Using existing NTLM hashes

Arran Cudbard-Bell a.cudbardb at
Thu Sep 21 10:47:27 CEST 2017

rlm_ldap no longer strips off password headers (as it did in v2).

{ntlm} is not a supported header. It doesn't map to any kind of hashing scheme; you need to use nt or nthash.

You can use rlm_pap to do password normalisation only, by listing it after ldap, but before mschap/eap in the authorize section of the inner tunnel server, then removing any references to the pap module in the authenticate section of the inner tunnel server.

rlm_pap will process any Password-With-Header attributes, converting them into the correct attribute and adding them to the control list.

We should probably move this out into a separate module in v4, but that's the way it's done for v3.
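
The layout described above, sketched as an added example that is not part of the original post or of the FreeRADIUS default configuration. It assumes the inner tunnel virtual server is named `inner-tunnel`, that the ldap module maps the directory attribute into `control:Password-With-Header`, and that the stored value looks like the constructed placeholder shown in the comment.

```text
# FreeRADIUS v3, inner tunnel virtual server (relevant parts only).
# Assumed directory value, constructed for illustration:
#   {nt}<32 hex digits of the NT hash>
# A value with an {ntlm} header is not recognised and will not be converted.

server inner-tunnel {
    authorize {
        # Fetch the user entry. With the assumed attribute mapping this
        # puts the headed value in control:Password-With-Header.
        ldap

        # Normalisation only: rlm_pap reads Password-With-Header, strips
        # the {nt} / {nthash} header and adds the resulting password
        # attribute to the control list. It has to run after ldap and
        # before mschap/eap so they see the converted attribute.
        pap

        mschap

        eap {
            ok = return
        }
    }

    authenticate {
        # No "pap" entry here: the module is used in authorize only,
        # so PAP authentication itself is never performed in the tunnel.
        Auth-Type MS-CHAP {
            mschap
        }

        eap
    }
}
```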
