Freeradius in an AD environment on opensuse server
Maurizio Cimaschi
mauri at unixrulez.org
Thu Aug 14 19:29:28 CEST 2008
Ivan Kalik wrote:
> You can't get cleartext password from AD, but you can extract encrypted
> (nt hashed) password as NT-Password with ldap. You will be able to
> authenticate pap and mschap requests with that.
I was lurking in the attribute list of the AD:
http://msdn.microsoft.com/en-us/library/ms675480(VS.85).aspx
There's a particular attribute that may do the trick: "DBCS-Pwd
Attribute". It is said to be the account's LAN manager password.
Since rlm_mschap should be able to authenticate using one of clear-text
pwd, LAN mgr pwd and NT pwd, this should be enough.
Via ldap.attrmap it should be possible to map that attribute to the radius
attribute LM-Password.
What do you think?