Thibault Le Meur <Thibault.LeMeur@supelec.fr> wrote:
* the inner PAP authentication is "processed" by the ldap module in which I don't need to define which password hashing method is used (I use at least CRYPT _and_ MD5 in the same directory for historical reasons)
Version 2.0 has fixes that make it much easier to handle multiple hashing types in the same LDAP database.
* I don't need to have freeradius _read_ the passwords from the directory: the DN identity defined in the ldap module can only have auth and read access to radius entries but not to the passwords (which in my point of view is more secure)
If all you're doing is PAP, sure. Most wireless deployments use PEAP, and then people wonder why "bind as user" doesn't work. It's frustrating.
Again, I might not have caught your meaning: Are you saying that in the future the standards ldap module will be only an authorization module, and that a new ldap_bind module could be used in the authenticate section ?
I think it's a good idea. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog