Chris,
Chris Parker wrote:
> At 12:17 PM 3/21/2002 -0500, Mike Cathey wrote:
>
>> Chris,
>>
>> The qmail-ldap (<http://www.nrg4u.com>) code (actually IIRC it's the
>> auth code) supports 2 methods of LDAP auth. One method attempts to
>> bind to the directory as the user, which is what it sounds like
>> FreeRADIUS does. The other method is to bind to the directory as a
>> privileged user (one who has access to all user attributes), crypt
>> what the client handed you and compare it to userPassword.
>
> The client hands you an already (and non-reversible) encrypted string.
> Encrypting it a second time will yield nothing useful.
>
>> It may be possible to implement the second method in FreeRADIUS and use
>> it for LDAP/CHAP auth. Comments?
>
> The only way to perform CHAP authentication is for the server to have
> access to the unencrypted password locally.

Sorry, I wasn't suggesting you use crypt with LDAP/CHAP. I was just pointing out the method of binding as a privileged user (a user who has rights to access the userPassword attribute for the RADIUS users). You can then get the value of userPassword and send the 'challenge' back to the proxy. I haven't read docs on CHAP in a while, but it seems like this would work ok. Of course, this assumes you store all of your users' passwords in plain text.

Cheers,
Mike

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
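The point both posters circle around is that CHAP (RFC 1994) computes the response as MD5 over the identifier, the cleartext secret and the challenge, so the server can only check it if it can recover the cleartext secret from userPassword. The following is an added Python example, not code from this thread or from FreeRADIUS or qmail-ldap, showing that verification and what happens when userPassword holds a hashed value instead; the sample identifier, challenge, password and the `{CLEAR}`/`{SHA}` prefixes are constructed for illustration.

```python
import base64
import hashlib
import hmac


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(Identifier || secret || Challenge).
    The secret must be the cleartext password; there is no way to
    produce this value from a one-way hash of the password."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def cleartext_from_userpassword(user_password: bytes) -> bytes:
    """Extract a cleartext secret from an LDAP userPassword value.

    userPassword values commonly carry an RFC 2307-style scheme prefix
    such as {SHA} or {CRYPT}. Only an unprefixed value or the {CLEAR}
    scheme (assumed here as the cleartext convention) yields a secret
    usable for CHAP; any hashed scheme is rejected rather than
    "crypted again", since that would never match the client's response."""
    if not user_password.startswith(b"{"):
        return user_password
    scheme_end = user_password.index(b"}")
    scheme = user_password[1:scheme_end].upper()
    if scheme != b"CLEAR":
        raise ValueError(
            "CHAP needs the cleartext password; userPassword is stored "
            f"with scheme {scheme.decode()}"
        )
    return user_password[scheme_end + 1:]


def verify_chap(identifier: int, challenge: bytes, response: bytes,
                user_password: bytes) -> bool:
    """Server-side check of a CHAP response against the directory value.
    Uses a constant-time comparison so the check does not leak how many
    leading bytes of the response were correct."""
    secret = cleartext_from_userpassword(user_password)
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def sha_userpassword(secret: bytes) -> bytes:
    """Build a {SHA} userPassword value the way many directories store
    passwords (base64 of the raw SHA-1 digest), for the negative case."""
    return b"{SHA}" + base64.b64encode(hashlib.sha1(secret).digest())


if __name__ == "__main__":
    # Constructed sample values: a CHAP identifier, a 16-byte challenge
    # and the user's password.
    ident, chal, pw = 7, bytes(range(16)), b"s3cret-pw"
    resp = chap_response(ident, pw, chal)          # what the client sends
    print(verify_chap(ident, chal, resp, pw))        # True: cleartext store
    print(verify_chap(ident, chal, resp, b"{CLEAR}" + pw))  # True
    try:
        verify_chap(ident, chal, resp, sha_userpassword(pw))
    except ValueError as exc:
        print("rejected:", exc)                      # hashed store: unusable
```

The rejection branch is the practical consequence for a RADIUS/LDAP deployment: supporting CHAP means the directory must hold cleartext (or reversibly encrypted) passwords, which is the trade-off the thread notes, and the privileged-bind account that can read userPassword then becomes a high-value credential to protect.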
