Yet another PEAP/LDAP Question

Phil Mayers p.mayers at imperial.ac.uk
Thu Jan 26 00:54:09 CET 2006


Jon P. Giza wrote:
> I doubt it will be possible to remove that.  Is it possible to authenticate

You can't, unfortunately, use attr_rewrite or the "users" file to 
manipulate "config" AVPs. You may be able to use the exec module to do so:

modules {
   exec stripnonhex {
     wait = yes
     input_pairs = config
     output_pairs = config
     program = "/path/to/stripnonhex.sh"
   }
}

...with "stripnonhex.sh" being pretty simple:

#!/bin/sh
# The exec module exports each input pair as an environment variable, with
# '-' turned into '_', so the "config" item NT-Password arrives as $NT_PASSWORD.
# Keep only hex digits and hand the cleaned value back as NT-Password.
newnt=$(printf '%s' "$NT_PASSWORD" | perl -pe 's/[^[:xdigit:]]//g')
echo "NT-Password := $newnt"

...now I'm not certain that the exec module parses the output in exactly 
that way, namely whether the NT-Password that the exec module emits will 
overwrite the existing one in "config" items, or whether the ":=" does 
nothing in this context, so test it first. If it doesn't work you may 
have to map the ldap to Bad-NT-Password or something and change the 
script to read BAD_NT_PASSWORD.

Failing that, you could patch rlm_mschap - in my 1.0.5 source tree, the 
relevant lines are ~1056, where you'd need to loosen the 32 character check:

    1054         if (nt_password) {
    1055                 if ((nt_password->length == 16) ||
    1056                     ((nt_password->length == 32) &&

change to:

    1054         if (nt_password) {
    1055                 if ((nt_password->length == 16) ||
    1056                     ((nt_password->length >= 32) &&

...and the hex2bin function further up to ignore rather than exit on 
non-hex characters:

73         int i;
74
75         for (i = 0; i < len; i++) {
76                 if( !(SOMESTUFF) ||
77                     !(SOMESTUFF))
78                      break;
79                  szBin[i] = ((c1-letters)<<4) + (c2-letters);

...change that to:

73         int i,j;
74
75         for (i = 0, j = 0; i < len; i++) {
76                 if( !(SOMESTUFF) ||
77                     !(SOMESTUFF))
78                      continue;
79                  szBin[j++] = ((c1-letters)<<4) + (c2-letters);

As always, no warranty; it might eat your cat, etc.

> to this ldap database in another way?  I thought I had read of a way to bind
> to the ldap server as the user we are trying to authenticate, but I can not
> find any good info on this.  

You can do that, but since an ldap simple bind requires the plaintext 
password it only works with PAP requests, not MS-CHAP.
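An added example, not code from this mail or from the rlm_mschap source: a C helper that skips non-hex characters one at a time (so a quote or colon between digits cannot shift the remaining pairs) and keeps the 16-byte requirement strict even after tolerating separators, which is the check to preserve when the length test in the module is relaxed. The names nt_hex2bin and nt_password_valid and the sample value are assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Decode an NT-Password given as hex text, skipping non-hex characters
 * one at a time (quotes, colons, whitespace) so a separator never misaligns
 * the digit pairs.  Returns bytes written, or -1 if the digit count is odd
 * or the output buffer would overflow.  Hypothetical helper written for
 * this example, not rlm_mschap's own hex2bin. */
static int nt_hex2bin(const char *hex, unsigned char *out, size_t outlen)
{
    size_t n = 0;           /* bytes produced so far */
    int have_hi = 0;        /* a high nibble is waiting for its partner */
    unsigned char hi = 0;

    for (const char *p = hex; *p != '\0'; p++) {
        int c = (unsigned char)*p, v;
        if (!isxdigit(c))
            continue;
        v = isdigit(c) ? c - '0' : toupper(c) - 'A' + 10;
        if (!have_hi) { hi = (unsigned char)v; have_hi = 1; continue; }
        if (n >= outlen)
            return -1;      /* too long: refuse rather than silently truncate */
        out[n++] = (unsigned char)((hi << 4) | v);
        have_hi = 0;
    }
    return have_hi ? -1 : (int)n;
}

/* An NT hash is exactly 16 bytes (32 hex digits); anything else is rejected
 * instead of being handed to the MS-CHAP comparison. Returns 1 on success. */
static int nt_password_valid(const char *hex, unsigned char out16[16])
{
    unsigned char buf[16];
    if (nt_hex2bin(hex, buf, sizeof buf) != 16)
        return 0;
    memcpy(out16, buf, 16);
    return 1;
}

int main(void)
{
    /* Constructed sample value, quoted the way an LDAP export might carry it. */
    const char *sample = "\"00112233445566778899aabbccddeeff\"";
    unsigned char h[16];
    printf("%s -> %s\n", sample, nt_password_valid(sample, h) ? "accepted" : "rejected");
    return 0;
}
```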
