Ivan Kalik wrote:
You can't get cleartext password from AD, but you can extract encrypted (nt hashed) password as NT-Password with ldap. You will be able to authenticate pap and mschap requests with that.
I was lurking in the attribute list of the AD: http://msdn.microsoft.com/en-us/library/ms675480(VS.85).aspx
There's a particular attribute that may do the trick: "DBCS-Pwd Attribute". It is said to be the account's LAN manager password.
Since rlm_mschap should be able to authenticate using one of clear-text pwd, LAN mgr pwd and NT pwd, this should be enough.
Via ldap.attrmap it should be possible to map that attribute to the radius attribute LM-Password.
What do you think?

