I have an openldap server populated with about 300 users, all have MD5 passwords. I've got a cisco AS5200 router that is hosting one 24 channel PRI line. It's using CHAP. I have read a bunch about all this and know that CHAP requires the passwords to be stored as plaintext. Indeed my configuration works fine if I change the ldap password to plaintext. However I would really rather not have all my passwords stored this way. All my users in ldap have perms to read themselves; is it possible to have freeradius permit based on whether a rebind as the user succeeds?

For example: first freeradius binds as the admin and searches for the dn of the supplied uid, gets the dialupAllow attribute, then rebinds as the dn and password. If the bind is successful and the dialupAllow attribute exists, then radius allows access. This behavior removes the stored encryption from the equation. Looking at the debug info, it looks like that's what's happening when you do a radiustest (which works) on it anyway? This is also how qmail-ldap handles its authentication. Thanks for the help :)

-- 
Entelin <[EMAIL PROTECTED]>

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
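The search-then-rebind flow the post describes is what FreeRADIUS's rlm_ldap module does when a request is handled with Auth-Type LDAP: in authorize it binds with the configured admin identity, searches for the user's DN and can require an access attribute (the post's dialupAllow), and in authenticate it binds as that DN with the password carried in the request. The fragment below is an added example written for this page, not taken from the post or from the FreeRADIUS project; the server name, admin DN, base DN and the FreeRADIUS 2.x file layout (raddb/modules/ldap and raddb/sites-available/default) are assumptions. The check a practitioner needs is in the authorize block: a bind can only be attempted when the request carries a cleartext User-Password, which PAP supplies. A CHAP request carries only CHAP-Password, a hash over the challenge, so the server can verify it only if it can read the cleartext password from the directory; with this configuration a CHAP request is never switched to Auth-Type LDAP and is rejected rather than silently accepted.

```conf
# --- raddb/modules/ldap  (FreeRADIUS 2.x layout, assumed) ---
ldap {
    # Assumed server and admin credentials. The admin bind is used only
    # to find the user's DN; it is never used to authenticate the user.
    server   = "ldap.example.com"
    identity = "cn=admin,dc=example,dc=com"
    password = "ADMIN-BIND-PASSWORD"     # placeholder
    basedn   = "ou=people,dc=example,dc=com"

    # Locate the entry for the User-Name in the request.
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

    # The entry must carry this attribute (name taken from the post) or
    # authorize returns reject, before any bind as the user is attempted.
    access_attr = "dialupAllow"

    # password_attribute is deliberately left unset: the {MD5} hash in
    # userPassword is never copied into the request, so the only thing
    # that can authenticate the user is a successful bind as their own DN.
}

# --- raddb/sites-available/default (relevant sections only) ---
authorize {
    preprocess
    ldap
    # Only a request that carries a cleartext User-Password (PAP) can be
    # checked by binding to the directory. A CHAP request has no such
    # attribute, so no Auth-Type is set for it and the server rejects it
    # instead of accepting it unverified.
    if ((ok || updated) && User-Password) {
        update control {
            Auth-Type := LDAP
        }
    }
}

authenticate {
    # rlm_ldap binds as the DN found in authorize, using User-Password.
    # Bind success -> Access-Accept, bind failure -> Access-Reject.
    Auth-Type LDAP {
        ldap
    }
}
```

Running the server with `radiusd -X` and sending a PAP request with radtest shows the two binds in sequence: the admin bind and search during authorize, then the bind as the user's DN during authenticate, which matches the behaviour the post observed in the debug output. The router side has to send PAP for this path to apply; as long as the PRI is configured for CHAP, the bind-based check cannot run.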