I am probably just dense but either the faq is incomplete or I cannot translate to suit my needs. I cannot even get chap to work with Auth-Type :=system. I need it to work with ldap. One key point may be CHAP vs MS-CHAP. The radiusd.conf file only has ms-chap in it. I remember a long time ago when chap was proposed, ms did their own version. Since the MS version became the de facto standard, I am not sure if ms-chap and chap are used interchangeably.

From radiusd -X:

rlm_ldap: Attribute "Password" is required for authentication. Cannot use "CHAP-Password".

I need CHAP to work with LDAP but would be happy to see it work with system auth just to know it works.

--
Michael

-----Original Message-----
From: Kostas Kalevras [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 21, 2002 2:09 PM
To: [EMAIL PROTECTED]
Subject: Re: CHAP-Password & LDAP Auth?

On Thu, 21 Mar 2002, Mike Cathey wrote:

> Chris,
>
>
> Chris Parker wrote:
> > At 12:17 PM 3/21/2002 -0500, Mike Cathey wrote:
> >
> >> Chris,
> >>
> >> The qmail-ldap (<http://www.nrg4u.com>) code (actually IIRC it's
> >> the auth code) supports 2 methods of LDAP auth. One method
> >> attempts to bind to the directory as the user, which is what it
> >> sounds like FreeRADIUS does. The other method is to bind to the
> >> directory as a privileged user (one who has access to all user
> >> attributes), crypt what the client handed you and compare it to
> >> userPassword.
> >
> >
> > The client hands you an already ( and non-reversible ) encrypted
> > string. Encrypting it a second time will yield nothing useful.
> >
> >> It may be possible to implement the second method in FreeRADIUS and
> >> use it for LDAP/CHAP auth. Comments?
> >
> >
> > The only way to perform CHAP authentication is for the server to
> > have access to the unencrypted password locally.
>
> Sorry, I wasn't suggesting you use crypt with LDAP/CHAP. I was just
> pointing out the method of binding as a privileged user (a user who
> has rights to access the userPassword attribute for the RADIUS users).
> You can then get the value of userPassword and send the 'challenge'
> back to the proxy. I haven't read docs on CHAP in a while, but it
> seems like this would work ok. Of course, this assumes you store all
> of your users' passwords in plain text.
>
> Cheers,
>
> Mike

It's already supported. Please read the FAQ at http://www.freeradius.org/faq/#5.11 and doc/rlm_ldap

--
Kostas Kalevras         Network Operations Center
[EMAIL PROTECTED]       National Technical University of Athens, Greece
Work Phone:             +30 10 7721861
'Go back to the shadow' Gandalf

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
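
Added example, not part of the original thread and not FreeRADIUS code: a sketch of CHAP verification as defined in RFC 1994, showing why the server must be able to read the cleartext password, the point made in the quoted replies. The password, challenge, identifier and all function names are constructed for illustration, and the unsalted SHA-1 store is an assumed stand-in for a directory that keeps only a one-way hash.

```python
import hashlib
import hmac

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: response = MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def verify_chap(chap_password: bytes, challenge: bytes, stored: bytes) -> bool:
    """Check a RADIUS CHAP-Password value (1-byte identifier + 16-byte
    response, RFC 2865) against whatever the server has stored."""
    if len(chap_password) != 17:
        return False
    ident, response = chap_password[0], chap_password[1:]
    return hmac.compare_digest(response, chap_response(ident, stored, challenge))

def hashed_store(password: bytes) -> bytes:
    """Stand-in for a directory that keeps only a one-way hash of the
    password (assumption: unsalted SHA-1, for illustration)."""
    return hashlib.sha1(password).digest()

def demo():
    # Constructed sample values, not taken from the thread.
    password = b"s3cret-example"
    challenge = bytes(range(16))  # fixed so the run is repeatable
    ident = 7
    # What the NAS forwards after the client answers the challenge.
    chap_password = bytes([ident]) + chap_response(ident, password, challenge)

    # Server can read the cleartext: it recomputes the same MD5 and matches.
    with_cleartext = verify_chap(chap_password, challenge, password)
    # Server has only a hash: the client never hashed that value, so the
    # recomputed response cannot match.
    with_hash_only = verify_chap(chap_password, challenge, hashed_store(password))
    return with_cleartext, with_hash_only

if __name__ == "__main__":
    ok_clear, ok_hash = demo()
    print("server holds cleartext:", ok_clear)
    print("server holds only a hash:", ok_hash)
```
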
