LDAP Data Mangling

Alan DeKok aland at deployingradius.com
Fri Sep 3 23:30:02 CEST 2010

Kevin Ehlers wrote:
> Is it possible to modify attributes returned from ldap?  E.g. We're
> trying to do wpa-enterprise with peap-mschapv2.  We store our nt hash
> passwords as "{nthash}<hash>" instead of "{nt}<hash>".  It looks like
> the mschap module doesn't auto-detect the hash-type correctly, and says
> that it never received a valid password hash.  All authentication fails
> at this point.

  The PAP module is the one which does the password mangling.

> We store it as {nthash} because that's what our other radius servers
> (radiator) expect to see.

  I can add the {nthash} format for 2.1.10.  In the mean time, try
putting this into the "authorize" section, just before the "pap" module:

	if (control:User-Password =~ /^{nthash}(.*)/) {
		update control {
			User-Password := "{nt}%{1}"

  Alan DeKok.

More information about the Freeradius-Users mailing list