21 Sep
2017
21 Sep
'17
4:47 a.m.
rlm_ldap no longer strips off password headers (as it did in v2). {ntlm} is not a supported header. It doesn't to any kind of hashing scheme, you need to use nt or nthash. You can use rlm_pap to do password normification only, by listing it after ldap, but before mschap/eap in the authorize section of the inner tunnel server, then removing any references to the pap module in the authenticate section of the inner tunnel server. rlm_pap will process any Password-With-Header attributes, converting them into the correct attribute and adding them to the control list. We should probably move this out into a separate module in v4, but that's the way it's done for v3. -Arran