23 Mar
2006
23 Mar
'06
5:43 p.m.
Norman Elton <normelton@gmail.com> wrote:
Can FreeRadius extract the password out of the MS-CHAP-v2 request, and use it to bind against LDAP over SSL?
No. MS-CHAPv2 is designed to make that impossible.
I would much rather not have to tackle Kerberos, as it looks much more complicated.
If you can't obtain the clear-text (or NT) password from LDAP, then what youy're trying to do is impossible. MS-CHAP is designed to make it impossible to get the clear-text password from the MS-CHAP data. Kerberos is designed to never give the password to the application. FreeRADIUS sits in the middle, and gets locked out by both ends. Alan DeKok.