I'm a little confused by how rlm_ldap is handing passwords. First let me state what I believe to be true, if I'm wrong on any of these assumptions please correct me.
They are, sort of, correct.
Or am I just missing something?
You are looking at rlm_ldap in isolation. rlm_pap will "handle" these "bugs".
It seems to be there are three bugs:
1) inserting PW_USER_PASSWORD into config instead of PW_CLEARTEXT_PASSWORD
That will happen in rlm_pap (which should always be listed in authorize).
2) not documenting auto_header
It's documented in rlm_pap. You are supposed to use that setting, not the one in rlm_ldap (I think that one is there for historical reasons).
3) if auto_header is enabled not defaulting to clear text if no prefix is supplied.
Again, that will happen in rlm_pap. I believe that things are done this way in rlm_ldap because that code is from the time when User-Password was used as password configuration attribute. I am sure Alan will have a good explanation why is rlm_ldap left creating the User-Password attribute on the control list which then rlm_pap converts into appropriate password attribute. My guess is to avoid code duplication. Ivan Kalik Kalik Informatika ISP