Thibault Le Meur <[EMAIL PROTECTED]> wrote:
> * the inner PAP authentication is "processed" by the ldap module in
> which I don't need to define which password hashing method is used (I
> use at least CRYPT _and_ MD5 in the same directory for historical
> reasons)

Version 2.0 has fixes that make it much easier to handle multiple hashing types in the same LDAP database.

> * I don't need to have freeradius _read_ the passwords from the
> directory: the DN identity defined in the ldap module can only have
> auth and read access to radius entries but not to the passwords (which
> in my point of view is more secure)

If all you're doing is PAP, sure. Most wireless deployments use PEAP, and then people wonder why "bind as user" doesn't work. It's frustrating.

> Again, I might not have caught your meaning: Are you saying that in the
> future the standards ldap module will be only an authorization module,
> and that a new ldap_bind module could be used in the authenticate
> section?

I think it's a good idea.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog

