Norbert Wegener wrote:
>> Yes... because you are telling the server what the clear-text password
>> is supposed to be. If you tell the server TWICE, it will say OK twice.
>>
> Telling it twice in a check item?

Yes. You told the server what the "known good" password was.

> Please correct me, but my understanding of check items has been, that
> they have to be in the access request to match an entry.

No. Read "man users", or the comments at the top of the "users" file. The check items hold BOTH the comparison against the original password, AND the instructions for how the server should behave.

This is BROKEN, because it confuses people. 2.0 has a more complex configuration. But it's a LOT easier to understand why it works.

> The clear-text password is not in the original request. It is added
> during the processing of that request via ldap.

Yes. So?

> Depending on that value an entry of the users file should match.

No. Read "man users". Cleartext-Password is a configuration attribute. It is NOT an attribute that goes into a packet.

In 2.0.0-pre2, see "man unlang".

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

