On Thu, 21 Mar 2002, Mike Cathey wrote:

> Chris,
>
>
> Chris Parker wrote:
> > At 12:17 PM 3/21/2002 -0500, Mike Cathey wrote:
> >
> >> Chris,
> >>
> >> The qmail-ldap (<http://www.nrg4u.com>) code (actually IIRC it's the
> >> auth code) supports 2 methods of LDAP auth.  One method attempts to
> >> bind to the directory as the user, which is what it sounds like
> >> FreeRADIUS does.  The other method is to bind to the directory as a
> >> privileged user (one who has access to all user attributes), crypt
> >> what the client handed you and compare it to userPassword.
> >
> >
> > The client hands you an already (and non-reversible) encrypted string.
> > Encrypting it a second time will yield nothing useful.
> >
> >> It may be possible to implement the second method in FreeRADIUS and use
> >> it for LDAP/CHAP auth.  Comments?
> >
> >
> > The only way to perform CHAP authentication is for the server to have
> > access to the unencrypted password locally.
>
> Sorry, I wasn't suggesting you use crypt with LDAP/CHAP.  I was just
> pointing out the method of binding as a privileged user (a user who has
> rights to access the userPassword attribute for the RADIUS users).  You
> can then get the value of userPassword and send the 'challenge' back to
> the proxy.  I haven't read docs on CHAP in a while, but it seems like
> this would work ok.  Of course, this assumes you store all of your users'
> passwords in plain text.
>
> Cheers,
>
> Mike

It's already supported. Please read the FAQ at
http://www.freeradius.org/faq/#5.11

and doc/rlm_ldap

--
Kostas Kalevras         Network Operations Center
[EMAIL PROTECTED]      National Technical University of Athens, Greece
Work Phone:             +30 10 7721861
'Go back to the shadow' Gandalf



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
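
Added example, not part of the original thread and not FreeRADIUS or qmail-ldap code: a sketch of CHAP-MD5 verification as defined in RFC 1994, showing why the server can only check a response when the directory returns the cleartext password, and why a one-way hash in userPassword cannot be used. The password, salt and function names are constructed for illustration, and salted SHA-256 stands in for crypt().

```python
import hashlib
import hmac
import os


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def verify_chap(ident: int, challenge: bytes, response: bytes,
                stored_secret: bytes) -> bool:
    """Server side: recompute the response from whatever the directory holds."""
    expected = chap_response(ident, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def one_way_hash(salt: bytes, data: bytes) -> bytes:
    """Stand-in for crypt(): any salted one-way hash behaves the same here."""
    return hashlib.sha256(salt + data).hexdigest().encode()


def demo():
    password = b"s3cret-example"      # constructed sample password
    salt = b"ab"                      # constructed sample salt
    ident = 0x2A                      # CHAP identifier chosen by the NAS
    challenge = os.urandom(16)        # fresh challenge per attempt

    # Client: never sends the password, only the MD5 response.
    response = chap_response(ident, password, challenge)

    # Case 1: privileged bind returns a cleartext userPassword.
    cleartext_ok = verify_chap(ident, challenge, response, password)

    # Case 2: userPassword holds a one-way hash. The server cannot recover
    # the password, so the recomputed response does not match.
    stored_hash = one_way_hash(salt, password)
    hashed_ok = verify_chap(ident, challenge, response, stored_hash)

    # Case 3: "crypt what the client handed you and compare". The client
    # handed over an MD5 response, so hashing it again matches nothing.
    rehash_ok = hmac.compare_digest(one_way_hash(salt, response), stored_hash)

    return cleartext_ok, hashed_ok, rehash_ok


if __name__ == "__main__":
    print(demo())
```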
