Passwords for PEAP from AD-based LDAP

Hugh Messenger hugh at alaweb.com
Thu Jul 12 18:23:32 CEST 2007


Alan DeKok said:
>Robert E. Toense wrote:
>> Yes, I could use ntlm_auth and probably get it working, but this is 
>> supposed to be LDAP-based, not SAMBA.  The LDAP could move to a 
>> different environment.  Use of standards is important to us.

Robert ... unfortunately, Microsoft doesn't take standards as seriously as
you or I do.  When they say something is "standards based", what they
actually mean is they cherry picked the parts they liked, tweaked other
parts to make it work with Windows, and flat out made up the rest as they
went along.

Almost any "standards based" interoperability with Windows will require that
you sacrifice some of your principles.  In this case that sacrifice is
ntlm-auth.  Accept it into your life.  Think of it as the Yin to AD's LDAP
Yang.  If the feelings of violation don't get better over time, do what I do
and scrub your hands until they bleed every time you start thinking about
Microsoft too hard.

Or, as Alan said:

>   1) Ask Microsoft to expose the password through LDAP.

LMAO!!

Alan, good to see you've recovered your sense of humor.  Things were getting
way too serious for a while, there.

>   Alan DeKok.

   -- hugh
