
List:       freeradius-users
Subject:    RE: CHAP-LDAP PAP-LDAP
From:       Kostas Kalevras <kkalev () noc ! ntua ! gr>
Date:       2002-03-28 9:06:11

On Wed, 27 Mar 2002, Michael S. McCollough wrote:

> I noticed in radiusd -X that PAP tries to bind to the ldap directory where
> CHAP appears to do a simple search/read. The bind status does not show up in
> the debug. Is there a way to make PAP behave like CHAP with the ldap module?

You would have saved yourself a lot of trouble if you just copied the
configuration I sent in my email. In any case let me explain what is happening.
You have in your authorize section:

authorize {
	chap
	ldap
	files
}

So chap runs first. If it finds out that we have a CHAP request it will set
Auth-Type to CHAP.
After that ldap runs. If Auth-Type has not been set (meaning that we have a PAP
request) it will by default set it to LDAP. So in the case of PAP requests you
end up calling the ldap module for authentication and not the pap module (they
are two different things).
So what you need to do is put files *before* ldap in the authorize section and
set the Auth-Type to PAP if it has not already been set by the chap module with
the following line in the users file:

DEFAULT	Auth-Type = PAP

Notice that we use '=' and not ':='. That way we set Auth-Type to PAP *only* if
it has not already been set.

After that add an authtype PAP section in the authenticate section (I am not
completely sure if it is needed though) like this:

authenticate {
	# [bla bla bla other modules]
	authtype PAP {
		pap
	}
}

and everything should work just fine.

--
Kostas Kalevras		Network Operations Center
kkalev@noc.ntua.gr	National Technical University of Athens, Greece
Work Phone:		+30 10 7721861
'Go back to the shadow'	Gandalf
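
The Auth-Type resolution described in the message above, as an added Python model (not FreeRADIUS code and not part of the original post). The module functions, the `control` dict and the sample requests are constructed for illustration and follow only the behaviour the message states.

```python
# Added model of the authorize pass; not FreeRADIUS code.
# Module behaviour follows only what the message describes.

def chap(request, control):
    # chap claims the request only if it carries a CHAP-Password
    if "CHAP-Password" in request:
        control["Auth-Type"] = "CHAP"

def ldap(request, control):
    # ldap defaults Auth-Type to LDAP when nothing has set it yet
    control.setdefault("Auth-Type", "LDAP")

def files(op):
    """Model of the users entry 'DEFAULT Auth-Type <op> PAP'."""
    if op not in ("=", ":="):
        raise ValueError("unsupported operator: " + op)
    def module(request, control):
        if op == ":=":
            control["Auth-Type"] = "PAP"            # always overwrite
        else:
            control.setdefault("Auth-Type", "PAP")  # set only if unset
    return module

def auth_type(modules, request):
    """Run the authorize modules in order, return the resulting Auth-Type."""
    control = {}
    for module in modules:
        module(request, control)
    return control.get("Auth-Type")

# Constructed sample requests (values are placeholders)
PAP_REQ = {"User-Name": "alice", "User-Password": "placeholder"}
CHAP_REQ = {"User-Name": "alice", "CHAP-Password": "placeholder"}

ORDERS = {
    "chap, ldap, files (=)": [chap, ldap, files("=")],
    "chap, files (=), ldap": [chap, files("="), ldap],
    "chap, files (:=), ldap": [chap, files(":="), ldap],
}

if __name__ == "__main__":
    for name, mods in ORDERS.items():
        pap, ch = auth_type(mods, PAP_REQ), auth_type(mods, CHAP_REQ)
        print(f"{name:24} PAP request -> {pap:5} CHAP request -> {ch}")
```

In this model only the second ordering sends PAP requests to PAP while leaving CHAP requests as CHAP; with `:=` the CHAP request is overwritten to PAP as well.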



