LDAP/MSCHAP

Fajar A. Nugraha list at fajar.net
Fri Nov 11 03:56:17 CET 2011


On Fri, Nov 11, 2011 at 8:29 AM, Gary Gatten <Ggatten at waddell.com> wrote:
> I agree with Jake, in that I *think* it would be possible to have a plugin or whatever interface with LDAP/AD in the same manner ntlm_auth does.  I don't think one *needs* a cleartext password, but does need some way to compare apples-to-apples.

That's exactly what Alan is saying:
"
store your passwords in the LDAP as NT-Password or LM-Password
"

... although in my experiments NT-Password alone is enough, but
LM-Password alone is useless.

How can you create NT-Password? One way to do that is by hijacking the
process where the user enters the password as plaintext (e.g. from the
password prompt when the user changes their password) and using smbencrypt
(part of freeradius).

Where do you store NT-Password in LDAP? In ntPassword or
sambaNtPassword LDAP attribute (or any other attribute of your choice,
as long as you remember to update raddb/ldap.attrmap as well)

If you have NT-Password, then you don't need user's cleartext password
anymore, and you don't even need any helper tool.

-- 
Fajar
