I am experiencing the following oddness I am hoping someone can shed some light on... We are using FR 2.X and LDAP for MSCHAPv2 authentication. We are storing the NT-Password Hash within LDAP, utilizing ldap.attrmap to map our LDAP variable to "NT-Password" So when an MSCHAPv2 based Auth comes in all is well, the mschap module sees mschap attributes, sets Auth to MSCHAP. rlm_ldap dives into LDAP and locates and maps "NT-Password" properly. All is well.... ALMOST... For a few lucky accounts this process comes to a halt, upon inspection we noticed that the NT-Password being copied by rlm_ldap was being truncated [From Debug output] rlm_ldap: unicodePWD -> NT-Password == 0x6f183bc46904 This is super short... Look at a successful auth rlm_ldap: unicodePWD -> NT-Password == 0xb31b12345aca32aaa607430cb7acdcb1 It appears though that there may be a bug in the string copy function of the rlm_ldap function (or whatever is responsible for copying the attributes from LDAP to Server core for MSCHAP challenge compare) We noticed the truncation upon "00" and "3d" in the NT-Password hash (so if the has was abc12300 or abc1233d all you would see is abc123) Your input is greatly appreciated. Thank you Larry
Larry Ross wrote:
It appears though that there may be a bug in the string copy function of the rlm_ldap function (or whatever is responsible for copying the attributes from LDAP to Server core for MSCHAP challenge compare) We noticed the truncation upon "00" and "3d" in the NT-Password hash (so if the has was abc12300 or abc1233d all you would see is abc123)
The OpenLDAP API assumes that the returned values are text. If you want to store *binary* data, then FreeRADIUS has to use a different API to query for the data. And *before* it does the query it has to know which values are binary, and which ones are text. Or, you can do what everyone else does. Store the NT-Password hash as a string of 32 hex numbers. Storing it as a binary blob of 16 bytes just causes problems. Alan DeKok.
Hmm interesting, how were you able to divine that that is how we are storing the has values... -----Original Message----- From: freeradius-users-bounces+lfross=ucdavis.edu@lists.freeradius.org [mailto:freeradius-users-bounces+lfross=ucdavis.edu@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Thursday, August 20, 2009 11:59 PM To: FreeRadius users mailing list Subject: Re: LDAP MSCHAP error Larry Ross wrote:
It appears though that there may be a bug in the string copy function of the rlm_ldap function (or whatever is responsible for copying the attributes from LDAP to Server core for MSCHAP challenge compare) We noticed the truncation upon "00" and "3d" in the NT-Password hash (so if the has was abc12300 or abc1233d all you would see is abc123)
The OpenLDAP API assumes that the returned values are text. If you want to store *binary* data, then FreeRADIUS has to use a different API to query for the data. And *before* it does the query it has to know which values are binary, and which ones are text. Or, you can do what everyone else does. Store the NT-Password hash as a string of 32 hex numbers. Storing it as a binary blob of 16 bytes just causes problems. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I don't want to receive any email form freeradius-users@lists.freeradius.org . plss --- On Fri, 8/21/09, Alan DeKok <aland@deployingradius.com> wrote: From: Alan DeKok <aland@deployingradius.com> Subject: Re: LDAP MSCHAP error To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Date: Friday, August 21, 2009, 11:35 PM Larry Ross wrote:
Hmm interesting, how were you able to divine that that is how we are storing the has values...
C programming 101. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I don't want to receive any email form freeradius-users@lists.freeradius.org How can i do for this? Pls help.
Mai Khai Hung wrote:
I don't want to receive any email form freeradius-users@lists.freeradius.org
How can i do for this?
Read the URL at the bottom of EVERY message on the list. It's not hard.
Pls help.
