-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 9/3/10 2:30 PM, Alan DeKok wrote:
Kevin Ehlers wrote:
Is it possible to modify attributes returned from ldap? E.g. We're trying to do wpa-enterprise with peap-mschapv2. We store our nt hash passwords as "{nthash}<hash>" instead of "{nt}<hash>". It looks like the mschap module doesn't auto-detect the hash-type correctly, and says that it never received a valid password hash. All authentication fails at this point.
The PAP module is the one which does the password mangling.
We store it as {nthash} because that's what our other radius servers (radiator) expect to see.
I can add the {nthash} format for 2.1.10. In the mean time, try putting this into the "authorize" section, just before the "pap" module:
if (control:User-Password =~ /^{nthash}(.*)/) { update control { User-Password := "{nt}%{1}" } }
Hi Alan, Thanks for pointing me in the right direction. I found a solution that works in the mean-time by writing a perl module. I'm using the perl module during the authorize section in the inner-tunnel virtual server. What it does is query ldap, and get the nt-password attribute from our ldap server. It then does a $nt-password =~ /^{nthash}(.*)$/. From there, I update the control packet $RAD_CHECK{NT-Password} = $1. And then it returns OK. It looks like the ldap module rejects the password and doesn't store it in the User-Password or NT-Password field. I tried updating the ldap.attrmap, and it still didn't store it. When I tried the control:User-Password =~ /regex/, there was nothing to match it to. Thanks, - -- Kevin Ehlers Network Engineer University of Oregon -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.14 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkyHuFEACgkQ0l216NgIDrys/QCfUg8v3U3ZObjpS7G6FswGkaH2 5uoAoIC3dFLS1cXNrAdnEZ/sYjvZElIZ =0f4H -----END PGP SIGNATURE-----