Normal Ldap Authentication - D-Link NetDefendOS User Manual

The processing is different if a group membership is being retrieved since a request is sent to the
LDAP server to search for memberships and any group memberships are then sent back in the
response.
B. PPP Authentication with CHAP, MS-CHAPv1 or MS-CHAPv2 Encryption
If PPP with CHAP, MS-CHAPv1 or MS-CHAPv2 is used for authentication, a digest of the user's
password will be sent to NetDefendOS by the client. NetDefendOS cannot just forward this
digest to the LDAP server since this will not be understood. The solution is for NetDefendOS to
obtain the password in plain-text from the LDAP server, create a digest itself, and then compare
the created digest with the digest from the client. If the two are the same, authentication is
successful but it is NetDefendOS that makes the authentication decision and not the LDAP
server.
To retrieve the password from the LDAP server, two things are needed:
• The Password Attribute parameter needs to be specified when defining the server to
NetDefendOS. This will be the ID of the field on the LDAP server that will contain the
password when it is sent back.
This ID must be different from the default password attribute (which is usually userPassword
for most LDAP servers). A suggestion is to use the description field in the LDAP database.
• In order for the server to return the password in the database field with the ID specified, the
LDAP administrator must make sure that the plain text password is found there. LDAP servers
store passwords in encrypted digest form and do not provide automatic mechanisms for
doing this. It must therefore be done manually by the administrator as they add new users
and change existing users passwords.
This clearly involves some effort from the administrator, as well as leaving passwords
dangerously exposed in plain text form on the LDAP server. These are some of the reasons
why LDAP may not be viewed as a viable authentication solution for CHAP, MS-CHAPv1 or
MS-CHAPv2 encrypted PPP.
When NetDefendOS receives the password digest from the client, it initiates a Search Request to
the LDAP server. The server replies with a Search Response which will contains the user's
password and any group memberships. NetDefendOS is then able to compare digests. The
diagram below illustrates this process.
Figure 8.1. Normal LDAP Authentication
623
Chapter 8: User Authentication