LDAP/MSCHAP

Sven Hartge sven at svenhartge.de
Fri Nov 11 01:18:25 CET 2011


"Sallee, Stephen (Jake)" <Jake.Sallee at umhb.edu> wrote:

> Please forgive the interjection, but does anyone know of a helper
> module like ntlm_auth that would work with LDAP? Seems like such a
> tool would make questions like this a non-issue.

No, will not work. You can't transform the normally used hashes back
into a cleartext password. (This is kind of the whole point of a hash.)

As long as you don't have any means to provide FreeRADIUS with a cleartext
password or the NT/LM-Hash, you are doomed.

ntlm_auth just offloads the whole Challenge-Response exchange from the
RADIUS server to the Active Directory (as far as I understand it) using
the ntlm_auth binary from Samba. Again: the AD will have to know the
cleartext password in some way (either encrypted or somehow
"pre-hashed") to make this work. (Don't know the specifics, I am a Unix
guy, the only Windows near me is on my gaming computer.)

Regards,
S°

-- 
Sigmentation fault. Core dumped.



