MSCHAPV2 + OpenLDAP
Martin Pauly
pauly at hrz.uni-marburg.de
Mon Aug 10 19:10:40 CEST 2020
On 03.08.20 at 20:04, Клеусов Владимир Сергеевич via Freeradius-Users wrote:
> cleartext is not suitable.
sure, and not needed either.
> Is there an instruction for enabling nthash in openldap ?
In principle, yes -- but be careful. The ancient NTLM Hash is pretty close to cleartext in 2020,
so make sure nobody steals the hash.
1. Create an attribute containing the NTLMHash in your OpenLDAP schema, named e.g. MyNTPassword
2. Store your NT-hashed passwords there
3. In mods-available/ldap, there's already a well-prepared config line for you in the update{} section
starting with control:NT-Password. On the right-hand side of this assignment, adjust the LDAP
attribute name e.g. to MyNTPassword and uncomment the line
The result looks similar to:
ldap {
    [...]
    update {
        control:NT-Password := 'MyNTPassword'
        [...]
    }
    [...]
}
FR will pull the NTLM Hash from LDAP and perform the server side of the MS-CHAP authentication itself,
no Windows server needed.
HTH, Martin
--
Dr. Martin Pauly Phone: +49-6421-28-23527
HRZ Univ. Marburg Fax: +49-6421-28-26994
Hans-Meerwein-Str. E-Mail: pauly at HRZ.Uni-Marburg.DE
D-35032 Marburg