Edvin Seferovic wrote:
before somebody yells "not again" - I just wish to ask if it is possible to use MS-CHAP and CHAP authentication with a LDAP backend which contains clear-text passwords as well as NT-Password ( used for MS-CHAP ) ??? Alan - yes/no answer please :)
Read the web page: http://deployingradius.com/documents/protocols/compatibility.html If you're doing "bind as user" in LDAP, read this: http://deployingradius.com/documents/protocols/oracles.html
If positive - can somebody give me an example of attribute mapping to ldap for both ( MS-CHAP and CHAP ) to work ?
You don't do attribute mappings. See the "ldap" section in radiusd.conf, and look for "password_attribute".
My setup with LDAP as backend is working with a mapping of NT-Password to sambaNTPassword like this :
checkItem NT-Password sambaNTPassword
MS-CHAP works just fine !
For CHAP I added
password_header = "{clear}" password_attribute = "userPassword" password_radius_attribute = "User-Password"
Where did that last line come from?
to the LDAP module configuration. But unfortunately chap module doesn't like my clear-text password ( stored in userPassword ) for authentication :( How else can I say CHAP where to look for the clear-text password.
See the FAQ for "it doesn't work". Alan DeKok.