Hi Alan,
ldap] looking for check items in directory... [ldap] acctFlags -> SMB-Account-CTRL-TEXT == "[W ]" [ldap] userPassword -> Password-With-Header == "..." [ldap] ntPassword -> NT-Password == 0x34343446...242
Hmm... that looks a lot like it's ASCII. i.e. "444..." Maybe that's the problem? You have an ASCII string that's being interpreted as the NT password. Instead, it needs to be interpreted as the *printed* form of the password. I had a look in the LDAP, and the ntPassword is having the correct lenght : ntPassword: 44AFA3XXXXXXXXXXXXXXXXXXXXXXX856
One way to do this is to list "pap" last in the authorize section. It goes through the various password attributes, and fixes them to be correct.
I did enable pap, but without success. [ldap] looking for check items in directory... [ldap] acctFlags -> SMB-Account-CTRL-TEXT == "[W ]" [ldap] userPassword -> Password-With-Header == "JDEkMWs..." [ldap] ntPassword -> NT-Password == 0x34343446... [ldap] looking for reply items in directory... [ldap] user host/dti-dahport authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok [pap] Failed to decode Password-With-Header = "JDEkMWs..." [pap] Normalizing NT-Password from hex encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ... [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] Found NT-Password [mschap] Creating challenge hash with username: host/dti-dahport [mschap] Told to do MS-CHAPv2 for host/dti-dahport with NT-Password [mschap] FAILED: MS-CHAP2-Response is incorrect Is it possible that the issue is somewhere else? The nt/lmPassword are properly handled when we do user auth, and the printout in debug is also in a 0xsomething format. -- Francois Gaudreault, ing. jr fgaudreault@inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)