On 30.08.2008 at 09:13, Thomas von Eyben wrote:

On Fri, Aug 29, 2008 at 11:57 PM, Ivan Kalik <[EMAIL PROTECTED]> wrote:
modcall: entering group MS-CHAP for request 6
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for [EMAIL PROTECTED] with NT-Password
rlm_mschap: No NT-Password configured. Trying DirectoryService Authentication.

What is the password entry for this user in ldap? Is it encrypted?

Ivan Kalik
Kalik Informatika ISP

The passwords are stored in the "default OS X Server way" for a shared domain.
This is in what Apple calls Open Directory: meaning that the LDAP
stores a pointer (aka a password slot) which references the actual
password which is stored in a database separate from the LDAP.

Details can be found on page 41 in this document:
http://images.apple.com/server/macosx/docs/Open_Directory_Admin_v10.5.pdf

This mechanism is what is working "out of the box".
Earlier on I made a test environment where this worked - the
difference being the test environment was a server and an access point
communicating directly. Now - the real scenario - the server is
working in what I think is called proxy mode, the authentication
requests do not originate directly from the access point, but are
"relayed" (my best description) via the Eduroam DK top level servers.

NB.: I suspect that the LDAP is not even queried, I am not yet able to
find any clues in the logfiles indicating anything else :(

All this does not seem to indicate that either an NT password (an MD4 hash of the UTF-16LE encoding of the password) or a cleartext version of the password (so that the NT password can be calculated) is available for processing MSCHAP.

Page 41 would imply (at least for me) that MD5 hashes are available, which cannot be used for MSCHAP, as a hash cannot be "un-encrypted".


- TvE
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Have a nice day!

Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Register court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841



