3.47.10. ServerChecksPassword

Normally, Radiator fetches the user's password attribute from the LDAP server using the PasswordAttr parameter and checks the password internally. This optional parameter causes the LDAP server to check the password instead. This is useful with LDAP servers that implement proprietary encryption algorithms for their passwords, or that do not provide access to the password attribute. For example, Microsoft Active Directory does not provide read access to password information over LDAP.
When ServerChecksPassword is specified, the password checking is performed using an LDAP bind operation.
Here is an example of using ServerChecksPassword:
# We are using Active Directory
ServerChecksPassword
CAUTION
ServerChecksPassword is compatible with PAP, EAP-TTLS/PAP, and other authentication methods that provide a plain text password. ServerChecksPassword does not work with CHAP, MSCHAP, and most EAP methods since these do not provide a password Radiator can use with an LDAP bind operation.
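The following Python sketch illustrates the caution above; it is an added example, not Radiator code or part of the Radiator documentation. It shows that a PAP User-Password can be recovered as plain text and handed to a bind, while a CHAP response is only a digest. The `ldap_bind` function is a constructed stand-in for a directory's simple bind, and all names and sample values are assumptions.

```python
import hashlib
import hmac

# Constructed sample values, not taken from any real deployment.
SECRET = b"shared-secret"
AUTHENTICATOR = bytes(range(16))          # 16-byte Request Authenticator
USER_DN = "cn=alice,dc=example,dc=com"
_DIRECTORY = {USER_DN: b"correct horse"}  # known only to the directory

def ldap_bind(dn, password):
    """Stand-in for an LDAP simple bind: answers yes/no, never reveals the password."""
    stored = _DIRECTORY.get(dn)
    return stored is not None and hmac.compare_digest(stored, password)

def pap_hide(password, secret, authenticator):
    """RFC 2865 section 5.2: how the RADIUS client hides User-Password."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def pap_recover(hidden, secret, authenticator):
    """Server side: the hiding is reversible, so the plain text password comes back."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def chap_response(chap_id, password, challenge):
    """RFC 1994: the client sends only MD5(id + password + challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def check_pap(dn, hidden):
    """PAP: recover the password and let the directory check it with a bind."""
    return ldap_bind(dn, pap_recover(hidden, SECRET, AUTHENTICATOR))

def check_chap(chap_id, challenge, response, stored_password=None):
    """CHAP needs the stored password to recompute the digest; returns None
    (undecidable) when the directory does not release it."""
    if stored_password is None:
        return None
    return hmac.compare_digest(chap_response(chap_id, stored_password, challenge), response)
```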
Note
In some cases, using ServerChecksPassword with HoldServerConnection may cause failure situations. This is due to the behaviour of some LDAP servers when the password check fails but the connection is not closed. A failure situation may also occur when the password check succeeds but the user is not allowed to perform searches in the server. If your users experience unexpected authentication failures, try testing your system without using these two parameters together.