Freeradius with LDAP backend for pptpd (via MS-CHAP)

Alan DeKok aland at
Fri Jul 9 14:59:37 CEST 2010

Daniel Gomes wrote:
> Well, as I mentioned (a couple of times now), the LDAP server was indeed
> returning a password to FreeRADIUS, since radtest was always working
> fine.

  No, it wasn't returning a password to FreeRADIUS.  Go *read* the debug
output.  It will prove this.

  When using PAP, the LDAP module looks for a password.  If it doesn't
get one, it then tries to do "bind as user".  That is, it hands the
username && password to the LDAP server, and asks "are these OK"?

  When this happens, you're making your LDAP server do user
authentication.  This is wrong.  LDAP is a database.  RADIUS is an
authentication server.

> So the problem wasn't in the LDAP server itself, because it does
> "return a password when an LDAP client queries it for a password" (as I
> also mentioned it, we are currently and successfully using it to
> authenticate other services).\

  Using PAP passwords.

> The problem was really related to MS-CHAP,
> and now that I changed to PAP, it all seems to be working fine...

  Yes.  For the reasons outlined above.

  Your situation *isn't* the first time someone has had this issue.
We're familiar with the problem && solution, where you are clearly not.

  Alan DeKok.

More information about the Freeradius-Users mailing list