Hi, I am trying to get MS-CHAP working with LDAP, and yes, I read the whole
mailing list up and down. But I couldn't find a proper answer for this
problem. Actually I find the postings give different suggestions, and it
seems like nobody really knows how to configure this and is just giving good
guesses. Prove me wrong please!

I posted some info below.
 

----------------------------------------------
If I uncomment "etc/smbpasswd" (in the module section for mschap in the
radius.conf) and use the Samba passwords (that happen to be on the machine also), it
works just fine.
But with the attempt to retrieve the (NT/LM) passwords with LDAP it rejects
without an error message??
Just saying "modcall[authenticate]: module "mschap" returns reject"
 

================= debug ======================

rad_recv: Access-Request packet from host 192.168.168.111:1024, id=14, length=108
Thread 1 assigned request 0
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/1/4
Nothing to do.  Sleeping until we see a request.
Thread 1 handling request 0, (1 handled so far)
        User-Name = "user"
        MS-CHAP-Challenge = 0xaeeb7b7ea94305a4a20b12c12858587e
        MS-CHAP2-Response = 0x010051fba451d02d5b08c1ae0c07740de2040000000000000000829b7aa6fd5a35e9f0d2a076ce705faa1b4768cd941b1dab
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user
radius_xlat:  '(uid=user)'
radius_xlat:  'dc=uni-lueneburg,dc=de'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 192.168.168.45:389, authentication 0
rlm_ldap: bind as cn=admin,dc=uni-lueneburg,dc=de/12345678
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in dc=uni-lueneburg,dc=de, with filter (uid=user)
rlm_ldap: Added password 57D583AA46D571502AAD4BB7AEA09C70 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusdarfdas as darfdas, value 1 & op=11
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding acctFlags as SMB-Account-CTRL-TEXT, value [UX & op=11
rlm_ldap: Adding ntPassword as NT-Password, value 57D583AA46D571502AAD4BB7AEA09C70 & op=11
rlm_ldap: Adding lmPassword as LM-Password, value 22124EA690B83BFBAAD3B435B51404EE & op=11
rlm_ldap: user user authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok
    users: Matched DEFAULT at 178
  modcall[authorize]: module "files" returns ok
  modcall[authorize]: module "mschap" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
modcall: entering group authenticate
  modcall[authenticate]: module "mschap" returns reject
modcall: group authenticate returns reject
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
Thread 1 waiting to be assigned a request

===============radius.conf=======================

authorize {
        ldap
        files
        mschap
}

authenticate {
        mschap
}

=================users=========================

DEFAULT Auth-Type := MS-Chap
DEFAULT  Fall-Through = no


================ldap config====================

ldap {
  server = "192.168.168.45"
  identity = "cn=admin,dc=donknow,dc=de"
  password = secret
  basedn = "dc=uni-lueneburg,dc=de"
  #authtype = "MS-CHAP"
  filter = "(uid=%u)"
  start_tls = no
  # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
  # profile_attribute = "radiusProfileDn"
  #access_group = "cn=clients,ou=dialup,o=My Org,c=UA"
  #access_attr = "displayName"
  #access_group = "dc=donknow,dc=de"
  dictionary_mapping = ${raddbdir}/ldap.attrmap
  # ldap_cache_timeout = 120
  # ldap_cache_size = 0
  ldap_connections_number = 5
  # password_header = "{clear}"
  password_attribute = userPassword   # I also tried ntPassword
  # groupname_attribute = cn
  # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
  timeout = 4
  timelimit = 3
  net_timeout = 1
}