------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
LOL, K. Just found it interesting that with so little data you were able to devine our schema. The problem here is our LDAP tree will not or cannot change (political reasons... Long story sucks for me, but as they say wish in one hand and poop in the other, get back to me when you figure out which on fills first...) So yeah I am stuck with Binary NT hash's to use for MSCHAP auth. The odd thing is it works for 95% of our users, it seems there is a character combo that causes the truncation. So I was thinking I would use a perl script (thank you rlm_perl, and PERL-LDAP modules) to perform the LDAP query and then convert the data to ASCII and insert the converted String Data into the NT-Password variable. With that strategy in mind I have a couple questions. 1: Sanity check. Before I begin down this path, does this sound plausible? 2: Suggestions or samples would be greatly appreciated. Thank you Larry -----Original Message----- From: freeradius-users-bounces+lfross=ucdavis.edu@lists.freeradius.org [mailto:freeradius-users-bounces+lfross=ucdavis.edu@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Friday, August 21, 2009 11:35 PM To: FreeRadius users mailing list Subject: Re: LDAP MSCHAP error Larry Ross wrote:
Hmm interesting, how were you able to divine that that is how we are storing the has values...
C programming 101. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Larry Ross wrote:
LOL, K. Just found it interesting that with so little data you were able to devine our schema. The problem here is our LDAP tree will not or cannot change (political reasons... Long story sucks for me, but as they say wish in one hand and poop in the other, get back to me when you figure out which on fills first...)
As I said... it's C programming 101. It's trivial for anyone who's spent 10 minutes with C.
So yeah I am stuck with Binary NT hash's to use for MSCHAP auth. The odd thing is it works for 95% of our users, it seems there is a character combo that causes the truncation.
Yes. "00". This is C 101.
So I was thinking I would use a perl script (thank you rlm_perl, and PERL-LDAP modules) to perform the LDAP query and then convert the data to ASCII and insert the converted String Data into the NT-Password variable.
That might work. Alan DeKok.
passwords that are effected do not contain 00 FYI -----Original Message----- From: freeradius-users-bounces+lfross=ucdavis.edu@lists.freeradius.org [mailto:freeradius-users-bounces+lfross=ucdavis.edu@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Monday, August 24, 2009 11:03 AM To: FreeRadius users mailing list Subject: Re: LDAP MSCHAP error Larry Ross wrote:
LOL, K. Just found it interesting that with so little data you were able to devine our schema. The problem here is our LDAP tree will not or cannot change (political reasons... Long story sucks for me, but as they say wish in one hand and poop in the other, get back to me when you figure out which on fills first...)
As I said... it's C programming 101. It's trivial for anyone who's spent 10 minutes with C.
So yeah I am stuck with Binary NT hash's to use for MSCHAP auth. The odd thing is it works for 95% of our users, it seems there is a character combo that causes the truncation.
Yes. "00". This is C 101.
So I was thinking I would use a perl script (thank you rlm_perl, and PERL-LDAP modules) to perform the LDAP query and then convert the data to ASCII and insert the converted String Data into the NT-Password variable.
That might work. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Also any ideas as to how I may insert the variable from perl would be nice. -----Original Message----- From: freeradius-users-bounces+lfross=ucdavis.edu@lists.freeradius.org [mailto:freeradius-users-bounces+lfross=ucdavis.edu@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Monday, August 24, 2009 11:03 AM To: FreeRadius users mailing list Subject: Re: LDAP MSCHAP error Larry Ross wrote:
LOL, K. Just found it interesting that with so little data you were able to devine our schema. The problem here is our LDAP tree will not or cannot change (political reasons... Long story sucks for me, but as they say wish in one hand and poop in the other, get back to me when you figure out which on fills first...)
As I said... it's C programming 101. It's trivial for anyone who's spent 10 minutes with C.
So yeah I am stuck with Binary NT hash's to use for MSCHAP auth. The odd thing is it works for 95% of our users, it seems there is a character combo that causes the truncation.
Yes. "00". This is C 101.
So I was thinking I would use a perl script (thank you rlm_perl, and PERL-LDAP modules) to perform the LDAP query and then convert the data to ASCII and insert the converted String Data into the NT-Password variable.
That might work. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Larry Ross -
Mai Khai Hung