Freeradius in an AD environment on opensuse server

Alan DeKok aland at
Thu Aug 14 21:32:03 CEST 2008

Maurizio Cimaschi wrote:
> Ivan Kalik wrote:
>> You can't get cleartext password from AD, but you can extract encrypted
>> (nt hashed) password as NT-Password with ldap. You will be able to
>> authenticate pap and mschap requests with that.
> I was lurking in the attribute list of the AD:
> There's a particoular attribute that may do the trick: "DBCS-Pwd
> Attribute". It is said to be the account's LAN manager password.

  Cute... but not good enough for doing MS-CHAP.  MS-CHAP has fields for
LAN manager passwords... which are usually blank.  The passwords are
pretty much always NT-hashed passwords.

> Since rlm_mschap should be able to authenticate using one of clear-text
> pwd, LAN mgr pwd and NT pwd this should be enought.

  The *client* has to supply the MS-CHAP magic using the LAN-manager
password.  Since the client always chooses NT-hashed passwords... using
LAN manager passwords is not possible.

> Via ldap.attrmap should be possible to map that attribute to the radius
> attribute LM-Password.


> What do you think ?

  Nice, if the clients did LM passwords.  Which they don't, unfortunately.

  Still, it's worth adding to the default ldap.attrmap.

  Alan DeKok.

More information about the Freeradius-Users mailing list