at the risk of falling in a known trap.
I've read enough statements that one can't do mschapv2 with openldap, unless you store the passwords in clear-text. I know that
But those same sources also state that this isn't true when you have a (MS) hash available for those users, like NT-/LM-PASSWORD, which I have.
Yet my configuration still seems to expect clear-text passwords.
[ldap] looking for check items in directory...
[ldap] userPassword -> User-Password == "{crypt}<cryptpasswd>"
[ldap] userPassword -> Password-With-Header == "{crypt}<cryptpasswd>"
[ldap] sambaNTPassword -> NT-Password == 0x<hash>
[ldap] sambaLMPassword -> LM-Password == 0x<hash>
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: <userid>
[mschap] Told to do MS-CHAPv2 for <userid> with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
What am I missing in the configuration? It has the hashed passwords, seamingly mapped to the correct attributes, yet it still says it doesn't have them.