More comments on EAP and LDAP, in the naive hope that people

	will read them.

diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in
index 150e444..d479d14 100644 (file)
--- a/raddb/radiusd.conf.in
+++ b/raddb/radiusd.conf.in
@@ -712,10 +712,24 @@ $INCLUDE ${confdir}/eap.conf
        # Lightweight Directory Access Protocol (LDAP)
        #
        #  This module definition allows you to use LDAP for
-       #  authorization and authentication (Auth-Type := LDAP)
+       #  authorization and authentication.
        #
        #  See doc/rlm_ldap for description of configuration options 
        #  and sample authorize{} and authenticate{} blocks 
+       #
+       #  This may be news to many people, but LDAP servers don't
+       #  understand EAP.  If you force "Auth-Type = LDAP", and then
+       #  send the server a request containing EAP authentication,
+       #  then it WILL NOT WORK.
+       #
+       #  The solution is to use the default configuration, which DOES
+       #  work.  In general, setting "Auth-Type = LDAP" is ALMOST ALWAYS
+       #  WRONG.  We really can't emphasize this enough.
+       #
+       #  Note that Active Directory is *not* a real LDAP server.  In
+       #  order to authenticate users in Active Directory, you have
+       #  to use ntlm_auth.  See the "mschap" module, above, for details.
+       #       
        ldap {
                server = "ldap.your.domain"
                # identity = "cn=admin,o=My Org,c=UA"