ntlm and mysql
Phil Mayers
p.mayers at imperial.ac.uk
Fri May 11 13:43:32 CEST 2012
On 11/05/12 11:40, Paolo Barbato wrote:
> On a test deployment I've both mysql and ntlm (AD) configured.
By "ntlm" you mean the "mschap" module calling the "ntlm_auth" helper, yes?
>
> If I use EAP no problem to authenticate users on both backend.
>
> But…in the process to use a Cisco WLC captive portal I've verified that
> only sql works.
WLC captive portal sends "pap" requests. Therefore, the "mschap" module
doesn't (can't) process them.
You can create a simple "exec" module which calls "ntlm_auth" in
username/password mode, like so:
modules/papntdom:
exec papntdom {
    # The helper's exit status decides the result, so wait for it.
    wait = yes
    # The program line must be a single quoted string in the config file.
    # %{mschap:User-Name} strips a DOMAIN\ prefix if Stripped-User-Name is not set.
    program = "/usr/bin/ntlm_auth --username=%{%{Stripped-User-Name}:-%{mschap:User-Name}} --password=%{User-Password}"
}
You then need to arrange for the "papntdom" module to be called for
users who aren't found in SQL. For example:
sites-enabled/default:
authorize {
    ...
    sql
    if (notfound) {
        # if not found in SQL
        if (User-Password) {
            # and it's a PAP request
            update control {
                Auth-Type = PAPNTDOM
            }
        }
    }
    ...
}
authenticate {
    Auth-Type PAP {
        # handles users in SQL w/ Cleartext-Password
        pap
    }
    Auth-Type PAPNTDOM {
        # handles users in Active Directory
        papntdom
    }
}
Obviously you will need to modify this policy as appropriate, to meet
your needs and match the other modules you are using.
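The following is an added example, not part of Phil's message or of the FreeRADIUS project's shipped configuration. It writes out the same exec-based PAP path to ntlm_auth in the FreeRADIUS 3.x directory layout (mods-available/ and sites-available/) with the details a deployment usually trips over made explicit: the `--domain` option, `shell_escape`, and a guard so the helper is only run for PAP requests that SQL did not resolve. The module name papntdom, the domain MYDOMAIN, the helper path and the SQL-first ordering are assumptions for the example.

```unlang
# mods-available/papntdom  (added example; enable it with a symlink in mods-enabled/)
#
# One ntlm_auth process is spawned per PAP Access-Request that reaches this module.
# While it runs, the expanded command line, password included, is visible to any
# local user through ps(1). Treat the RADIUS host accordingly (no untrusted logins).
exec papntdom {
    # wait = yes is required: the accept/reject decision is the helper's exit
    # status (0 = credentials verified by winbind/AD, non-zero = reject).
    wait = yes

    # Escape the expanded attribute values so a username or password containing
    # quotes or whitespace cannot split or alter the argument list.
    shell_escape = yes

    # MYDOMAIN is a placeholder: the AD domain this host's winbind is joined to.
    # %{mschap:User-Name} strips a DOMAIN\ prefix when Stripped-User-Name is unset.
    program = "/usr/bin/ntlm_auth --domain=MYDOMAIN --username=%{%{Stripped-User-Name}:-%{mschap:User-Name}} --password=%{User-Password}"
}

# sites-available/default  (only the parts that change are shown)
authorize {
    # (the stock modules before sql, such as preprocess and suffix, stay as shipped)
    sql
    if (notfound) {
        # Not in SQL. Only a PAP request carries User-Password; EAP and MS-CHAP
        # requests have none and must not be handed to the helper.
        if (User-Password && !control:Auth-Type) {
            update control {
                Auth-Type := PAPNTDOM
            }
        }
    }
    # For users SQL did return with a Cleartext-Password, pap sets Auth-Type = PAP.
    # It leaves an Auth-Type that is already set (PAPNTDOM above) alone.
    pap
    # (the rest of the stock authorize section stays as shipped)
}

authenticate {
    Auth-Type PAP {
        # users found in SQL with a Cleartext-Password
        pap
    }
    Auth-Type PAPNTDOM {
        # users not in SQL: verified against Active Directory via ntlm_auth
        papntdom
    }
}
```

Before wiring this into the server, confirm the helper works on its own as the user FreeRADIUS runs as, e.g. `ntlm_auth --domain=MYDOMAIN --username=jdoe --password='...'` followed by `echo $?`; a non-zero exit there (winbind not joined, wrong domain, or missing permission on the winbindd privileged socket) will show up in FreeRADIUS only as a bare reject. A PAP request like the one the WLC sends can then be generated with `radtest jdoe 'password' 127.0.0.1 0 testing123` against a server started with `radiusd -X`, whose debug output shows which Auth-Type section handled the request.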
More information about the Freeradius-Users
mailing list