LDAP Authentication via M$-CHAPv2 from PPPD
This page covers an old hack used to authenticate users via M$-CHAPv2 from PPPD (the Point to Point Tunnelling Protocol Daemon). I no longer develop or support this project, so do not e-mail me concerning the fact that it does not work.
This build of pppd 2.4.1 was meant to be used with the PoPToP PPTP VPN server and includes the MPPE and "Strip M$ Domain" patches. Simply install it and create a chap-secrets line like:
```
* * &uid?(morrisonvpnaccess=Y)(objectclass=posixAccount)?ou=People,o=Morrison\ Industries,c=US *
```
The secret field is split on "?": the first value is the key attribute used to look up the user's object, the second is any additional filter you wish to apply, and the third is the search base. So if "fred" attempts to establish a VPN connection, PPPD will attempt to read the `ntpassword` attribute from the first object matching `(&(uid=fred)(morrisonvpnaccess=Y)(objectclass=posixAccount))` beneath `ou=People,o=Morrison\ Industries,c=US`. The only hardcoded value is the name of the LDAP server, which is fixed to "ldap".
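As an added illustration (not code from the pppd patch on this page), the following Python turns the chap-secrets line above into the search base and filter that PPPD would issue, escaping the peer-supplied name per RFC 4515 so that a crafted username cannot alter the filter's structure. Two assumptions: the leading "&" on the key field is read as the operator that joins the key clause to the extra filter, and `shlex` stands in for pppd's backslash handling in secrets files, so `Morrison\ Industries` becomes `Morrison Industries` in the base DN.

```python
import re
import shlex

# RFC 4515 escapes for a value embedded in an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a peer-supplied value so it cannot change the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_secret_spec(spec: str) -> tuple[str, str, str, str]:
    """Split the "?"-delimited secret field into (operator, key attribute,
    extra filter, search base). The leading "&" on the key (as in "&uid") is
    read as the operator joining the key clause to the extra filter; this is
    inferred from the page's example (assumption)."""
    parts = spec.split("?")
    if len(parts) != 3:
        raise ValueError("expected key?filter?base, got %r" % spec)
    key, extra, base = parts
    m = re.fullmatch(r"([&|]?)([A-Za-z][A-Za-z0-9-]*)", key)
    if not m or not base:
        raise ValueError("bad key attribute or empty search base in %r" % spec)
    return m.group(1) or "&", m.group(2), extra, base


def build_search(secrets_line: str, username: str) -> tuple[str, str]:
    """Parse one chap-secrets line and return (search base, LDAP filter) for
    the peer named `username`. shlex approximates pppd's backslash handling
    in secrets files (assumption), so "Morrison\\ Industries" becomes
    "Morrison Industries"."""
    fields = shlex.split(secrets_line)
    if len(fields) < 3:
        raise ValueError("chap-secrets line needs client, server and secret")
    op, attr, extra, base = parse_secret_spec(fields[2])
    ldap_filter = "(%s(%s=%s)%s)" % (op, attr, escape_filter_value(username), extra)
    return base, ldap_filter


# Constructed sample: the chap-secrets line from this page.
SAMPLE_LINE = (
    "* * &uid?(morrisonvpnaccess=Y)(objectclass=posixAccount)"
    "?ou=People,o=Morrison\\ Industries,c=US *"
)

if __name__ == "__main__":
    print(build_search(SAMPLE_LINE, "fred"))
    # A peer name carrying filter metacharacters is neutralised by escaping.
    print(build_search(SAMPLE_LINE, "fred)(objectclass=*"))
```

The peer name arrives before authentication succeeds, so escaping it is what keeps the extra filter (here the `morrisonvpnaccess=Y` check) from being bypassed by a name like `fred)(objectclass=*`.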
I've gotten several e-mails about this one, as it seems to have resulted in some confusion. I am NOT running the LDAP server on NT; it is OpenLDAP on an RH box that is also a Samba PDC. The NT hashes of the passwords, as they are stored in /usr/local/samba/private/smbpasswd, are loaded into each user's LDAP object in the "ntpassword" attribute. I assume you can get the NT hashes from an NT PDC's SAM database as well, but I don't know how. The Samba web site has some Perl scripts that seem to claim to do this exact thing (pulling NT hashes from the SAM), but I have not used them as I don't have an NT PDC. Feel free to e-mail me with questions, just not about integration with a "real" NT domain, as I won't be able to help you.
NOTE: THIS DOES NOT WORK FOR RECENT VERSIONS OF PPPD OR ON RECENT DISTRIBUTIONS; IT JUST CAUSES A SIG 11 AND PPPD DIES! I DON'T KNOW WHY AND DON'T HAVE TIME TO LOOK INTO IT, BUT THE PRINCIPLE IS SOUND, SO ****YOU**** ARE FREE TO FIX IT OR REWRITE IT. PLEASE E-MAIL ME IF YOU DO GET SOMETHING WORKING. DO NOT NOT NOT E-MAIL ME ABOUT HOW TO MAKE IT WORK.
| Attachment | Size |
|---|---|
| ppp-2.4.1LDAP.tgz | 556.61 KB |
