Porting ldap module configuration from 2.2.9 to 3.0.15

Stefan Paetow Stefan.Paetow at jisc.ac.uk
Wed Sep 20 17:46:00 CEST 2017

Hi Olivier, 

Have a look in your authorize section... You should have this in your
authorize section too (*after* the 'pap' line, which should be active):

if (&request:User-Password) {
  update control {
    Auth-Type = ldap
  }
}

Note that the operator is '=', not ':='. This means that an Auth-Type is
only set when none exists.

The message about the server no longer authenticating cleartext passwords
in the User-Password attribute only refers to entries in the 'users' file
or other backends (such as databases). AFAIK, RADIUS protocol will always
continue to send User-Password, which the PAP module (and others) will
decode based on what they find in it.

Given that your Access-Request packet does contain User-Password, I
suspect it's the fact that you don't set an Auth-Type with unlang that it

V3 is much more powerful and flexible (but stricter).


Stefan Paetow
Moonshot Industry & Research Liaison Coordinator

t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: stefanp at jabber.dev.ja.net
skype: stefan.paetow.janet
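
For context, an added sketch (not part of the original post, and not the project's shipped configuration) of where that block sits in a 3.0.x virtual server, together with the matching authenticate stanza the server needs in order to act on Auth-Type = ldap. It assumes the LDAP module instance is named "ldap" and omits all other modules:

```unlang
# Added example: fragment of a FreeRADIUS 3.0.x virtual server
# (e.g. sites-enabled/default). Assumes the LDAP module instance is
# named "ldap"; other modules in each section are omitted.

authorize {
    # Look the user up in the directory. If the entry exposes a
    # password attribute, it is added to the control list as a
    # "known good" password.
    ldap

    # With a known good password present, pap sets Auth-Type to PAP.
    # Without one, it leaves Auth-Type unset.
    pap

    # Fall back to an LDAP bind only for requests that carry
    # User-Password. '=' assigns only when control:Auth-Type does not
    # exist yet, so a value chosen earlier in this section is kept.
    # ':=' would overwrite it.
    if (&request:User-Password) {
        update control {
            Auth-Type = ldap
        }
    }
}

authenticate {
    Auth-Type PAP {
        pap
    }

    # Runs when Auth-Type is ldap: the module binds to the directory
    # as the user, using the User-Password from the request.
    Auth-Type LDAP {
        ldap
    }
}
```

Running the server with radiusd -X shows which Auth-Type was selected for a given request, which confirms whether the fallback fired or an earlier module had already set one.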

