>Dear Alan DeKok,
>For example you may want to allow your users to use PAP, CHAP and
>MS-CHAP. In this case you will store cleartext password. Somehow during
>authorization it should be decided either to use local, chap or ms-chap
>authentication. In case of ms_chap cleartext password should be changed
>to NT-Password or LM-Password and if we have LM-Password or NT-Password
>we can use MS-CHAP as an Auth-Type. This is exactly what rlm_mschap does
>for authorize().
OK,
Then at least I figured out what mschap is doing in the authorization
section.
And that it shouldn't be there, because otherwise it will take my crypt
userPassword and hash it as if it were a cleartext password.
This of course doesn't make much sense, and will always result in rejecting
the user. I checked with a cleartext password in my userPassword attribute and
it works fine.
Of course, I don't want cleartext passwords!
So I took mschap out of the authorization section.
And now it tells me there would be no LM/NT password configured, even
though two rows above in the debug it says adding NT-Password = ntPassword.
:-(
NT-Password is mapped to 1057 in the dictionary file, and in the sources
(include/radius.h) PW_NT_PASSWORD is defined --> 1057
In rlm_mschap.c it checks for PW_NT_PASSWORD.
At least that is what it looks like to me, who doesn't have a bit of
programming experience.
Still, somewhere the NT-Password value seems to get lost!
Or is it of the wrong type??
I use the samba.schema from the samba 2.3a.
============================================
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding ntPassword as NT-Password, value 57D583AA46D571502AAD4BB7AEA09C70 & op=11
rlm_ldap: Adding lmPassword as LM-Password, value 22124EA690B83BFBAAD3B435B51404EE & op=11
rlm_ldap: user user authorized to use remote access
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok
users: Matched DEFAULT at 178
modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type MS-Chap
auth: type "MS-CHAP"
modcall: entering group authenticate
rlm_mschap: No LM/NT password configured. Check authorization.
modcall[authenticate]: module "mschap" returns invalid
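An added example, not part of the original message or of FreeRADIUS: a small checker that reads debug output of the shape quoted above and reports which item list each password attribute was added under when rlm_mschap then reports no LM/NT password. It assumes rlm_mschap looks for NT-Password/LM-Password only among check items, which the message does not state; the sample log is constructed and the function name `diagnose` is hypothetical.

```python
import re

# Constructed sample in the shape of the debug output quoted above
# (attribute values replaced with placeholders).
SAMPLE_LOG = """\
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding ntPassword as NT-Password, value <placeholder> & op=11
rlm_ldap: Adding lmPassword as LM-Password, value <placeholder> & op=11
modcall[authorize]: module "ldap" returns ok
rad_check_password: Found Auth-Type MS-Chap
rlm_mschap: No LM/NT password configured. Check authorization.
modcall[authenticate]: module "mschap" returns invalid
"""

PHASE_RE = re.compile(r"rlm_ldap: looking for (\w+) items in directory")
ADD_RE = re.compile(r"rlm_ldap: Adding (\S+) as (\S+), value")
PASSWORD_ATTRS = {"NT-Password", "LM-Password"}


def diagnose(log_text):
    """Return (placements, findings) for one request's debug output.

    placements maps each RADIUS attribute rlm_ldap added to the item list
    ("check", "reply" or "unknown") named by the preceding phase line.
    """
    phase = "unknown"
    placements = {}
    mschap_missing = False
    for line in log_text.splitlines():
        m = PHASE_RE.search(line)
        if m:
            phase = m.group(1)
            continue
        m = ADD_RE.search(line)
        if m:
            placements[m.group(2)] = phase
        elif "rlm_mschap: No LM/NT password configured" in line:
            mschap_missing = True
    findings = []
    if mschap_missing:
        seen = PASSWORD_ATTRS & set(placements)
        # Assumption: rlm_mschap only consults check items for these attributes.
        for attr in sorted(seen):
            if placements[attr] != "check":
                findings.append(f"{attr} was added under '{placements[attr]}' items")
        if not seen:
            findings.append("rlm_ldap added no NT-Password or LM-Password")
    return placements, findings
```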