On Aug 3, 2017, at 12:33 PM, mr mh1113 <mrmh1113@gmail.com> wrote:
Well, it's not as easy as one might think.
I am getting this error: NT-Password found but incorrect length, expected 16 bytes got 40 bytes. Authentication may fail
If you want it to "just work" your password value should be a binary type with no header. If you'd rather work around your issues... ldap if (control:NT-Password =~ /^{.*}(.*)/) { update control { NT-Password := "0x%{1}" } }
MD4 hash has 32 characters, it's hex number so that means 2 characters = 1 byte. 32 / 2 = 16 bytes and this "length" is expected. Another 8 bytes (32 + 8 = 40) is header {nthash} with curled brackets
The rest of the server knows nothing about LDAP's predilection for hash prefixes.
including. I've tried {nt} header and blank header with no success. It seems that FreeRadius interprets value in my custom LDAP attribute as plain text not hex number. LDAP attribute is type "text".
Yes.
Custom LDAP attribute contains text value E217DE3A51C1329B751A28B9792F42DB.
No, it should contain the binary value.
There was a thread about similar problem https://github.com/FreeRADIUS/freeradius-server/issues/679 I use FreeRadius 3.0.4 from CentOS 7 with backported fixes from upstream.
I'd strongly recommend using 3.0.15. http://packages.networkradius.com/centos/7/repo/ -Arran