Maurizio Cimaschi wrote:
> Ivan Kalik wrote:
>> You can't get cleartext password from AD, but you can extract encrypted
>> (nt hashed) password as NT-Password with ldap. You will be able to
>> authenticate pap and mschap requests with that.
>
> I was lurking in the attribute list of the AD:
> http://msdn.microsoft.com/en-us/library/ms675480(VS.85).aspx
>
> There's a particular attribute that may do the trick: "DBCS-Pwd
> Attribute". It is said to be the account's LAN manager password.

Cute... but not good enough for doing MS-CHAP.

MS-CHAP has fields for LAN manager passwords... which are usually blank. The passwords are pretty much always NT-hashed passwords.

> Since rlm_mschap should be able to authenticate using one of clear-text
> pwd, LAN mgr pwd and NT pwd this should be enough.

The *client* has to supply the MS-CHAP magic using the LAN-manager password. Since the client always chooses NT-hashed passwords... using LAN manager passwords is not possible.

> Via ldap.attrmap should be possible to map that attribute to the radius
> attribute LM-Password.

Yup.

> What do you think?

Nice, if the clients did LM passwords. Which they don't, unfortunately.

Still, it's worth adding to the default ldap.attrmap.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
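An added worked example for the point made in this thread (not code from the list or from FreeRADIUS): the server side of MS-CHAPv2 computed from nothing but the 16-byte NT hash that an LDAP lookup would deliver as NT-Password. It reproduces the RFC 2759 section 9.2 test vectors: the NT hash itself, the MD4-of-MD4 "PasswordHashHash", the 8-byte challenge hash, and the "S=..." authenticator response the server must return on success. The DES-based NT-Response comparison is omitted because the Python standard library has no DES; the function names and the `required_check_item` helper (which reads the MS-CHAPv1 Flags byte) are my own, and MD4 is implemented inline because many OpenSSL builds ship without it.

```python
"""MS-CHAPv2 server-side derivations that need only the stored NT hash.

Added example, not FreeRADIUS code.  Values marked RFC 2759 are the
section 9.2 test vectors; everything else is assumed/illustrative.
"""
import hashlib
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    x &= MASK
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib.new('md4') is often unavailable)."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    hh = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, [3, 7, 11, 19], list(range(16))),
        (g, 0x5A827999, [3, 5, 9, 13], [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (hh, 0x6ED9EBA1, [3, 9, 11, 15], [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for func, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = _rotl(a + func(b, c, d) + x[idx] + k, shifts[i % 4])
                a, b, c, d = d, a, b, c
        h = [(v + w) & MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_password_hash(password: str) -> bytes:
    """NtPasswordHash: MD4 over the UTF-16LE password.  This 16-byte value is
    what ends up in the NT-Password check item; no cleartext is needed after this."""
    return md4(password.encode("utf-16-le"))


def hash_nt_password_hash(nt_hash: bytes) -> bytes:
    """HashNtPasswordHash: MD4 of the NT hash, used for the success authenticator."""
    return md4(nt_hash)


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """ChallengeHash: first 8 bytes of SHA-1(PeerChallenge || AuthChallenge || UserName)."""
    return hashlib.sha1(peer_challenge + auth_challenge + username.encode("ascii")).digest()[:8]


def authenticator_response(nt_hash: bytes, nt_response: bytes, peer_challenge: bytes,
                           auth_challenge: bytes, username: str) -> str:
    """GenerateAuthenticatorResponse (RFC 2759 8.7), starting from the stored NT hash
    instead of the password.  Inputs besides the hash all come from the request."""
    magic1 = b"Magic server to client signing constant"
    magic2 = b"Pad to make it do more than one iteration"
    digest = hashlib.sha1(hash_nt_password_hash(nt_hash) + nt_response + magic1).digest()
    digest = hashlib.sha1(digest + challenge_hash(peer_challenge, auth_challenge, username) + magic2).digest()
    return "S=" + digest.hex().upper()


def required_check_item(flags: int) -> str:
    """Which stored attribute a response needs.  RFC 2433 (MS-CHAPv1) Flags byte:
    1 = NT-Response in use (what clients send), 0 = LM-Response only.
    MS-CHAPv2 dropped the LM response entirely, so it always needs NT-Password."""
    return "NT-Password" if flags & 1 else "LM-Password"


# RFC 2759 section 9.2 test vectors
USERNAME = "User"
PASSWORD = "clientPass"
AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
NT_RESPONSE = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")

if __name__ == "__main__":
    nt = nt_password_hash(PASSWORD)
    print("NT-Password value:", nt.hex())
    print("Success authenticator:",
          authenticator_response(nt, NT_RESPONSE, PEER_CHALLENGE, AUTH_CHALLENGE, USERNAME))
    print("Flags=1 response needs:", required_check_item(1))
```

The success authenticator is the part of the exchange the client checks before trusting the server, and it is derived here entirely from the stored NT hash plus packet fields; the missing piece, comparing the client's NT-Response against DES(challenge) under the NT hash, likewise takes only the hash as its secret input, which is why a hash-only NT-Password entry is enough for rlm_mschap while an LM-only entry is useless for clients that never set the LM flag.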

