CHAP and Windows 2003 AD LDAP

Phil Mayers p.mayers at
Wed Jul 5 18:43:20 CEST 2006

Stefan Winter wrote:
> Hi,
>> I'm trying to get a freeradius server (v1.0.1) to work with CHAP and
> How about 1.1.2? Upgrading is easy, and it fixes at least one security bug.
>> querying a Windows 2003 Active Directory server using LDAP.
>> I've got LDAP working for PAP queries, but CHAP comes back with the
>> "rlm_chap: Could not find clear text password".
> AD and LDAP-mode don't work together. The AD server will not give away the 
> user's attribute. If you want CHAP to work, you will need to use ntlm_auth. 

That is not correct. If you want to use *MS-CHAP* you must use ntlm_auth 
(or extract the NT hash another way).

If you want to use CHAP i.e. plain-old chap as implemented by the 
rlm_chap module listed above, you MUST have the users plaintext password 
which AD does not maintain by default and even if it is told to, cannot 
be persuaded to give up.

More information about the Freeradius-Users mailing list