<HTML><HEAD>
<META content="text/html; charset=utf-8" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.6001.18975"></HEAD>
<BODY style="MARGIN: 4px 4px 1px; FONT: 10pt Tahoma">
<DIV>Thanks for everyone's help on this. We got it to work, now using eap-peap. We truly believe it was using mschapv2 before, but cannot prove that to ourselves. Everytime something changes we learn much more than we knew before, so I guess that's a good thing.</DIV>
<DIV> </DIV>
<DIV>thanks again.</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>robert</DIV>
<DIV> </DIV>
<DIV>
<DIV>Robert Koskey,</DIV>
<DIV>Systems and Network Manager</DIV>
<DIV> </DIV>
<DIV>Rocky View Schools</DIV>
<DIV>Telephone: 403-945-4080<BR>Cell: 403-988-4640</DIV><BR><BR>>>> Alexander Clouter <alex@digriz.org.uk> 12/11/2010 4:35 AM >>><BR>Peter Lambrechtsen <plambrechtsen@gmail.com> wrote:<BR>> <BR>> On Sat, Dec 11, 2010 at 3:59 AM, Gary Gatten <Ggatten@waddell.com> wrote:<BR>> <BR>>> Look in the configure script, or maybe try ./configure --help. Else the<BR>>> config options are probably listed in one of the readme's.<BR>> <BR>> Yes it's a configure switch when you compile FR.<BR>> <BR>> I would assume that since it's a version distributed with SLES (I would<BR>> assume OpenSUSE would be the same), but can check in the srpm to make sure<BR>> it's in there. But I would be surprised if it wasn't.<BR>> <BR>> The main things to be sure is your Universal Password policy assigned to<BR>> your users allows Admin's (or a specific user) to retreieve the User's<BR>> password, and that the service account you use to bind to eDirectory in FR<BR>> is one of those accounts. And that you are binding over LDAPS (SSL) on port<BR>> 636 typlically. Which may require you to import in the LDAP Server's CA<BR>> Cert into the certificate keystore in the LDAP SSL Config.<BR>> <BR>Am I missing something obvious but in the original post was:<BR>----<BR>rlm_ldap: Added the eDirectory password 51601222 in check items as Cleartext-Password<BR>----<BR><BR>We are ourselves condemned to hell to and are forced to use Novell <BR>but all this UP malarkey works for us just fine.<BR><BR>The OP obviously has already enabled universal password according to the <BR>debugging message, a five second look at the source code also confirms <BR>this:<BR><BR><A href="https://github.com/alandekok/freeradius">https://github.com/alandekok/freeradius</A>-server/blob/v2.1.x/src/modules/rlm_ldap/rlm_ldap.c#L1592<BR><BR>Of course I have no idea why the Cleartext-Password attribute is <BR>disappearing after passing through authorize/ldap before it gets to <BR>pap/chap/mschap but I cannot see the OP's config. The problem seems not <BR>not to be a flag at compile time, it's a configuration problem.<BR><BR>Cheers<BR><BR>-- <BR>Alexander Clouter<BR>.sigmonster says: No purchase necessary.<BR><BR>-<BR>List info/subscribe/unsubscribe? See <A href="http://www.freeradius.org/list/users.html">http://www.freeradius.org/list/users.html</A><BR></DIV><BR>
<p>
_____________________________________________________________________________________
</p>
<p>
This communication is intended for the use of the recipient to which it
is addressed, and may contain confidential, personal, and or privileged
information. Please contact us immediately if you are not the intended
recipient of this communication, and do not copy, distribute, or take
action relying on it. Any communication received in error, or subsequent
reply, should be deleted or destroyed.
</p>
</BODY></HTML>