LDAP/MSCHAP

Gary Gatten Ggatten at waddell.com
Fri Nov 11 02:29:43 CET 2011


I agree with Jake, in that I *think* it would be possible to have a plugin or whatever interface with LDAP/AD in the same manner ntlm_auth does.  I don't think one *needs* a cleartext password, but does need some way to compare apples-to-apples.  That said, I don't know the inner workings of all the auth protocols involved here so I could be way off.  Something tells me if it were easy/possible, Mr. DeKok would have likely written the plugin by now.

----- Original Message -----
From: Sven Hartge [mailto:sven at svenhartge.de]
Sent: Thursday, November 10, 2011 06:18 PM
To: freeradius-users at lists.freeradius.org <freeradius-users at lists.freeradius.org>
Subject: Re: LDAP/MSCHAP

"Sallee, Stephen (Jake)" <Jake.Sallee at umhb.edu> wrote:

> Please forgive the interjection, but does anyone know of a helper
> module like ntlm_auth that would work with LDAP, seems like such a
> tool would make questions like this a non-issue.

No, will not work. You can't transform the normally used hashes back
into a cleartext password. (This is kind of the whole point of a hash.)

As long as you don't have any means to provide FreeRADIUS with a cleartext
password or the NT/LM-Hash, you are doomed.

ntlm_auth just offloads the whole Challenge-Response exchange from the
RADIUS server to the ActiveDirectory (as far as I understand it) using
the ntlm_auth binary from Samba. Again: the AD will have to know the
cleartext password in some way (either encrypted or somehow
"pre-hashed") to make this work. (Don't know the specifics, I am a Unix
guy, the only Windows near me is on my gaming computer.)

Regards,
S°

-- 
Sigmentation fault. Core dumped.
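The point Sven makes above (an MS-CHAP check needs the NT hash or the cleartext, and a one-way LDAP hash such as {SSHA} cannot be turned into either) can be made concrete. The following is an added example, not code from this thread or from FreeRADIUS/Samba: it computes the NT hash the way MS-CHAP defines it (MD4 over the UTF-16LE password, with a small pure-Python MD4 since OpenSSL 3 builds often no longer expose it), verifies a PAP password against a {SSHA} userPassword, and shows which directory entries can supply an NT hash at all. The sample entries, the salt and the idea of reading the hash from a `sambaNTPassword` attribute are assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional

MASK = 0xFFFFFFFF


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Included only because hashlib.new('md4')
    is unavailable on many OpenSSL 3 systems."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    r3_order = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        # Each step updates one word; rotating the names reproduces the
        # (abcd)->(dabc)->(cdab)->(bcda) pattern of the specification.
        for i in range(16):
            a, b, c, d = d, _lrot((a + F(b, c, d) + X[i]) & MASK,
                                  (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, _lrot((a + G(b, c, d) + X[k] + 0x5A827999) & MASK,
                                  (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):
            k = r3_order[i]
            a, b, c, d = d, _lrot((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & MASK,
                                  (3, 9, 11, 15)[i % 4]), b, c
        h = [(v + w) & MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT hash as MS-CHAP uses it: unsalted MD4 over the UTF-16LE password.
    Because it is unsalted and the protocol is built on it, a server holding
    this value (or the cleartext) can complete the challenge/response."""
    return md4(password.encode("utf-16-le"))


def make_ssha(password: str, salt: bytes) -> str:
    """Build an LDAP {SSHA} userPassword value: base64(sha1(pw+salt) + salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_pap_ssha(password: str, stored: str) -> bool:
    """PAP works against {SSHA}: the server has the cleartext, re-hashes with
    the stored salt and compares. This is the only direction the hash allows."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    calc = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(calc, digest)


def nt_hash_for_mschap(entry: dict) -> Optional[bytes]:
    """What an MS-CHAP check can obtain from a directory entry (constructed
    schema assumption: 'sambaNTPassword' holds the NT hash as hex, and a
    'userPassword' without a {scheme} prefix is cleartext). A {SSHA} value
    yields None: it cannot be converted back to the password or the NT hash."""
    if "sambaNTPassword" in entry:
        return bytes.fromhex(entry["sambaNTPassword"])
    pw = entry.get("userPassword")
    if pw is not None and not pw.startswith("{"):
        return nt_hash(pw)
    return None


# Constructed sample entries (salt and password chosen for the example).
SALT = b"\x01\x02\x03\x04\x05\x06\x07\x08"
ENTRY_SSHA_ONLY = {"userPassword": make_ssha("password", SALT)}
ENTRY_WITH_NT = {"userPassword": make_ssha("password", SALT),
                 "sambaNTPassword": nt_hash("password").hex().upper()}
ENTRY_CLEARTEXT = {"userPassword": "password"}

if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print("PAP against {SSHA}:", verify_pap_ssha("password", ENTRY_SSHA_ONLY["userPassword"]))
    for name, e in (("SSHA only", ENTRY_SSHA_ONLY), ("with NT hash", ENTRY_WITH_NT),
                    ("cleartext", ENTRY_CLEARTEXT)):
        print(f"MS-CHAP usable from entry '{name}':", nt_hash_for_mschap(e) is not None)
```

Running it shows the asymmetry: the {SSHA}-only entry verifies a PAP login but offers nothing an MS-CHAP exchange can use, while an entry carrying the NT hash or the cleartext does. That is the same requirement that ntlm_auth satisfies by handing the exchange to a domain controller that already holds the NT hash.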










