Normally, Radiator fetches the user's password attribute from the LDAP server using the PasswordAttr parameter and checks the password internally. This optional parameter causes the LDAP server to check the password instead. This is useful with LDAP servers that implement proprietary encryption algorithms in their passwords, or do not provide access to the password attribute. For example, Microsoft Active Directory does not provide read access to password information over LDAP.
When ServerChecksPassword is specified, the password checking is performed using an LDAP bind operation.
Here is an example of using ServerChecksPassword:
# We are using Active Directory
ServerChecksPassword
CAUTION
ServerChecksPassword is compatible with PAP, EAP-TTLS/PAP, and other authentication methods that provide a plain text password. ServerChecksPassword does not work with CHAP, MSCHAP, and most EAP methods since these do not provide a password Radiator can use with an LDAP bind operation.
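The following added example (not part of the Radiator documentation or code) shows why the caution above holds: a PAP User-Password decodes to plain text with the RADIUS shared secret (RFC 2865), while a CHAP-Password carries only an MD5 digest (RFC 1994). The shared secret, authenticator, challenge, password and the bind_password helper are constructed for illustration.

```python
import hashlib

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the NAS sends as User-Password (RFC 2865, section 5.2)."""
    n = max(16, -(-len(password) // 16) * 16)      # pad to a multiple of 16
    padded = password.ljust(n, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, n, 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def pap_recover(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the RADIUS server does: reverse the hiding to get plain text."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")

def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP response: MD5(id || password || challenge), one-way (RFC 1994)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def bind_password(request: dict, secret: bytes):
    """Hypothetical helper: plain text usable in an LDAP bind, or None."""
    if "User-Password" in request:
        return pap_recover(request["User-Password"], secret,
                           request["Authenticator"])
    return None  # CHAP-Password is a digest; there is nothing to bind with

# Constructed sample values, not taken from any real deployment.
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))
PASSWORD = b"correct horse battery"
CHALLENGE = bytes(range(16, 32))
PAP_REQUEST = {"Authenticator": AUTHENTICATOR,
               "User-Password": pap_hide(PASSWORD, SECRET, AUTHENTICATOR)}
CHAP_REQUEST = {"Authenticator": AUTHENTICATOR, "CHAP-Challenge": CHALLENGE,
                "CHAP-Password": bytes([1]) + chap_response(1, PASSWORD, CHALLENGE)}

if __name__ == "__main__":
    print("PAP  ->", bind_password(PAP_REQUEST, SECRET))
    print("CHAP ->", bind_password(CHAP_REQUEST, SECRET))
```

Verifying the CHAP response would require the server to already hold the plain text password and recompute the digest, which is exactly what is unavailable when the LDAP server keeps the password to itself.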
Note
In some cases, using ServerChecksPassword with HoldServerConnection may cause failure situations. This is due to some LDAP servers' behaviour when the password check fails but the connection is not closed. A failure situation may also occur when the password check succeeds but the user is not allowed to perform searches in the server. If your users experience unexpected authentication failures, try testing your system without using these 2 parameters together.