FW: MS-CHAP-v2 and CHAP with different passwords in LDAP

Alan DeKok aland at deployingradius.com
Sat Dec 8 23:40:24 CET 2007

Edvin Seferovic wrote:
> before somebody yells "not again" - I just wish to ask if it is possible to
> use MS-CHAP and CHAP authentication with a LDAP backend which contains
> clear-text passwords as well as NT-Password ( used for MS-CHAP ) ??? Alan -
> yes/no answer please :)

  Read the web page:


  If you're doing "bind as user" in LDAP, read this:


> If positive - can somebody give me an example of attribute mapping to ldap
> for both ( MS-CHAP and CHAP ) to work ?

  You don't do attribute mappings.  See the "ldap" section in
radiusd.conf, and look for "password_attribute".

> My setup with LDAP as backend is working with a mapping of NT-Password to
> sambaNTPassword like this :
> checkItem       NT-Password                     sambaNTPassword
> MS-CHAP works just fine !
> For CHAP I added 
> password_header = "{clear}"
> password_attribute = "userPassword"
> password_radius_attribute = "User-Password"

  Where did that last line come from?

> to the LDAP module configuration. But unfortunately chap module doesn't like
> my clear-text password ( stored in userPassword ) for authentication :( How
> else can I say CHAP where to look for the clear-text password.

  See the FAQ for "it doesn't work".

  Alan DeKok.

More information about the Freeradius-Users mailing list