auth to LDAP via two mechanisms

Alan DeKok aland at
Fri Aug 18 18:33:01 CEST 2006

Rob Shepherd <rob at> wrote:
> I'll use PAP (ldap auth)

  Please don't.  It makes everything harder.

  LDAP is a database, not an authentication server.  Have the server
read the clear-text password from LDAP, and the server will figure out
how to authenticate the user.  Remove "ldap" from the "authenticate"
section.  It's just not necessary.

>  from the VPN concentrator but mschapv2 from the 
> wireless, as it'll go through a peap or eap-tls tunnel. I have NT and LM 
> hashes already in the LDAP, I just need to extract them...

  See ldap.attrmap.

> Could I get pointers on how I command the right auth type for the 
> right device.

  You don't.  You supply the server with passwords, and it figures out
what to do.

> And how I get the nt/lm hashes from ldap and do mschapv2..

  ldap.attrmap, and the server will figure out what to do.

  Alan DeKok.
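
The setup described in this reply, sketched as an added example that is not part of the original message or the project's shipped configuration. It assumes the FreeRADIUS 1.x file layout (ldap.attrmap plus radiusd.conf) and that the directory stores the hashes in the Samba-schema attributes sambaNTPassword and sambaLMPassword; substitute the attribute names your directory actually uses.

```text
# ldap.attrmap
# Format: <checkItem|replyItem>  <RADIUS attribute>  <LDAP attribute>
# The LDAP attribute names in the right-hand column are assumptions.
checkItem   User-Password   userPassword
checkItem   NT-Password     sambaNTPassword
checkItem   LM-Password     sambaLMPassword

# radiusd.conf (fragment)
authorize {
    preprocess
    mschap      # notices MS-CHAP attributes in the request
    eap         # notices EAP-Message (PEAP, EAP-TLS)
    ldap        # looks the user up and copies the mapped
                # attributes above into the check items
}

authenticate {
    # No "ldap" entry here: the server never binds to LDAP as the
    # user. It compares the request against the password or hashes
    # that the authorize section already retrieved.
    Auth-Type PAP {
        pap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    eap
}
```

The account the ldap module binds with needs read access to the password and hash attributes, so restrict that access to the RADIUS service account and protect the LDAP connection.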