authenticate machine accounts with ntlm_auth

Stefan Winter freeradius-users-ml at
Mon Aug 1 08:09:02 CEST 2005


> It sounds to me like you're saying this is a server-side issue.  Since AD
> is available via LDAP, why couldn't this FreeRadius install just use
> rlm_ldap to access the machine account info in AD?

No. There is one important difference between plain LDAP and AD: an AD server
will _never_ give away the user's (machine's) password. Never. The closest
thing you can get is an MS-CHAP challenge that is built from the password, but
for some reason that doesn't do the trick.

> The Microsoft side of things isn't my greatest strength, least of all the
> AD/LDAP stuff, but it seems as though this *should* work.

It would, if AD would give you the password. But it doesn't.


Stefan Winter


Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Research engineer

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: stefan.winter at    tel.: +352 424409-1    fax: +352 422473
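As an added illustration (not part of the original message), this is the shape of the FreeRADIUS mschap module setting that delegates MS-CHAP verification to the domain controller through Samba's ntlm_auth, which is the approach the thread subject refers to. The ntlm_auth path and the domain name EXAMPLE are assumed placeholders, and it presumes the RADIUS host has been joined to the domain with winbind running.

```text
# mschap module (raddb/modules/mschap in FreeRADIUS 2.x,
# raddb/mods-available/mschap in 3.x)
mschap {
	# The RADIUS server never holds the password or its NT hash.
	# It passes the MS-CHAP challenge and the client's NT-Response to
	# ntlm_auth; winbind asks the domain controller to verify them
	# and returns the NT key on success, so the secret stays in AD.
	# "EXAMPLE" and /usr/bin/ntlm_auth are placeholders for this example.
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
```

Recent Samba releases additionally require `--allow-mschapv2` on the ntlm_auth command line, which was not needed at the time of this thread.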
