rlm_pap

Synopsis

The pap module performs authentication for Access-Request requests that contain a User-Password attribute.

The module accepts a large number of formats for the "known good" password, such as crypt passwords, md5 passwords, and etc. The module takes the User-Password and performs the necessary calculations to verify it against the "known good" password.

The module will look at the Password-With-Header attribute and will decode it to the correct form. It will also automatically handle base-64 encoded data, hex strings, and binary data. It will try to normalize any input attribute it sees in order to authenticate the user.

For instructions on creating the various types of passwords, see the LDAP FAQ.

Table 1. Headers understood by Password-With-Header
Header Attribute

{base64_md5}

MD5-Password

{clear}

Cleartext-Password

{cleartext}

Cleartext-Password

{crypt}

Crypt-Password

{md5}

MD5-Password

{ns-mta-md5}

NS-NTA-MD5-Password

{nt}

NT-Password

{nthash}

NT-Password

{smd5}

SMD5-Password

{sha2}

SHA2-Password

{sha384}

SHA2-Password

{sha256}

SHA2-Password

{sha512}

SHA2-Password

{sha}

SHA-Password

{ssha}

SSHA-Password

{ssha224}

SSHA-224-Password

{ssha256}

SSHA-256-Password

{ssha384}

SSHA-384-Password

{ssha512}

SSHA-512-Password

{x-nthash}

NT-Password

{x-orcllmv}

LM-Password

{x-orclntv}

NT-Password

Processing Sections

authorize

When listed in the authorize section, the pap module will look for a User-Password attribute. If one is found, and no Auth-Type or Proxy-To-Realm attribute is set, the module will set Auth-Type := pap.

Return codes

noop The module detected that PAP authentication could not be performed and did nothing.

updated The module detected that PAP authentication could be performed and set Auth-Type := PAP.

authenticate

When listed in the authenticate section, the pap module will perform PAP authentication.

Return codes

invalid The administrator erroneously set Auth-Type := PAP. The module is unable to perform PAP authentication.

fail No "known good" password was found. The module is unable to perform PAP authentication.

reject The user failed authentication.

ok The user succeeded in authenticating.

Expansions

None.

Directives

normalize
Syntax

normalize = boolean

Default

yes

Description