Thibault Le Meur <Thibault.LeMeur@supelec.fr> wrote:
* the inner PAP authentication is "processed" by the ldap module in which I don't need to define which password hashing method is used (I use at least CRYPT _and_ MD5 in the same directory for historical reasons)
Version 2.0 has fixes that make it much easier to handle multiple hashing types in the same LDAP database.
Yes, I remember having read something about this in the list... I'm longing to test this release ;-)
* I don't need to have freeradius _read_ the passwords from the directory: the DN identity defined in the ldap module can only have auth and read access to radius entries but not to the passwords (which in my point of view is more secure)
If all you're doing is PAP, sure. Most wireless deployments use PEAP, and then people wonder why "bind as user" doesn't work. It's frustrating.
I understand (It's true that this list is nearly 30% about this kind of issue despite the faqs on this) :-(
Again, I might not have caught your meaning: Are you saying that in the future the standards ldap module will be only an authorization module, and that a new ldap_bind module could be used in the authenticate section ?
I think it's a good idea.
Why not indeed ... (as long as there's a new ldap_bind module to replace the ldap 'authentication' part ;-) ). Thanks for this reply and for this great opensource project. Regards, Thibault