Am 24.05.21 um 13:58 schrieb Vertigo Altair:
Is there any way to authenticate users with AD without joining the AD server? There is a workaround, but it is not at all simple, and does have security caveats of its own. Technically, what _any_ MS-CHAP(v2) auth server needs ist the NTLM Hash of the password. This is what is usually stored in a table inside the domain controller an used during authentication. If you can put this data somewhere else (e.g.) in an LDAP Server, FR can pull it from there and do the MS-CHAP calculations autonomously.
BUT: Caveat #1: The NTLM Hashes are about the weakest kind of password hashes I know of. In the above scenario, this the storage serve MUST hand out the hash to FR, e.g. in LDAP ist MUST be readable as a normal attribute. Contrast this to auth'ing against LDAP with e.g. EAP/TTLS-PAP. Here, the password - is hashed with a modern algorithm, currently considered almost uncrackable when stolen. - never leaves the LDAP server. Rather, FR does a bind-as-user with the PAP-transmitted cleartext password, effectively using LDAP as an authentiation oracle. If someone steals the NTLM hashes, consider your passwords gone and open. Caveat #2: - Assuming you do not want to give up your AD, you will need some way to permanently synchronize these hashes. if you have e.g. a self-service web frontend for password changes. The cleartext password provided by the user has to be processed to NTLM hash (and perhaps others, better ones) and pushed to the AD domain and LDAP. Martin -- Dr. Martin Pauly Phone: +49-6421-28-23527 HRZ Univ. Marburg Fax: +49-6421-28-26994 Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE D-35032 Marburg