Entelin <[EMAIL PROTECTED]> wrote:
> It's using CHAP, I have read a bunch about all this and know
> that CHAP requires the passwords to be stored as plaintext. Indeed my
> configuration works fine if I change the ldap password to plaintext.
> However I would really rather not have all my passwords stored this way.

  Then don't use CHAP.

> All my users in ldap have perms to read themselves, is it possible to
> have freeradius permit based on whether a rebind as the user succeeds?

  Uh... the server already does that, if you set Auth-Type := LDAP.

> First freeradius binds as the admin and searches for the dn of the
> supplied uid, and gets the dialupAllow attribute.
> 
> Then it rebinds as the dn and password; if the bind is successful and the
> dialupAllow attribute exists then radius allows access.

 The server does that already.  Authorize, then authenticate.

> This behavior removes the stored encryption from the equation.

  No, because the password used to authenticate doesn't exist.  The
server only has a CHAP password, which the LDAP server won't accept.

> Looking at the debug info, it looks like that's what's happening when
> you do a radiustest (which works) on it anyway?

  Exactly.

  So what's the problem?  You've just described how you want the
server to work, which is exactly how the server currently works.

  If you want CHAP to work with LDAP, you MUST store the plain-text
password in LDAP, and then let the server use that to do the CHAP
authentication itself.  The LDAP module then does NOT authenticate the
user, and the user does NOT bind to the LDAP server.

  Stop trying to work around CHAP.  You can't.  It was designed to
require a plain-text password.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
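As an added illustration of the point made in the reply above (not code from this thread or from FreeRADIUS), here is a constructed Python model of both flows: a PAP request can be checked by binding as the user against a hashed userPassword, while a CHAP response (RFC 1994: MD5 over identifier, secret and challenge) can only be recomputed when the directory holds the cleartext password. The {SSHA} handling, the directory contents and the request shapes are assumptions made for the demo.

```python
import base64
import hashlib

# Constructed stand-in for an LDAP directory (uid -> userPassword), using the
# OpenLDAP {SSHA} and {CLEARTEXT} storage schemes. Sample data, not real users.
def ssha(password: bytes, salt: bytes) -> str:
    """{SSHA}: base64(SHA1(password || salt) || salt), as OpenLDAP stores it."""
    return "{SSHA}" + base64.b64encode(hashlib.sha1(password + salt).digest() + salt).decode()

DIRECTORY = {
    "hashed-user": ssha(b"s3cret", b"\x01\x02\x03\x04"),
    "clear-user": "{CLEARTEXT}s3cret",
}

def ldap_bind(uid: str, password: bytes) -> bool:
    """Simulated simple bind: the directory compares the supplied password with
    its stored form, so the bind works whether storage is hashed or cleartext."""
    stored = DIRECTORY.get(uid)
    if stored is None:
        return False
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]
        return hashlib.sha1(password + salt).digest() == digest
    if stored.startswith("{CLEARTEXT}"):
        return stored[len("{CLEARTEXT}"):].encode() == password
    return False

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def radius_authenticate(uid: str, request: dict) -> tuple:
    """Decide an Access-Request (hypothetical helper). PAP carries the password,
    so the server can bind as the user. CHAP carries only a hash of the secret
    and the challenge, so the server must recompute it from the cleartext."""
    if request["type"] == "PAP":
        return ldap_bind(uid, request["password"]), "bind-as-user"
    stored = DIRECTORY.get(uid, "")
    if not stored.startswith("{CLEARTEXT}"):
        # Nothing to recompute with: an SSHA digest cannot be combined with the
        # challenge, and the response cannot be submitted to an LDAP bind.
        return False, "CHAP needs cleartext password; stored form is " + stored[:6]
    secret = stored[len("{CLEARTEXT}"):].encode()
    expected = chap_response(request["id"], secret, request["challenge"])
    return expected == request["response"], "chap-recompute"
```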
