> I'm a little confused by how rlm_ldap is handling passwords. First let me
> state what I believe to be true, if I'm wrong on any of these
> assumptions please correct me.

They are, sort of, correct.

> Or am I just missing something?

You are looking at rlm_ldap in isolation. rlm_pap will "handle" these "bugs".

> It seems to me there are three bugs:
>
> 1) inserting PW_USER_PASSWORD into config instead of PW_CLEARTEXT_PASSWORD

That will happen in rlm_pap (which should always be listed in authorize).

> 2) not documenting auto_header

It's documented in rlm_pap. You are supposed to use that setting, not the one in rlm_ldap (I think that one is there for historical reasons).

> 3) if auto_header is enabled not defaulting to clear text if no prefix
> is supplied.

Again, that will happen in rlm_pap.

I believe that things are done this way in rlm_ldap because that code is from the time when User-Password was used as password configuration attribute. I am sure Alan will have a good explanation why rlm_ldap is left creating the User-Password attribute on the control list which then rlm_pap converts into appropriate password attribute. My guess is to avoid code duplication.

Ivan Kalik
Kalik Informatika ISP
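The conversion discussed in this message, sketched as an added example; it is not part of the original post and is not FreeRADIUS source. It models a stored value with a `{scheme}` header being mapped to a typed password attribute, with a value that has no recognised header treated as clear text. The function names, the header subset, and the bare-hash heuristic are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Illustrative subset of header -> attribute pairs (not copied from rlm_pap). */
static const struct { const char *header, *attr; } HEADERS[] = {
    { "{clear}", "Cleartext-Password" }, { "{cleartext}", "Cleartext-Password" },
    { "{crypt}", "Crypt-Password" },     { "{md5}", "MD5-Password" },
    { "{smd5}", "SMD5-Password" },       { "{sha}", "SHA-Password" },
    { "{ssha}", "SSHA-Password" },       { "{nt}", "NT-Password" },
};

/* Map a stored value to the attribute it should be compared as.
 * *value is set to the password data with any recognised header removed. */
const char *normalize_password(const char *stored, const char **value)
{
    size_t i;
    for (i = 0; i < sizeof(HEADERS) / sizeof(HEADERS[0]); i++) {
        size_t len = strlen(HEADERS[i].header);
        if (strncasecmp(stored, HEADERS[i].header, len) == 0) {
            *value = stored + len;
            return HEADERS[i].attr;
        }
    }
    *value = stored;               /* no recognised header: clear text */
    return "Cleartext-Password";
}

/* Heuristic assumed for this example: a value of exactly 32 or 40 hex digits
 * is probably an MD5/SHA-1 hash stored without its header, which the
 * default above would compare as a clear-text password. */
int unprefixed_hash_suspect(const char *stored)
{
    size_t n = strlen(stored);
    if (n != 32 && n != 40) return 0;
    return strspn(stored, "0123456789abcdefABCDEF") == n;
}

int main(void)
{
    /* Constructed sample directory values. */
    const char *samples[] = { "{SSHA}c2FtcGxl", "secret",
                              "0123456789abcdef0123456789abcdef" };
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        const char *value;
        const char *attr = normalize_password(samples[i], &value);
        printf("%-34s -> %s%s\n", samples[i], attr,
               unprefixed_hash_suspect(samples[i]) ? " (looks like a bare hash)" : "");
    }
    return 0;
}
```

Running a check like `unprefixed_hash_suspect` over directory exports is a quick way to find entries whose hash lost its header and would therefore be matched as a literal password.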