Yet another PEAP/LDAP Question
Phil Mayers
p.mayers at imperial.ac.uk
Thu Jan 26 00:54:09 CET 2006
Jon P. Giza wrote:
> I doubt it will be possible to remove that. Is it possible to authenticate
You can't unfortunately use attr_rewrite or the "users" file to
manipulate "config" AVPs. You may be able to use the exec module to do so:
    modules {
        exec stripnonhex {
            wait = yes
            input_pairs = config
            output_pairs = config
            program = "/path/to/stripnonhex.sh"
        }
    }
...with "stripnonhex.sh" being pretty simple:
    #!/bin/sh
    # rlm_exec passes the input pairs as environment variables, so
    # NT-Password arrives as $NT_PASSWORD; strip everything that is not a
    # hex digit and hand the cleaned value back as an output pair.
    newnt=`echo "$NT_PASSWORD" | perl -pe 's/[^[:xdigit:]]//g'`
    echo "NT-Password := $newnt"
...now I'm not certain that the exec module parses the output in exactly
that way, namely whether the NT-Password that the exec module emits will
overwrite the existing one in "config" items, or whether the ":=" does
nothing in this context, so test it first. If it doesn't work you may
have to map the ldap to Bad-NT-Password or something and change the
script to read BAD_NT_PASSWORD.
Failing that, you could patch rlm_mschap - in my 1.0.5 source tree, the
relevant lines are ~1056, where you'd need to loosen the 32 character check:
    1054     if (nt_password) {
    1055         if ((nt_password->length == 16) ||
    1056             ((nt_password->length == 32) &&
change to:
    1054     if (nt_password) {
    1055         if ((nt_password->length == 16) ||
    1056             ((nt_password->length >= 32) &&
...and the hex2bin function further up to ignore rather than exit on
non-hex characters:
    73     int i;
    74
    75     for (i = 0; i < len; i++) {
    76         if( !(SOMESTUFF) ||
    77             !(SOMESTUFF))
    78             break;
    79         szBin[i] = ((c1-letters)<<4) + (c2-letters);
...change that to:
    73     int i,j;
    74
    75     for (i = 0, j = 0; i < len; i++) {
    76         if( !(SOMESTUFF) ||
    77             !(SOMESTUFF))
    78             continue;
    79         szBin[j++] = ((c1-letters)<<4) + (c2-letters);
As always, no warranty, it might eat your cat, etc.
> to this ldap database in another way? I thought I had read of a way to bind
> to the ldap server as the user we are trying to authenticate, but I can not
> find any good info on this.
You can do that, but since an ldap simple bind requires the plaintext
password it only works with PAP requests, not MS-CHAP.
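The "skip non-hex instead of bailing out" decoder described above, as an added stand-alone example (this is not rlm_mschap's own hex2bin, and the function and variable names are made up): it ignores separators and whitespace the way the `continue` patch does, but additionally insists that exactly 16 bytes come out, which is the check you lose if you only loosen `== 32` to `>= 32` in the length test.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode a hex string into out, skipping any non-hex characters.
 * Returns the number of bytes written, or -1 unless the cleaned
 * input decodes to exactly out_len bytes (16 for an NT hash): an
 * odd digit count, a short value or an over-long one are all rejected
 * rather than silently accepted as a "valid" hash. */
int nt_hash_from_hex(const char *in, unsigned char *out, size_t out_len) {
    size_t n = 0;   /* bytes produced so far */
    int hi = -1;    /* pending high nibble, -1 when none */
    for (const char *p = in; *p != '\0'; p++) {
        int v = hexval((unsigned char)*p);
        if (v < 0) continue;               /* separator, space, newline: skip */
        if (hi < 0) { hi = v; continue; }  /* first digit of a byte */
        if (n == out_len) return -1;       /* more digits than a hash holds */
        out[n++] = (unsigned char)((hi << 4) | v);
        hi = -1;
    }
    if (hi >= 0 || n != out_len) return -1;
    return (int)n;
}

int main(void) {
    /* Constructed sample: a colon-separated 32-digit value with a
     * trailing newline, as a directory export might deliver it. */
    const char *sample = "0a:1b:2c:3d:4e:5f:60:71:82:93:a4:b5:c6:d7:e8:f9\n";
    unsigned char hash[16];
    int n = nt_hash_from_hex(sample, hash, sizeof hash);
    printf("decoded %d bytes, first=0x%02x last=0x%02x\n", n, hash[0], hash[15]);
    return n == 16 ? 0 : 1;
}
```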