Daniel Gomes wrote:
> Well, as I mentioned (a couple of times now), the LDAP server was indeed
> returning a password to FreeRADIUS, since radtest was always working
> fine.

No, it wasn't returning a password to FreeRADIUS. Go *read* the debug output. It will prove this.

When using PAP, the LDAP module looks for a password. If it doesn't get one, it then tries to do "bind as user". That is, it hands the username && password to the LDAP server, and asks "are these OK"?

When this happens, you're making your LDAP server do user authentication. This is wrong. LDAP is a database. RADIUS is an authentication server.

> So the problem wasn't in the LDAP server itself, because it does
> "return a password when an LDAP client queries it for a password" (as I
> also mentioned it, we are currently and successfully using it to
> authenticate other services).

Using PAP passwords.

> The problem was really related to MS-CHAP,
> and now that I changed to PAP, it all seems to be working fine...

Yes. For the reasons outlined above.

Your situation *isn't* the first time someone has had this issue. We're familiar with the problem && solution, where you are clearly not.

Alan DeKok.
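
The behaviour described in the reply above, modelled as an added example that is not part of the original message and is not FreeRADIUS code: with PAP the server holds the password the client sent and can fall back to "bind as user", while a challenge-response method such as MS-CHAP only works when the directory actually returns a password. All function names and the sample data are hypothetical, and HMAC-SHA256 stands in for the real MS-CHAP response calculation.

```python
import hashlib
import hmac

# Constructed sample directory entry (not from the thread).
DIRECTORY = {"daniel": b"s3cret"}

def ldap_lookup(user, readable):
    """Password attribute as seen by the RADIUS server, or None if the
    directory does not release it to the querying account."""
    return DIRECTORY.get(user) if readable else None

def ldap_bind(user, password):
    """'Bind as user': the directory itself judges the credentials."""
    stored = DIRECTORY.get(user)
    return stored is not None and hmac.compare_digest(stored, password)

def cr_response(password, challenge):
    """Stand-in for the MS-CHAP response calculation (HMAC-SHA256 here,
    NOT the real algorithm): the result depends on the password itself."""
    return hmac.new(password, challenge, hashlib.sha256).digest()

def authenticate(user, readable, pap_password=None, challenge=None, response=None):
    known = ldap_lookup(user, readable)
    if pap_password is not None:
        # PAP: the client sent the password, so it can be compared locally
        # or, failing that, handed to the directory in a bind.
        if known is not None:
            ok = hmac.compare_digest(known, pap_password)
            return "accept:local-compare" if ok else "reject"
        return "accept:bind-as-user" if ldap_bind(user, pap_password) else "reject"
    # Challenge-response: the client sent only a value derived from the
    # password, so there is nothing to bind with and nothing to compare
    # unless the directory returned the password.
    if known is None:
        return "fail:no-known-good-password"
    ok = hmac.compare_digest(cr_response(known, challenge), response)
    return "accept:local-compare" if ok else "reject"

CHALLENGE = b"\x01" * 16  # constructed challenge
CLIENT_RESPONSE = cr_response(b"s3cret", CHALLENGE)  # what the client would send
```

A PAP test succeeding through the bind path therefore says nothing about whether the directory hands a password back to the RADIUS server.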

