Hello,

FreeRADIUS has two mechanisms: authorization and authentication.

Let me explain how these mechanisms SHOULD work together in a few examples.

If you store passwords in LDAP, you should retrieve these passwords during
AUTHORIZATION and add them to the configuration items. That is, the LDAP
module SHOULD have an authorize() function. If LDAP stores cleartext
passwords, authorize() should add PW_PASSWORD to request->config_items and
use the native 'Local' authentication. If you have NTLM-encoded passwords in
LDAP (as in the case of Microsoft), you should add
PW_LM_PASSWORD/PW_NT_PASSWORD and use 'mschap' authentication (mschap
already supports these attributes in the current EXP CVS branch).

That is:

authorize {
 ldap             -> retrieves PW_LM_PASSWORD/PW_NT_PASSWORD and sets
                     Auth-Type to MS-CHAP
}

authenticate {
 mschap           -> authenticates user with PW_LM_PASSWORD/PW_NT_PASSWORD
}

This authentication will support PAP, MS-CHAP and MS-CHAPv2 (but not CHAP,
because we do not have the cleartext password).

If you store cleartext passwords in LDAP, you will be able to use PAP, CHAP,
MS-CHAP and MS-CHAPv2 by doing:

authorize {
 ldap             -> retrieves PW_PASSWORD and sets Auth-Type to Local
 mschap           -> builds PW_LM_PASSWORD/PW_NT_PASSWORD from PW_PASSWORD
                     and resets Auth-Type to MS-CHAP if the NAS requests
                     MS-CHAP or MS-CHAPv2
}

authenticate {
 local            -> authenticates the user with PW_PASSWORD in case of
                     PAP or CHAP
 mschap           -> authenticates the user with PW_LM_PASSWORD/PW_NT_PASSWORD
                     in case of MS-CHAP or MS-CHAPv2
}



If you use LDAP to authenticate the user (that is, to connect to the LDAP dn
with the credentials given by the NAS), like:

TZ> 1. Look up the complete dn of the given uid
TZ> 2. Try an ldap-connect using the dn and the password given.

Only in this case should you use LDAP for authentication and have an
authenticate() function. In this case there is no way to support other
authentication schemes, like CHAP or MS-CHAP, because you have no way to
store the cleartext (or NT/LM-encoded, crypt'ed, etc.) password. You will
only be able to do cleartext (PAP) authentication.

In both cases I see no reason for any password prefixes.

P.S. For now it looks like only rlm_mschap supports this
authorize/authenticate philosophy, but I believe other modules (like
rlm_unix) will be patched to do both authorization (to create a
Crypt-Password attribute from a cleartext password or from the passwd file)
and authentication (to authenticate via the crypt'ed password retrieved from
another module during authorization).




-- 
~/ZARAZA
The machine turned out to be capable of only one operation, namely
multiplying 2x2, and even that with errors. (Lem)


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
