PAP against winbind

Matthew Newton mcn4 at
Wed Jun 1 01:41:57 CEST 2016

On Tue, May 31, 2016 at 07:33:22PM -0400, Alan DeKok wrote:
> On May 31, 2016, at 7:25 PM, Arran Cudbard-Bell <a.cudbardb at> wrote:
> > I'd say rlm_wbclient
>   I agree,  It's different enough from rlm_pap that it deserves a different module.

OK, I'll separate it out. I wondered about a different module, but
it's so small that a separate module didn't quite seem worth it.
But I agree that is probably cleaner.

> > PAP is more for password comparisons.  With this you're
> > sending the credentials off to a remote system.
> > 
> > rlm_wbclient could include the MSCHAPv2 code too, and password
> > change, and group retrieval. libwbclient can do a lot more
> > than we're currently using it for.
>   Hmm. that way lies madness.  But yes, it's not *completely* out of the question.

Yeah. That was the other thought. But there's so much with the
mschap stuff tied in with that module (calculating the
challenge/responses) that it didn't seem like the two could easily
be pulled out into another module. And password changes again are
tied in with mschap.

On the other hand, PEAP etc directly call mschap for EAP-MSCHAPv2,
so maybe another hack like that :)

Group retrieval is definitely another possibilty though.

Hmm - maybe mschap should itself call across to rlm_wbclient. OK,
madness... would only be one connection pool then, though.


Matthew Newton, Ph.D. <mcn4 at>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at>

More information about the Freeradius-Devel mailing list