PAP against winbind
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Wed Jun 1 01:25:25 CEST 2016
> On 31 May 2016, at 18:02, Matthew Newton <mcn4 at leicester.ac.uk> wrote:
>
> Hi,
>
> Have done a bit of work on rlm_pap and added the ability to pass
> the username/password through to AD via winbind, complementing the
> code in rlm_mschap and replacing the need for mods-available/ntlm_auth.
>
> This should mostly help people permitting EAP-TTLS/PAP as one of
> their available methods, as another call out to ntlm_auth can be
> avoided, and it's convenient to use the same setup as rlm_mschap
> rather than e.g. having to configure ldap as well.
>
> rlm_mschap isn't the best place for this, and it doesn't seem
> entirely fitting with rlm_pap either, so if anyone's got
> suggestions for a better place for it then shout...
Nice!
I'd say rlm_wbclient
PAP is more for password comparisons. With this you're sending the credentials off to a remote system.
rlm_wbclient could include the MSCHAPv2 code too, and password change, and group retrieval. libwbclient can do a lot more than we're currently using it for.
-Arran
Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 872 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.freeradius.org/pipermail/freeradius-devel/attachments/20160531/4a62d485/attachment.sig>
More information about the Freeradius-Devel
mailing list