Sorry, I had read the thread and could not identify what was going on. I got it now.
The information below is VERY helpful. Thanks very much.

Lai

On 27 Oct 2003 at 2:27, Matt Sapp wrote:

> Sigh. We just went over this last week in the LEAP+LDAP thread. If
> you use the "password_attribute" setting in LDAP, it takes whatever
> value it gets from that attribute to be the password. This breaks
> anything that requires ntPassword.
> So, for doing CHAP, if you have both userPassword and ntPassword
> defined for a given dn, the userPassword is preferred, unless it is not
> specified with the password_attribute, then the ntPassword will be
> used. If the userPassword has anything other than the cleartext
> password in it, then CHAP will not work.
>
> I'd say your best bet would be 2 LDAP instances, one for PAP that
> specifies "password_attribute=userPassword" (or whatever is correct
> for your implementation), and then a different one for CHAP that does
> not specify "password_attribute", and will then use the ntPassword
> attribute.
>
> To select from different auth sources (ie: 2 LDAP instances), look at
> doc/Autz-Type. In fact, this exact situation is described with 2 ldap
> instances in that file.
>
> -Matt
> MNU Internet System Administrator
> MNU Network Security Administrator
>
> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
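The quoted point that CHAP stops working once userPassword holds anything other than the cleartext password, shown as an added example that is not part of the original thread: PAP hands the server the password so it can be hashed and compared, while CHAP (RFC 1994) hands over only MD5(identifier || secret || challenge), which the server can recompute only from the cleartext secret. The `{MD5}` storage format, the sample password and all function names are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import os


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def ldap_md5(password: bytes) -> bytes:
    """Constructed stand-in for a hashed userPassword: {MD5}base64(md5(pw))."""
    return b"{MD5}" + base64.b64encode(hashlib.md5(password).digest())


def pap_check(submitted: bytes, stored: bytes) -> bool:
    """PAP delivers the password itself, so the server can hash it and compare."""
    if stored.startswith(b"{MD5}"):
        return hmac.compare_digest(ldap_md5(submitted), stored)
    return hmac.compare_digest(submitted, stored)


def chap_check(ident: int, challenge: bytes, response: bytes, stored: bytes) -> bool:
    """CHAP delivers only a digest; the server recomputes it from `stored`."""
    return hmac.compare_digest(chap_response(ident, stored, challenge), response)


def demo() -> dict:
    password = b"correct horse"            # constructed sample password
    ident, challenge = 7, os.urandom(16)   # server-chosen identifier and challenge
    response = chap_response(ident, password, challenge)  # what the client sends
    hashed = ldap_md5(password)            # what a hashed directory entry holds
    return {
        "pap_cleartext": pap_check(password, password),
        "pap_hashed": pap_check(password, hashed),
        "chap_cleartext": chap_check(ident, challenge, response, password),
        "chap_hashed": chap_check(ident, challenge, response, hashed),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:15} {'accept' if ok else 'reject'}")
```

Only the `chap_hashed` case is rejected: the same correct password authenticates over PAP against the hashed entry but cannot be verified over CHAP.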
