How to use different ldap-modules?

Alan DeKok aland at ox.org
Wed Jun 22 18:59:17 CEST 2005


Florian Prester <Florian.Prester at rrze.uni-erlangen.de> wrote:
> 1.) PAP is just the clear-text password???

  Yes.

> -> I thought pap is hashing the password with a challenge (MD-5). 

  Stop worrying about it.  PAP is the clear-text password.

> So I want the server to hold a crypted Password (MD-5) for PAP, but 
> retrieve that from the ldap server.

  If the LDAP server has a clear-text password for MS-CHAP, you might
as well use it for PAP.  Trying to make PAP use a crypt'd password is
a waste of time, and doesn't gain anything.

> 2.) I do not want to do any binding to the ldap for authentication!

  So... don't list "ldap" in the "authenticate" section.

> 3.) For authentication I want to provide PAP, CHAP, and PEAP+TLS using 
> MsCHAPv2.
>      
>     How can I do that? If I use the radiusd.conf as it comes, the radius 
> wants to use ldap for authentication.

  No, it doesn't.  The default radiusd.conf doesn't use ldap at *all*.

>     authenticate {
> ...
>           ldap {
>              pap
>           }

  WTF?  Don't do that!

  Alan DeKok.
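
The following sketch is an added example, not part of the original message or of FreeRADIUS. It shows which stored password form lets the server verify PAP and which lets it verify CHAP (RFC 1994). The function names, the sample password and the unsalted-MD5 storage format are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994: Response = MD5(Identifier || secret || Challenge)
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()

def check_pap(received: bytes, stored: bytes, stored_is_md5: bool) -> bool:
    # PAP hands the server the password itself, so either stored form works:
    # compare directly, or hash what arrived and compare digests.
    candidate = hashlib.md5(received).digest() if stored_is_md5 else received
    return hmac.compare_digest(candidate, stored)

def check_chap(chap_id: int, challenge: bytes, response: bytes, stored: bytes) -> bool:
    # CHAP hands the server only a digest. The server recomputes it from the
    # stored value, which matches only if that value is the clear text.
    return hmac.compare_digest(chap_response(chap_id, stored, challenge), response)

def methods_that_work(password: bytes, stored: bytes, stored_is_md5: bool) -> set:
    # Simulate a client that knows the real password trying both methods.
    chap_id, challenge = 1, os.urandom(16)
    client_resp = chap_response(chap_id, password, challenge)
    ok = set()
    if check_pap(password, stored, stored_is_md5):
        ok.add("PAP")
    if check_chap(chap_id, challenge, client_resp, stored):
        ok.add("CHAP")
    return ok

PASSWORD = b"example-pass"                  # constructed sample value
CLEAR_ENTRY = PASSWORD                      # directory holds clear text
MD5_ENTRY = hashlib.md5(PASSWORD).digest()  # directory holds unsalted MD5 (assumed format)

if __name__ == "__main__":
    print("clear-text entry:", sorted(methods_that_work(PASSWORD, CLEAR_ENTRY, False)))
    print("MD5 entry:       ", sorted(methods_that_work(PASSWORD, MD5_ENTRY, True)))
```

With a clear-text entry both methods verify; with only an MD5 entry PAP still verifies but CHAP cannot, so a server that must already hold the clear text for challenge-response methods gains nothing by hashing a second copy for PAP.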



