On 31 May 2016, at 18:02, Matthew Newton <mcn4@leicester.ac.uk> wrote:
Hi,
Have done a bit of work on rlm_pap and added the ability to pass the username/password through to AD via winbind, complementing the code in rlm_mschap and replacing the need for mods-available/ntlm_auth.
This should mostly help people permitting EAP-TTLS/PAP as one of their available methods, as another call out to ntlm_auth can be avoided, and it's convenient to use the same setup as rlm_mschap rather than e.g. having to configure ldap as well.
rlm_mschap isn't the best place for this, and it doesn't seem entirely fitting with rlm_pap either, so if anyone's got suggestions for a better place for it then shout...
Nice! I'd say rlm_wbclient PAP is more for password comparisons. With this you're sending the credentials off to a remote system. rlm_wbclient could include the MSCHAPv2 code too, and password change, and group retrieval. libwbclient can do a lot more than we're currently using it for. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2