Hi,

I have a few remote users who use a PPTP based VPN. The server is running PoPToP (http://www.poptop.org/), and a pppd patched to support MPPE/MPPC for (some) added security. Currently, users' authentication information is stored in plaintext in /etc/ppp/chap-secrets. I'd like to be able to put users into LDAP, and have ppp authenticate either directly against LDAP, or against Samba (with an LDAP backend). Any ideas on how I might go about this? Most of the docs I've seen suggest that you can't use PAM for authentication with CHAP, so it seems not to be as simple as I might have hoped.

Disclaimer - I haven't actually tried any of this yet, I'm just trying to get it clear in my head before I start...

Mike.
smurfie@egocentrique.com
2004-Oct-19 17:26 UTC
[Samba] Re: Authenticating PPTP users against Samba/LDAP
Maybe you should try with a RADIUS server, connected to your LDAP server.

But even with RADIUS, no CHAP against encrypted Samba passwords in the LDAP backend... I've spent a few weeks trying to get it to work for wifi/802.1x/TTLS. The only way I found was to have passwords stored as cleartext in the LDAP, which I didn't want. Maybe there was another solution, I just couldn't spend so much time on it.

BTW I'm very interested if you can get any solution to work, even if it's VPN related, because I'll also have to do it in the next few months =)

Arnauld

Mike Brodbelt writes:
> Hi,
>
> I have a few remote users who use a PPTP based VPN. The server is running
> PoPToP (http://www.poptop.org/), and a pppd patched to support MPPE/MPPC
> for (some) added security. Currently, users' authentication information
> is stored in plaintext in /etc/ppp/chap-secrets. I'd like to be able to
> put users into LDAP, and have ppp authenticate either directly against
> LDAP, or against Samba (with an LDAP backend). Any ideas on how I might
> go about this? Most of the docs I've seen suggest that you can't use PAM
> for authentication with CHAP, so it seems not to be as simple as I might
> have hoped.
>
> Disclaimer - I haven't actually tried any of this yet, I'm just trying
> to get it clear in my head before I start...
>
> Mike.
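Added example (not part of any poster's message, and not code from pppd, PoPToP or Samba): a Python sketch of standard CHAP-MD5 as defined in RFC 1994, showing why the server needs a recoverable secret such as the one in /etc/ppp/chap-secrets, while a one-way salted hash in a directory can only check a password that is actually sent. It models CHAP-MD5 only, not MS-CHAP; the password, challenge, salt and function names are constructed for the illustration.

```python
import hashlib
import hmac


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP-MD5 response: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def ssha(password: bytes, salt: bytes) -> bytes:
    """LDAP {SSHA}-style value before base64: SHA1(password || salt) || salt."""
    return hashlib.sha1(password + salt).digest() + salt


def check_sent_password(stored_ssha: bytes, sent_password: bytes) -> bool:
    """PAP/PAM-style check: the client sends the password, the server re-hashes it."""
    digest, salt = stored_ssha[:20], stored_ssha[20:]
    return hmac.compare_digest(hashlib.sha1(sent_password + salt).digest(), digest)


def check_chap(server_secret: bytes, identifier: int, challenge: bytes,
               response: bytes) -> bool:
    """CHAP check: the server recomputes the response from its own copy of the secret."""
    expected = chap_response(identifier, server_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    # All values below are constructed for this example.
    password = b"constructed-example-password"
    identifier, challenge = 0x2A, bytes(range(16))
    stored_hash = ssha(password, b"\x01\x02\x03\x04")
    # The peer knows the password and answers the challenge; the password is never sent.
    response = chap_response(identifier, password, challenge)
    return {
        # Server holds the cleartext secret (chap-secrets style): verification works.
        "chap_with_cleartext_secret": check_chap(password, identifier, challenge, response),
        "chap_with_wrong_secret": check_chap(b"wrong", identifier, challenge, response),
        # Server holds only a salted hash: fine when the password itself is presented...
        "password_check_with_hash_only": check_sent_password(stored_hash, password),
        # ...but the hash is not the secret the peer used, so CHAP cannot be verified.
        "chap_with_hash_only": check_chap(stored_hash, identifier, challenge, response),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```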
Andrew Bartlett
2004-Oct-20 02:51 UTC
[Samba] Authenticating PPTP users against Samba/LDAP
On Wed, 2004-10-20 at 00:44, Mike Brodbelt wrote:
> Hi,
>
> I have a few remote users who use a PPTP based VPN. The server is running
> PoPToP (http://www.poptop.org/), and a pppd patched to support MPPE/MPPC
> for (some) added security. Currently, users' authentication information
> is stored in plaintext in /etc/ppp/chap-secrets. I'd like to be able to
> put users into LDAP, and have ppp authenticate either directly against
> LDAP, or against Samba (with an LDAP backend). Any ideas on how I might
> go about this? Most of the docs I've seen suggest that you can't use PAM
> for authentication with CHAP, so it seems not to be as simple as I might
> have hoped.
>
> Disclaimer - I haven't actually tried any of this yet, I'm just trying
> to get it clear in my head before I start...

The pppd patch (one for 2.4.2, one for current CVS) is here:
http://download.samba.org/ftp/unpacked/lorikeet/trunk/pppd

The documentation is:
http://hawkerc.net/staff/abartlet/comp3700/final-report.pdf

Note that the patch has changed a little since the report was written; use the instructions in the README for configuration.

Andrew Bartlett

--
Andrew Bartlett                                abartlet@samba.org
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  abartlet@hawkerc.net
Ilia Chipitsine
2004-Oct-20 03:57 UTC
[Samba] Authenticating PPTP users against Samba/LDAP
I'm already running such a configuration:

freeradius + mpd (VPN server on FreeBSD) + samba

The keyword here is RADIUS server. freeradius is a good one.

If you are running FreeBSD, I can help you with mpd configuration.

Cheers,
Ilia Chipitsine

> Hi,
>
> I have a few remote users who use a PPTP based VPN. The server is running
> PoPToP (http://www.poptop.org/), and a pppd patched to support MPPE/MPPC
> for (some) added security. Currently, users' authentication information
> is stored in plaintext in /etc/ppp/chap-secrets. I'd like to be able to
> put users into LDAP, and have ppp authenticate either directly against
> LDAP, or against Samba (with an LDAP backend). Any ideas on how I might
> go about this? Most of the docs I've seen suggest that you can't use PAM
> for authentication with CHAP, so it seems not to be as simple as I might
> have hoped.
>
> Disclaimer - I haven't actually tried any of this yet, I'm just trying
> to get it clear in my head before I start...
>
> Mike.
Mike Brodbelt wrote:
> Hi,
>
> I have a few remote users who use a PPTP based VPN. The server is running
> PoPToP (http://www.poptop.org/), and a pppd patched to support MPPE/MPPC
> for (some) added security. Currently, users' authentication information
> is stored in plaintext in /etc/ppp/chap-secrets. I'd like to be able to
> put users into LDAP, and have ppp authenticate either directly against
> LDAP, or against Samba (with an LDAP backend). Any ideas on how I might
> go about this? Most of the docs I've seen suggest that you can't use PAM
> for authentication with CHAP, so it seems not to be as simple as I might
> have hoped.
>
> Disclaimer - I haven't actually tried any of this yet, I'm just trying
> to get it clear in my head before I start...
>
> Mike.

Hi Mike,

there is an LDAP patch for poptop (try Google) as well as a patch for winbind:
http://download.samba.org/ftp/unpacked/lorikeet/trunk/pppd/

I didn't try it, but it should work with LDAP.

Regards