602420918339130341864974993436477801319895573061225381390477597326815293162022588098739972549400419565510594125451003170841605019718114727580097
</span><a href="mailto:root@schulserver.intern:10.10.1.1"><span lang="EN-US" style="mso-ansi-language:EN-US">root@schulserver.intern:10.10.1.1</span></a> <span lang="EN-US" style="mso-ansi-language:EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language:EN-US">Question:
Is there a possibility of modifying the LDAP return value (e.g. by a regex) so
that I only get the hash? I’ve searched the web for over two weeks now, but
haven’t found an answer that satisfies me.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language:EN-US">I know, I
also could use ntlm_auth for authentication, but as far as I can see, I
couldn’t select a user group to be granted access. Either all users that Samba
knows or none. Via LDAP/OP I could select a single group (e.g. named
“WirelessAccess”) that will be successfully granted access to the Wireless. Or
am I mistaken at that point?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language:EN-US">Any help
would be greatly appreciated!<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language:EN-US">Thanks in
advance,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-ansi-language:EN-US">moenster<o:p></o:p></span></p></body>
</html>