Stefan Winter wrote:

>> I've got LDAP working for PAP queries, but CHAP comes back with the
>> "rlm_chap: Could not find clear text password".
>
> AD and LDAP-mode don't work together. The AD server will not give away the
> user's attribute. If you want CHAP to work, you will need to use ntlm_auth.

Thanks for the responses guys.
Unfortunately I need to support CHAP because it is used by an external global dial-up provider which the freeradius machine is authenticating for. The whole idea of using LDAP was because the machine was in the DMZ, and LDAP would allow us to lock it down more by only allowing the bind user access to certain parts of the AD tree. If I use ntlm_auth, the box will have to be joined to the domain (from my understanding) - wouldn't this represent quite a big security risk? Will ntlm_auth also do PAP (used by another provider authenticating against the server), where the password is in clear text?

> There's also a great tutorial on the topic, which is
> referenced here quite often by Charles Schwartz, see the archives for that
> one as well.

It's at http://homepages.lu/charlesschwartz/radius/freeRadius_AD_tutorial.pdf I believe (for anyone else who wants to have a look).

Thanks,
Luke

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
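The "Could not find clear text password" error above comes down to how the two protocols work, so here is an added illustration (not code from the thread, from FreeRADIUS, or from the tutorial linked above). With PAP the client sends the password itself, so the server can check it against a cleartext value or against a stored hash. With CHAP (RFC 1994) the client sends only MD5(Identifier || password || Challenge), so the server must recompute that digest, which needs the password bytes themselves; a store that can only hand back a hash (or, as with AD here, nothing at all) cannot verify it. The user names, passwords, salt and challenge below are constructed sample data, and the two dictionaries stand in for a directory that does and does not release the password.

```python
"""PAP vs CHAP verification against two kinds of user store (constructed example)."""
import hashlib
import hmac

PASSWORD = b"correct horse battery"          # constructed sample secret
_SALT = b"\x01" * 16                         # constructed sample salt


def _hash_pw(password: bytes, salt: bytes) -> bytes:
    """One-way storage format for the 'hashed' store (SHA-256, salted)."""
    return hashlib.sha256(salt + password).digest()


# Store A: the directory hands rlm_chap a cleartext password.
CLEARTEXT_STORE = {"luke": ("cleartext", PASSWORD)}
# Store B: the directory only holds (or only releases) a one-way hash.
HASHED_STORE = {"luke": ("sha256", _SALT, _hash_pw(PASSWORD, _SALT))}


# ---- client side -----------------------------------------------------------
def pap_request(username: str, password: bytes) -> dict:
    """PAP carries the password itself (in RADIUS, the User-Password attribute)."""
    return {"user": username, "password": password}


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def chap_request(username: str, password: bytes, chap_id: int, challenge: bytes) -> dict:
    """CHAP carries only the digest; the password never leaves the client."""
    return {
        "user": username,
        "chap_id": chap_id,
        "challenge": challenge,
        "response": chap_response(chap_id, password, challenge),
    }


# ---- server side -----------------------------------------------------------
def verify_pap(req: dict, store: dict) -> bool:
    """Either store type works: we have the password, so compare or re-hash it."""
    entry = store.get(req["user"])
    if entry is None:
        return False
    if entry[0] == "cleartext":
        return hmac.compare_digest(entry[1], req["password"])
    _, salt, digest = entry
    return hmac.compare_digest(_hash_pw(req["password"], salt), digest)


def verify_chap(req: dict, store: dict):
    """Only a cleartext entry lets us recompute the client's digest.

    Returns True/False on a real comparison, or None when the store cannot
    supply the password (the point where rlm_chap logs 'Could not find clear
    text password' and the request is rejected).
    """
    entry = store.get(req["user"])
    if entry is None or entry[0] != "cleartext":
        return None
    expected = chap_response(req["chap_id"], entry[1], req["challenge"])
    return hmac.compare_digest(expected, req["response"])


if __name__ == "__main__":
    challenge = b"\xaa" * 16                 # constructed; real NAS sends random bytes
    pap = pap_request("luke", PASSWORD)
    chap = chap_request("luke", PASSWORD, 7, challenge)
    print("PAP  vs cleartext store:", verify_pap(pap, CLEARTEXT_STORE))
    print("PAP  vs hashed store:   ", verify_pap(pap, HASHED_STORE))
    print("CHAP vs cleartext store:", verify_chap(chap, CLEARTEXT_STORE))
    print("CHAP vs hashed store:   ", verify_chap(chap, HASHED_STORE))
```

The asymmetry is the whole story of the thread: a locked-down LDAP bind that cannot read a cleartext password attribute still supports PAP, because the RADIUS server can bind as the user or compare against a hash, but it can never satisfy CHAP. The same reasoning explains why ntlm_auth is a different animal: it verifies MS-CHAP, whose responses are derived from the NT hash that the domain does hold, whereas plain CHAP's MD5 is taken over the password bytes and no hash will do.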

