Unable to authenticate to 10.5.4 open directory

Nicolas Goutte nicolas.goutte at extragroup.de
Sat Aug 30 11:19:20 CEST 2008

Am 30.08.2008 um 09:13 schrieb Thomas von Eyben:

> On Fri, Aug 29, 2008 at 11:57 PM, Ivan Kalik <tnt at kalik.net> wrote:
>>> modcall: entering group MS-CHAP for request 6
>>>  rlm_mschap: No User-Password configured.  Cannot create LM- 
>>> Password.
>>>  rlm_mschap: No User-Password configured.  Cannot create NT- 
>>> Password.
>>>  rlm_mschap: Told to do MS-CHAPv2 for testuser at bric.dk with NT- 
>>> Password
>>>  rlm_mschap: No NT-Password configured. Trying DirectoryService  
>>> Authentication.
>> What is the password entry for this user in ldap? Is it encrypted?
>> Ivan Kalik
>> Kalik Informatika ISP
> The password are stored in the "default OS X Server way" for a  
> shared domain.
> This is in what Apple calls Open Directory: meaning that the LDAP
> stores a pointer (aka a password slot) which references the actual
> password which is stored in a database seperate from the LDAP.
> Details can be found on page 41 in this document:
> http://images.apple.com/server/macosx/docs/ 
> Open_Directory_Admin_v10.5.pdf
> This mechanism is what is working "out of the box".
> Earlier on I made a test environment where this worked - the
> difference being the test environment was a server and an access point
> communicating directly. Now - the real scenario - the server is
> working in what I think is called proxy mode, the authentication
> requests does not originate directly from the access point, but is
> "relayed" (my best description) via the Eduroam DK top level servers.
> NB.: I suspect that the LDAP is not even queried, I am not yet able to
> find any clues in the logfiles indicating anything else :(

All this does not seem to indicate that neither a NT password (a MD4  
hash of the UTF-16LE encoding of the password) nor a cleartext  
version of the password (so that the NT password can be calculated)  
is available for processing MSCHAP.

Page 41 would imply (at least for me) that MD5 hashes are available,  
which cannot be used for MSCHAP, as a hash cannot be "un-encrypted".

> - TvE
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ 
> users.html

Have a nice day!

Nicolas Goutte

extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe

Geschäftsführer: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Registergericht: Amtsgericht Münster / HRB: 5624
Steuer Nr.: 337/5903/0421 / UstID: DE 204607841

More information about the Freeradius-Users mailing list