auth to LDAP via two mechanisms

Rob Shepherd rob at
Mon Aug 21 11:06:52 CEST 2006

Alan DeKok wrote:
> Rob Shepherd <rob at> wrote:
>> I'll use PAP (ldap auth)
>   Please don't.  It makes everything harder.


>   LDAP is a database, not an authentication server.  Have the server
> read the clear-text password from LDAP, and the server will figure out
> how to authenticate the user.  Remove "ldap" from the "authenticate"
> section.  It's just not necessary.

No clear-text is stored in LDAP. I have MD5 in userPassword and the two 
samba hashes.
The cisco kit, VPN concentrator and switches etc, supply a clear text 
password at radius. I figured my only option was to PAP-to-LDAP.

Is there an alternative for this situation?

>>  from the VPN concentrator but mschapv2 from the 
>> wireless, as it'll go through a peap or eap-tls tunnel. I have NT and LM 
>> hashes already in the LDAP, I just need to extract them...
>   And how I get the nt/lm hashes from ldap and do mschapv2..
>   ldap.attrmap, and the server will figure out what to do.


Rob Shepherd | Computer and Network Engineer | Technium CAST | LL57 4HJ
rob at | 01248 675024 | 07776 210516

More information about the Freeradius-Users mailing list