Jon P. Giza wrote:
> I doubt it will be possible to remove that.  Is it possible to authenticate

You can't unfortunately use attr_rewrite or the "users" file to manipulate "config" AVPs. You may be able to use the exec module to do so:

modules {
  exec stripnonhex {
    wait = yes
    input_pairs = config
    output_pairs = config
    program = "/path/to/stripnonhex.sh"
  }
}

...with "stripnonhex.sh" being pretty simple:

#!/bin/sh
# rlm_exec exports each input pair as an environment variable,
# so the NT-Password config item arrives here as NT_PASSWORD.
newnt=$(printf '%s\n' "$NT_PASSWORD" | perl -pe 's/[^[:xdigit:]]//g')
echo "NT-Password := $newnt"

...now I'm not certain that the exec module parses the output in exactly that way, namely whether the NT-Password that the exec module emits will overwrite the existing one in "config" items, or whether the ":=" does nothing in this context, so test it first. If it doesn't work you may have to map the ldap to Bad-NT-Password or something and change the script to read BAD_NT_PASSWORD.

Failing that, you could patch rlm_mschap - in my 1.0.5 source tree, the relevant lines are ~1056, where you'd need to loosen the 32 character check:

   1054         if (nt_password) {
   1055                 if ((nt_password->length == 16) ||
   1056                     ((nt_password->length == 32) &&

change to:

   1054         if (nt_password) {
   1055                 if ((nt_password->length == 16) ||
   1056                     ((nt_password->length >= 32) &&

...and the hex2bin function further up to ignore rather than exit on non-hex characters:

73         int i;
74
75         for (i = 0; i < len; i++) {
76                 if( !(SOMESTUFF) ||
77                     !(SOMESTUFF))
78                      break;
79                  szBin[i] = ((c1-letters)<<4) + (c2-letters);

...change that to:

73         int i,j;
74
75         for (i = 0, j = 0; i < len; i++) {
76                 if( !(SOMESTUFF) ||
77                     !(SOMESTUFF))
78                      continue;
79                  szBin[j++] = ((c1-letters)<<4) + (c2-letters);

As always, no warranty; it might eat your cat, etc.

> to this ldap database in another way?  I thought I had read of a way to bind
> to the ldap server as the user we are trying to authenticate, but I can not
> find any good info on this.

You can do that, but since an ldap simple bind requires the plaintext password it only works with PAP requests, not MS-CHAP.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
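As an added example, not code from this thread or from the FreeRADIUS source, here is a stand-alone C decoder that tolerates non-hex characters anywhere in an NT-Password string, together with the acceptance check rlm_mschap applies (a raw 16-byte hash, or hex that decodes to exactly 16 bytes). The names hexval, hex2bin_lenient and nt_password_to_hash are mine. Unlike a pair-at-a-time loop, it walks the string one character at a time, so separators or whitespace interleaved between digits are dropped without desynchronising the digit pairs, and anything that does not yield exactly 16 bytes (an odd digit count, trailing junk, too few digits) is rejected rather than silently padded or truncated. That final length check is the one to keep whether the cleanup happens in the exec script or inside the module.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define NT_HASH_LEN 16

/* Value of one ASCII hex digit, or -1 if the character is not a hex digit. */
static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9')
        return c - '0';
    c = (unsigned char)tolower(c);
    if (c >= 'a' && c <= 'f')
        return c - 'a' + 10;
    return -1;
}

/* Decode hex digits from `hex` (length `hexlen`, need not be NUL-terminated)
 * into `bin` (capacity `binlen`), ignoring every non-hex character.
 * Returns the number of bytes written, or -1 if the digit count is odd or
 * the output buffer would overflow. (Hypothetical helper, not rlm_mschap's.) */
int hex2bin_lenient(const char *hex, size_t hexlen,
                    unsigned char *bin, size_t binlen)
{
    size_t out = 0;
    int have_high = 0;   /* a high nibble is waiting for its partner */
    int high = 0;

    for (size_t i = 0; i < hexlen; i++) {
        int v = hexval((unsigned char)hex[i]);
        if (v < 0)
            continue;    /* skip ':', ' ', '-' or any other junk */
        if (!have_high) {
            high = v;
            have_high = 1;
            continue;
        }
        if (out >= binlen)
            return -1;   /* more digits than the buffer can hold */
        bin[out++] = (unsigned char)((high << 4) | v);
        have_high = 0;
    }
    if (have_high)
        return -1;       /* dangling single nibble: malformed input */
    return (int)out;
}

/* Acceptance check modelled on rlm_mschap: a raw 16-byte hash is taken
 * as-is; anything else must decode to exactly 16 bytes once junk is dropped.
 * Returns 1 and fills `hash` on success, 0 otherwise. */
int nt_password_to_hash(const unsigned char *value, size_t len,
                        unsigned char hash[NT_HASH_LEN])
{
    if (len == NT_HASH_LEN) {
        memcpy(hash, value, NT_HASH_LEN);
        return 1;
    }
    int n = hex2bin_lenient((const char *)value, len, hash, NT_HASH_LEN);
    return n == NT_HASH_LEN;
}
```

Because the decoder refuses to write past `binlen`, a value with more than 32 hex digits fails the check instead of being truncated to its first 16 bytes; a directory entry that accidentally concatenates two hashes is therefore rejected rather than matched against half of it.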
