Fwd: LDAP + CHAP

Alan DeKok aland at deployingradius.com
Mon Mar 3 14:36:15 CET 2014


Adam Seed wrote:
> Hi Alan,
> 
> That same wiki says 'The ldap module can only work with PAP passwords
> since it needs to send the clear text user password to the LDAP server
> to authenticate the user.'

  Where?

> I might be misunderstanding as I'm new to
> Radius, but that doesn't sound too positive. Anyway... I'm hoping to find
> a workaround

  That text (whatever it is) means that you can only do "bind as user"
when the Access-Request contains User-Password (i.e. PAP).


> So I checked my sites-enabled/default and it does have the LDAP module
> listed:

  OK...

> (I stripped out the comments and highlighted the bits I changed)


  Please don't post it here.  It doesn't help.

> In addition here is the output of my debug:

  That's what we need.

>   [ldap] userPassword -> Password-With-Header ==
> "{MD5}1hkMdaNUxxbUu/hufTrjtQ=="

  You're storing passwords in MD5 hashed format.  This is incompatible
with CHAP.

http://deployingradius.com/documents/protocols/compatibility.html

> [chap] Cleartext-Password is required for authentication

  See?  I suggest believing that message.  It's true.

> Any assistance is greatly welcomed.

  (a) store clear-text passwords in LDAP

  (b) don't use CHAP.

  Pick one.

  Alan DeKok.
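
Added example, not part of the original message and not FreeRADIUS code: why a {MD5} userPassword can verify a PAP request but not a CHAP one. The password, CHAP identifier and challenge are constructed sample values, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac

def ldap_md5(password: bytes) -> str:
    """LDAP-style {MD5} userPassword value: base64 of the raw MD5 digest."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password).digest()).decode()

def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def verify_pap(user_password: bytes, stored: str) -> bool:
    """PAP hands the server the cleartext, so it can hash it and compare."""
    return hmac.compare_digest(ldap_md5(user_password), stored)

def verify_chap(chap_id, challenge, response, cleartext):
    """CHAP check: the server must recompute MD5 over the cleartext password."""
    if cleartext is None:
        return None  # undecidable, i.e. "Cleartext-Password is required"
    expected = chap_response(chap_id, cleartext, challenge)
    return hmac.compare_digest(expected, response)

def chap_from_hash_attempt(chap_id: int, stored: str, challenge: bytes) -> bytes:
    """Feeding the stored digest in place of the password changes the MD5 input."""
    digest = base64.b64decode(stored[len("{MD5}"):])
    return chap_response(chap_id, digest, challenge)

# Constructed sample values (not taken from the debug output above).
PASSWORD = b"example-password"
CHAP_ID = 7
CHALLENGE = bytes(range(16))
STORED = ldap_md5(PASSWORD)                      # what LDAP holds
CLIENT_RESPONSE = chap_response(CHAP_ID, PASSWORD, CHALLENGE)

if __name__ == "__main__":
    print("PAP against {MD5}:", verify_pap(PASSWORD, STORED))
    print("CHAP with only the hash:",
          verify_chap(CHAP_ID, CHALLENGE, CLIENT_RESPONSE, None))
    print("CHAP with cleartext:",
          verify_chap(CHAP_ID, CHALLENGE, CLIENT_RESPONSE, PASSWORD))
    print("hash-as-password matches:",
          chap_from_hash_attempt(CHAP_ID, STORED, CHALLENGE) == CLIENT_RESPONSE)
```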

