Binding to LDAP as user, rather than anonymous bind

Alan DeKok aland at ox.org
Thu Mar 23 23:43:15 CET 2006


Norman Elton <normelton at gmail.com> wrote:
> Can FreeRadius extract the password out of the MS-CHAP-v2 request,  
> and use it to bind against LDAP over SSL?

  No.  MS-CHAPv2 is designed to make that impossible.

> I would much rather not have to tackle Kerberos, as it looks much
> more complicated.

  If you can't obtain the clear-text (or NT) password from LDAP, then
what you're trying to do is impossible.

  MS-CHAP is designed to make it impossible to get the clear-text
password from the MS-CHAP data.  Kerberos is designed to never give
the password to the application.  FreeRADIUS sits in the middle, and
gets locked out by both ends.

  Alan DeKok.




More information about the Freeradius-Users mailing list