CHAP and Windows 2003 AD LDAP

Luke freeradius at luke.bpa.nu
Thu Jul 6 00:00:25 CEST 2006


Stefan Winter wrote:

>>I've got LDAP working for PAP queries, but CHAP comes back with the
>>"rlm_chap: Could not find clear text password".
>>    
>>
>
>AD and LDAP-mode don't work together. The AD server will not give away the 
>user's attribute. If you want CHAP to work, you will need to use ntlm_auth. 
>  
>
Thanks for the responses guys.

Unfortunately I need to support CHAP because it is used by an external
global Dial-Up provider which the freeradius machine is authenticating for.

The whole idea of using LDAP was because the machine was in the DMZ, and
LDAP would allow us to lock it down more by only allowing the bind user
access to certain parts of the AD tree. If I use ntlm_auth, the box will
have to be joined to the domain (from my understanding) - wouldn't this
represent quite a big security risk? Will ntlm_auth also do PAP (used by
another provider authenticating against the server) where the password
is in clear-text?

> There's also a great tutorial on the topic, which is 
>referenced here quite often by Charles Schwartz, see the archives for that 
>one as well.
>  
>
It's at
http://homepages.lu/charlesschwartz/radius/freeRadius_AD_tutorial.pdf I
believe (for anyone else which wants to have a look).

Thanks,

Luke



More information about the Freeradius-Users mailing list