Support for other hash (like MD5, SHA1) using MSCHAPv2

Brivaldo Junior brivaldo.junior at ufms.br
Wed Feb 2 15:31:19 CET 2011


We use OpenLDAP here, and have many users with many userPassword
fields, each one with one hash such as MD5, SHA1, SSHA, SMD5 and
others. Using PAP, it works perfectly, but we want to use MSCHAPv2
because it works with a simple configuration (thinking of the user
side) on Windows, MacOSX and sometimes Linux too.

I read rlm_mschap.c and see that the code uses SMB (using directly the
domain or the ClearText password to generate the NTLM encoding, or OD
of Apple, right?), but I need to authenticate using OpenLDAP, and using
these hashes (we have an IdP using Shibboleth with this OpenLDAP too,
but did not think about whether it is possible to use it for auth
purposes on FreeRadius).

Is there an explanation why this doesn't exist, or is it only because
it isn't implemented yet? We are thinking of using the PAP code
implementation to help our modification, of course, if that kind of
modification doesn't represent a problem for the rlm_mschap.c module.

Our idea is to get the ClearText decoded on the MSCHAP connection (get
this information) and encode it using OpenSSL (the same way used in
PAP) to check whether the hashes are the same as those obtained from
OpenLDAP.


 Regards,
-- 
 Brivaldo Junior/DIGR/NIN
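
For reference, the kind of PAP-side check the message refers to, verifying a cleartext password against several userPassword values with the schemes it names. This is an added example, not code from the post or from FreeRADIUS; the function names and sample values are constructed for illustration, and it assumes the cleartext password is available as input, as it is with PAP.

```python
import base64
import hashlib
import hmac

# Scheme name -> (hashlib algorithm, digest length in bytes, salted?)
SCHEMES = {
    "MD5":  ("md5", 16, False),
    "SMD5": ("md5", 16, True),
    "SHA":  ("sha1", 20, False),
    "SSHA": ("sha1", 20, True),
}

def check_user_password(stored: str, cleartext: str) -> bool:
    """Return True if cleartext matches one RFC 2307 style userPassword value."""
    if not stored.startswith("{") or "}" not in stored:
        # Assumption: a value with no scheme prefix holds the cleartext itself.
        return hmac.compare_digest(stored.encode(), cleartext.encode())
    scheme, _, b64 = stored[1:].partition("}")
    spec = SCHEMES.get(scheme.upper())
    if spec is None:
        return False                      # unknown scheme: fail closed
    algo, dlen, salted = spec
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return False                      # malformed base64
    digest, salt = raw[:dlen], raw[dlen:]
    if len(digest) != dlen or (salt and not salted) or (salted and not salt):
        return False                      # wrong length for the scheme
    # Salted schemes hash password || salt; the salt is stored after the digest.
    expected = hashlib.new(algo, cleartext.encode() + salt).digest()
    return hmac.compare_digest(expected, digest)

def check_any(values, cleartext):
    """A user may carry several userPassword values; accept if any one matches."""
    return any(check_user_password(v, cleartext) for v in values)

def make_value(scheme, cleartext, salt=b""):
    """Build a constructed sample value for the demo (not a real directory entry)."""
    algo = SCHEMES[scheme][0]
    d = hashlib.new(algo, cleartext.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(d + salt).decode())

if __name__ == "__main__":
    entry = [make_value("MD5", "s3cret"), make_value("SSHA", "s3cret", b"\x01\x02\x03\x04")]
    print(entry, check_any(entry, "s3cret"), check_any(entry, "wrong"))
```

An MS-CHAPv2 exchange (RFC 2759) carries a challenge response computed from the MD4-based NT hash of the password rather than the password itself, so a check of this kind has no cleartext input in that exchange.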


