authenticate machine accounts with ntlm_auth

Stefan Winter freeradius-users-ml at stefan-winter.de
Mon Aug 1 08:09:02 CEST 2005


Hi,

> It sounds to me like you're saying this is a server-side issue.  Since AD
> is available via LDAP, why couldn't this FreeRadius install just use
> rlm_ldap to access the machine account info in AD?

No. There is one important difference between plain LDAP and AD: an AD server 
will _never_ give away the user's (machine's) password. Never. The closest 
thing you can get is a MS-CHAP challenge that is built from the password, but 
for some reason that doesn't do the trick.

> The Microsoft side of things isn't my greatest strength, least of all the
> AD/LDAP stuff, but it seems as though this *should* work.

It would, if AD would give you the password. But it doesn't.

Greetings,

Stefan Winter

-- 
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingénieur de recherche

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: stefan.winter at restena.lu     tél.:     +352 424409-1
http://www.restena.lu               fax:      +352 422473
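The thread's subject is the way around the problem described above: instead of trying to read a password out of AD, FreeRADIUS's mschap module hands the MS-CHAP challenge and the client's response to Samba's ntlm_auth, which asks a domain controller over winbind to verify them. The following configuration fragment is an added example, not taken from the post or from the FreeRADIUS project's shipped defaults; the path to ntlm_auth, the domain name EXAMPLE and the machine name pc01 are assumptions, and the `%{mschap:User-Name}` expansion that strips the `host/` prefix is the one provided by the mschap module in FreeRADIUS 2.x and later.

```conf
# Added example (not from the mailing-list post): FreeRADIUS "mschap"
# module delegating MS-CHAP(v2) verification to a domain controller
# through Samba's ntlm_auth. Assumptions: the RADIUS host is joined to
# the domain (net ads join) and winbindd is running; the path and the
# domain name EXAMPLE are placeholders to adapt.
mschap {
    # Strip a leading "DOMAIN\" from the supplied user name before
    # looking the account up.
    with_ntdomain_hack = yes

    # ntlm_auth only ever receives the challenge and the client's
    # response. The DC compares them against the account's NT hash and,
    # on success, returns the NT key for deriving MPPE session keys, so
    # neither the password nor its hash ever reaches FreeRADIUS. This is
    # why an LDAP bind against AD cannot replace it.
    #
    # %{mschap:User-Name} rewrites a machine identity sent as
    # host/pc01.example.com into the account name pc01$ that AD expects
    # for a computer object; a plain user name passes through unchanged.
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"
}
```

Two things to check before blaming the configuration when machine authentication still fails: `wbinfo -t` must report a working trust with the domain, and the user radiusd runs as must be allowed into the winbindd privileged pipe directory (typically a `winbindd_privileged` directory under Samba's state path; the exact location varies by distribution), because `--request-nt-key` is refused over the unprivileged pipe. Both show up in `radiusd -X` output as ntlm_auth returning an error rather than as an AD problem.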
