Jon P. Giza wrote:
I doubt it will be possible to remove that. Is it possible to authenticate
You can't unfortunately use attr_rewrite or the "users" file to manipulate "config" AVPs. You may be able to use the exec module to do so: modules { exec stripnonhex { wait = yes input_pairs = config output_pairs = config program = "/path/to/stripnonhex.sh" } } ...with "stripnonhex.sh" being pretty simple: #!/bin/sh newnt=`echo $NT_PASSWORD | perl -pe 's/[^[:xdigit:]]//g'` echo "NT-Password := $newnt" ...now I'm not certain that the exec module parses the output in exactly that way, namely whether the NT-Password that the exec module emits will overwrite the existing one in "config" items, or whether the ":=" does nothing in this context, so test it first. If it doesn't work you may have to map the ldap to Bad-NT-Password or something and change the script to read BAD_NT_PASSWORD. Failing that, you could patch rlm_mschap - in my 1.0.5 source tree, the relevant lines are ~1056, where you'd need to loosen the 32 character check: 1054 if (nt_password) { 1055 if ((nt_password->length == 16) || 1056 ((nt_password->length == 32) && change to: 1054 if (nt_password) { 1055 if ((nt_password->length == 16) || 1056 ((nt_password->length >= 32) && ...and the hex2bin function further up to ignore rather than exit on non-hex characters: 73 int i; 74 75 for (i = 0; i < len; i++) { 76 if( !(SOMESTUFF) || 77 !(SOMESTUFF)) 78 break; 79 szBin[i] = ((c1-letters)<<4) + (c2-letters); ...change that to: 73 int i,j; 74 75 for (i = 0, j = 0; i < len; i++) { 76 if( !(SOMESTUFF) || 77 !(SOMESTUFF)) 78 continue; 79 szBin[j++] = ((c1-letters)<<4) + (c2-letters); As always, no warranty it might eat your cat etc.
to this ldap database in another way? I thought I had read of a way to bind to the ldap server as the user we are trying to authenticate, but I can not find any good info on this.
You can do that, but since an ldap simple bind requires the plaintext password it only works with PAP requests, not MS-CHAP.