PAP against winbind

Arran Cudbard-Bell a.cudbardb at
Wed Jun 1 01:25:25 CEST 2016

> On 31 May 2016, at 18:02, Matthew Newton <mcn4 at> wrote:
> Hi,
> Have done a bit of work on rlm_pap and added the ability to pass
> the username/password through to AD via winbind, complementing the
> code in rlm_mschap and replacing the need for mods-available/ntlm_auth.
> This should mostly help people permitting EAP-TTLS/PAP as one of
> their available methods, as another call out to ntlm_auth can be
> avoided, and it's convenient to use the same setup as rlm_mschap
> rather than e.g. having to configure ldap as well.
> rlm_mschap isn't the best place for this, and it doesn't seem
> entirely fitting with rlm_pap either, so if anyone's got
> suggestions for a better place for it then shout...


I'd say rlm_wbclient

PAP is more for password comparisons.  With this you're sending the credentials off to a remote system.

rlm_wbclient could include the MSCHAPv2 code too, and password change, and group retrieval. libwbclient can do a lot more than we're currently using it for.


Arran Cudbard-Bell <a.cudbardb at>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 872 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <>

More information about the Freeradius-Devel mailing list