Hi, I've been working this morning in bringing back the eDirectory Universal Password feature into the new rlm_ldap module. I'm only talking about Universal Password, not the NMAS two-factor auth, as this is something we don't have here so there's no way for me to test. What have been done and is working : - reformatting edir_ldapext.c for the universal password code into a new file, some code cleanup - implementing the "edir=yes/no" options for rlm_ldap - retrieve the password in ldap_authorize and add the corresponding Cleartext-Password attribute Actually I can successfully connect using an eDir account with pap/. What has to be done, and where I need some hints : - Now that we have the cleartext-password, we're not going in the ldap_authenticate anymore. In the past with Auth-Type=LDAP it was possible, but setting Auth-Type=LDAP triggers a module_fail after the rewrite. In order to enforce eDir account policy, we have to bind to the LDAP server. how would you recommend me to implement it ? - add the IFDEF NOVELL around the added code (i can do it that's ok) - adapt the Makefile in order to compile edir_upwd.c only if configure has --with-edir (need help on that point) - return an error in the debug if universal password is not found, but do not fail the module (or should I ?) Initial commit in my fork is visible here : https://github.com/olivierbeytrison/freeradius-server/commits/rlm_ldap_add_e... Btw, it has been some years since the last time I wrote C. Be gentle and advise, I'll try to make it as clean as possible. Any advice are welcome ! Olivier -- Olivier Beytrison Network & Security Engineer, HES-SO Fribourg Mobile: +41 (0)78 619 73 53 Mail: olivier@heliosnet.org