Fwd: LDAP + CHAP
Alan DeKok
aland at deployingradius.com
Mon Mar 3 14:36:15 CET 2014
Adam Seed wrote:
> Hi Alan,
>
> That same wiki says 'The ldap module can only work with PAP passwords
> since it needs to send the clear text user password to the LDAP server
> to authenticate the user.'
Where?
> I might be misunderstanding as I'm new to
> Radius, but that doesn't sound too positive. Anyway... I'm hoping to find
> a workaround
That text (whatever it is) means that you can only do "bind as user"
when the Access-Request contains User-Password (i.e. PAP).
> So I checked my sites-enabled/default and it does have the LDAP module
> listed:
OK...
> (I stripped out the comments and highlighted the bits I changed)
Please don't post it here. It doesn't help.
> In addition here is the output of my debug:
That's what we need.
> [ldap] userPassword -> Password-With-Header ==
> "{MD5}1hkMdaNUxxbUu/hufTrjtQ=="
You're storing passwords in MD5 hashed format. This is incompatible
with CHAP.
http://deployingradius.com/documents/protocols/compatibility.html
> [chap] Cleartext-Password is required for authentication
See? I suggest believing that message. It's true.
> Any assistance is greatly welcomed.
(a) store clear-text passwords in LDAP
(b) don't use CHAP.
Pick one.
Alan DeKok.
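
Added example, not part of the original message and not FreeRADIUS code: a Python sketch of why a stored `{MD5}` value can validate PAP but not CHAP. The CHAP response follows RFC 1994 (MD5 over identifier, secret, challenge); the password, identifier and challenge are constructed sample values and the function names are hypothetical.

```python
import base64
import hashlib
import hmac


def ldap_md5(password: bytes) -> str:
    """LDAP-style {MD5} userPassword value: base64 of the raw MD5 digest."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password).digest()).decode()


def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


def verify_pap(submitted: bytes, stored: str) -> bool:
    """PAP delivers the password itself, so the server can hash and compare."""
    return hmac.compare_digest(ldap_md5(submitted), stored)


def verify_chap(chap_id: int, challenge: bytes, response: bytes,
                server_secret: bytes) -> bool:
    """CHAP: the server must recompute the response from the secret it holds."""
    expected = chap_response(chap_id, server_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    password = b"example-password"   # constructed sample password
    stored = ldap_md5(password)      # what the directory would hold
    chap_id = 7                      # constructed CHAP identifier
    challenge = bytes(range(16))     # constructed; a real challenge is random
    response = chap_response(chap_id, password, challenge)  # client side

    # All the server has when the directory stores only the hash:
    stored_digest = base64.b64decode(stored[len("{MD5}"):])
    return {
        "pap_against_hash": verify_pap(password, stored),
        "chap_with_cleartext": verify_chap(chap_id, challenge, response, password),
        "chap_with_hash_only": verify_chap(chap_id, challenge, response, stored_digest),
    }


if __name__ == "__main__":
    print(demo())
```

The client hashes the clear-text password together with the challenge, so a server holding only MD5(password) has nothing it can feed into the same computation, which is what the `[chap] Cleartext-Password is required` debug line reports.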