Help with Chap and ldap

Alan DeKok aland at
Fri Dec 6 15:53:59 CET 2013

P K wrote:
> I'm using openldap and phpldapadmin to create account. The interface
> allows me to store "clear" password. When I do an ldapsearch
> commandline, I get base64 password. I don't see an option in
> phpldapadmin to store "clear-text" type.
> I've configured freeradius to use ldap and I'm using radtest to test
> but chap always fails. Is it failing because of base64? It seems to
> have decoded fine looking at the logs. Why is CHAP failing? Please
> help.

  The debug log shows why it's failing:

> [pap] Failed to decode Password-With-Header = "password01"

  The password is stored in LDAP without any prefix such as "{clear}".
It should either have that header, or, you should change raddb/ldap.attrmap:

checkitem	Password-With-Header		userPassword


checkitem	Cleartext-Password		userPassword

  Alan DeKok.

More information about the Freeradius-Users mailing list