Dear 3APA3A,

3APA3A> No, you failed in something else. There is no way to retrieve
3APA3A> LM-Password or NT-Password from Windows 2000 Active Directory via LDAP.

There is!
As I found out, you can create the attribute "userPassword" in W2k-AD
and set it to an NT-Password hash as it comes from smbencrypt or
pwdump.
I guess that this attribute is already defined in the AD schema,
because I could easily create it as Administrator (using the tool
"ldapbrowser"). In contrast, I couldn't create any other attribute,
such as "myAttrib". Additionally, the type of "userPassword" was
automatically set to "BINARY", regardless of whether the type had
originally been set to "String" during the creation of the attribute.

Next, I mapped this attribute to "NT-Password" in the ldap.attrmap file
(as check- and reply-item) and placed "mschap" after "ldap" in the
authorize{} section of radiusd.conf. Using/setting Auth-Type to
MS-CHAP now results in a successful authorization and authentication.
Unfortunately only with MS-CHAP, not with MS-CHAPv2.
But this is a different problem, which I'll describe in another mail.

3APA3A> You can set an alternate LDAP server, retrieve passwords from the Windows 2000
3APA3A> Domain Controller (for example via pwdump2/pwdump3) and put these
3APA3A> passwords into your LDAP.

I think in this case it's better to place the hashes in the AD
instead of using another LDAP server. Automating the necessary steps
should be manageable (I hope).


Mdd> (Believe me, I read the doc files more than once).
Mdd> Do you know whether there is a possibility to retrieve the W2k passwords
Mdd> via LDAP at all?
Mdd> Or is that another case of an MS-special solution?

3APA3A> As you were told already (but probably didn't read this answer) you can

Right. I don't know which answer you mean.

3APA3A> use MS IAS (Microsoft implementation of RADIUS) and use FreeRADIUS as
3APA3A> proxy to IAS.

I still hope to get around that.

Regards,

Martin


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html