#  -*- text -*-
#
#
#  $Id: 768dad502fb9a2fadc1fe2db27fa19a006173227 $

#######################################################################
#
#  = PAP Module
#
#  The `pap` module accepts a large number of formats for the _known good_ (reference)
#  password, such as crypt hashes, md5 hashes, and etc.
#  The module takes the `User-Password` and performs the necessary transformations of the
#  user submitted password to match the copy of the password the server has retrieved.
#
#  For instructions on creating the various types of passwords,
#  see http://www.openldap.org/faq/data/cache/347.html
#
#  The module looks for the `Password.With-Header` control attribute to find
#  the *"known good" password*. The attribute value comprises the header followed
#  immediately by the password data. The header is given by the following table.
#
#  [options="header,autowidth"]
#  |===
#  | Header       | Attribute           | Description
#  | {clear}      | Password.Cleartext  | Clear-text passwords.
#  | {cleartext}  | Password.Cleartext  | Clear-text passwords.
#  | {crypt}      | Password.Crypt      | Unix-style "crypt"ed passwords.
#  | {md5}        | Password.MD5        | MD5 hashed passwords.
#  | {base64_md5} | Password.MD5        | MD5 hashed passwords.
#  | {smd5}       | Password.SMD5       | MD5 hashed passwords, with a salt.
#  | {sha}        | Password.SHA        | SHA1 hashed passwords.
#  |              | Password.SHA1       | SHA1 hashed passwords.
#  | {ssha}       | Password.SSHA       | SHA1 hashed passwords, with a salt.
#  | {sha2}       | Password.SHA2       | SHA2 hashed passwords.
#  | {sha224}     | Password.SHA2       | SHA2 hashed passwords.
#  | {sha256}     | Password.SHA2       | SHA2 hashed passwords.
#  | {sha384}     | Password.SHA2       | SHA2 hashed passwords.
#  | {sha512}     | Password.SHA2       | SHA2 hashed passwords.
#  | {ssha224}    | Password.SSHA2-224  | SHA2 hashed passwords, with a salt.
#  | {ssha256}    | Password.SSHA2-256  | SHA2 hashed passwords, with a salt.
#  | {ssha384}    | Password.SSHA2-384  | SHA2 hashed passwords, with a salt.
#  | {ssha512}    | Password.SSHA2-512  | SHA2 hashed passwords, with a salt.
#  | {ssha3}      | Password.SHA3       | SHA3 hashed passwords.
#  | {ssha3-224}  | Password.SHA3-224   | SHA3 hashed passwords, with a salt.
#  | {ssha3-256}  | Password.SHA3-256   | SHA3 hashed passwords, with a salt.
#  | {ssha3-384}  | Password.SHA3-384   | SHA3 hashed passwords, with a salt.
#  | {ssha3-512}  | Password.SHA3-512   | SHA3 hashed passwords, with a salt.
#  | {nt}         | Password.NT         | Windows NT hashed passwords.
#  | {nthash}     | Password.NT         | Windows NT hashed passwords.
#  | {md4}        | Password.NT         | Windows NT hashed passwords.
#  | {x-nthash}   | Password.NT         | Windows NT hashed passwords.
#  | {ns-mta-md5} | Password.NS-MTA-MD5 | Netscape MTA MD5 hashed passwords.
#  | {x- orcllmv} | Password.LM         | Windows LANMAN hashed passwords.
#  | {X- orclntv} | Password.NT         | Windows NT hashed passwords.
#  |===
#
#  The module tries to be flexible when handling the various password for mats.
#  It will automatically handle Base-64 encoded data, hex strings, and binary data,
#  and convert them to a format that the server can  use.
#
#  If there is no `Password.With-Header` attribute, the module looks for one
#  of the `Password.Cleartext`, `Password.NT`, `Password.Crypt`, etc. attributes
#  as listed in the above table. These attributes should contain the relevant
#  format password directly, without the header prefix.
#
#  Only one control attribute should be set, otherwise the behaviour is undefined
#  as to which one is used for authentication.
#
#  NOTE: It is important to understand the difference between the `User-Password`
#  and `Password.Cleartext` attributes. The `Password.Cleartext` attribute is
#  the  *"known  good"* password for the user. Simply supplying the `Password.Cleartext`
#  to the server will result in most authentication methods working. The `User-Password`
#  attribute is the password as typed in by the user on their private machine.
#  The two are not the  same, and should be treated very differently. That is, you should
#  generally not use the `User-Password` attribute anywhere in the RADIUS configuration.
#
#  ## Configuration Settings
#
pap {
	#
	#  normalise::
	#
	#  By default the server will use heuristics to try and automatically
	#  handle base64 or hex encoded passwords. This behaviour can be
	#  stopped by setting the following to `no`.
	#
	#  The default is `yes`
	#
#	normalise = no

	#
	#  password_attribute:: Which attribute in the request should be used as
	#  the user's password when performing PAP authentication.
	#
#	password_attribute = &User-Password
}
