Binding to LDAP as user, rather than anonymous bind
I've got wireless equipment that can relay MS-CHAP-v2 requests to my FreeRADIUS box from Windows XP clients. I see the radius box making LDAP requests to the LDAP server (over SSL), binding as the anonymous user, and searching for the target user. So far so good. The problem is, our password information is not kept in LDAP, so there is no attribute to compare against. Our LDAP servers pass the authentication request off to Kerberos. The only way to authenticate via LDAP is to bind as the target user with the target password, rather than an anonymous user. Can FreeRadius extract the password out of the MS-CHAP-v2 request, and use it to bind against LDAP over SSL? I would much rather not have to tackle Kerberos, as it looks much more complicated. Thanks for any help, Norman Elton
Norman Elton <normelton@gmail.com> wrote:
Can FreeRadius extract the password out of the MS-CHAP-v2 request, and use it to bind against LDAP over SSL?
No. MS-CHAPv2 is designed to make that impossible.
I would much rather not have to tackle Kerberos, as it looks much more complicated.
If you can't obtain the clear-text (or NT) password from LDAP, then what youy're trying to do is impossible. MS-CHAP is designed to make it impossible to get the clear-text password from the MS-CHAP data. Kerberos is designed to never give the password to the application. FreeRADIUS sits in the middle, and gets locked out by both ends. Alan DeKok.
participants (2)
-
Alan DeKok -
Norman Elton