ntlm_auth improvements

Matthew Newton mcn4 at leicester.ac.uk
Tue Feb 24 17:43:02 CET 2015


On Tue, Feb 24, 2015 at 03:56:46PM +0000, Phil Mayers wrote:
> On 24/02/15 15:54, Alan DeKok wrote:
> >Arran and I have spent a fair bit of time the last 3 months hammering
> >the daylights out of 3.0.x, to be sure it’s OK.  It now builds
> >cleanly under 3 different static analysis tools.  It has a suite of
> >regression tests.  And it’s running in production in multiple
> >environments.
> I can totally understand wanting to get 3.0.x stable. If it's
> disruptive, don't add it.

Hopefully not - it essentially (in its current form) adds a new
option to choose the ntlm/mschap auth type, and only uses the new
code if that is set to the right value. Otherwise it calls
ntlm_auth exactly as before.

I've had about 4.6 million auths through the do_auth_wbclient code
across the last week, and still going strong, so hopefully it's
good enough :).

The current pull request isn't quite ready to merge as-is, though
the code is essentially the same. I added a new config option
"auth_method" to choose the method that mschap should use for auth
(rather than the current heuristic of "is ntlm_auth defined"). So
the question is whether that is the best way to set the method,
and whether the defaults are right.


I guess this also all depends on what the timescales for FR3.1
are, too!

It's possible that the best way is to only add the minimal config
option now (which might not be the tidiest or most logical), and
then completely revisit and tidy up the way mschap is configured
for FR 3.1 or, more likely, FR 4.



Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
