Sigh. We just went over this last week in the LEAP+LDAP thread. If you use the "password_attribute" setting in LDAP, it takes whatever value it gets from that attribute to be the password. This breaks anything that requires ntPassword.

So, for doing CHAP, if you have both userPassword and ntPassword defined for a given dn, the userPassword is preferred, unless it is not specified with the password_attribute, then the ntPassword will be used. If the userPassword has anything other than the cleartext password in it, then CHAP will not work.

I'd say your best bet would be 2 LDAP instances, one for PAP that specifies "password_attribute=userPassword" (or whatever is correct for your implementation), and then a different one for CHAP that does not specify "password_attribute", and will then use the ntPassword attribute.

To select from different auth sources (ie: 2 LDAP instances), look at doc/Autz-Type. In fact, this exact situation is described with 2 ldap instances in that file.

-Matt
MNU Internet System Administrator
MNU Network Security Administrator

--- Original Message Below ---
From: "Lai Fu Keung" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: PAP authentication with LDAP
Date: Mon, 27 Oct 2003 16:11:49 +0800

On 24 Oct 2003 at 11:41, Kostas Kalevras wrote:

> > I read the document that MS-CHAP can also use NT-Password. So I am
> > thinking to have PAP to use crypted userPassword and MS-CHAP to use
> > an encoded NT-Password eventually. Is it feasible?
>
> Yes. Check the recent thread on 'NT passwords and LEAP'

Sorry, a bit lost on how this can be done. Is it possible to have the userPassword and NT-Password in the same DN in LDAP? In LDAP module configuration, what value should I specify for "password_attribute"? Or should I create 2 instances of LDAP modules (in 'modules' section), each specifying 2 different password attributes? How will each authentication protocol (PAP, MS_CHAP, e.g.) then point to different LDAP modules to bind the corresponding passwords?

Lai

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
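
Why a hashed userPassword still works for PAP but not for CHAP, as an added example that is not part of the original messages and not FreeRADIUS code. It assumes standard CHAP as defined in RFC 1994 and the LDAP {SHA} storage scheme; the function names and the sample password are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os


def ldap_sha(password: bytes) -> str:
    """Encode a password the way an LDAP {SHA} userPassword value is stored."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password).digest()).decode()


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: response = MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def pap_verify(stored: str, offered: bytes) -> bool:
    """PAP delivers the password itself, so the server can hash it and compare."""
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(stored, ldap_sha(offered))
    return hmac.compare_digest(stored.encode(), offered)


def chap_verify(stored: str, ident: int, challenge: bytes, response: bytes) -> bool:
    """CHAP delivers only a digest; the server must recompute it from the
    stored value, which only matches if that value is the cleartext."""
    expected = chap_response(ident, stored.encode(), challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    password = b"example-password"          # constructed sample value
    ident, challenge = 7, os.urandom(16)    # sent by the server to the client
    response = chap_response(ident, password, challenge)  # computed by the client
    hashed, clear = ldap_sha(password), password.decode()
    return {
        "pap_hashed": pap_verify(hashed, password),
        "pap_clear": pap_verify(clear, password),
        "chap_hashed": chap_verify(hashed, ident, challenge, response),
        "chap_clear": chap_verify(clear, ident, challenge, response),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accept' if ok else 'reject'}")
```

Only the CHAP check against the hashed value is rejected, which is the case the reply warns about.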
