Validating plaintext passwords against Samba 4

[Brian Candler]

Hi,

There are several documents about how to authenticate MSCHAP requests 
against Samba 4 / AD.

My question is, what's the preferred way to authenticate requests which 
contain plaintext passwords, i.e. PAP, against S4/AD? rlm_mschap has 
hooks to talk to ntlm_auth or winbind, but rlm_pap doesn't.

It seems to me I could:

* use rlm_ldap, and do a bind using the user supplied password

* use rlm_krb5 (i.e. kerberos as a password oracle)

Is there another/better way?

Thanks,

Brian.