LDAP Search failed due to ldap filter mismatch -> then information "no known good password found for the user"

Thorsten Fritsch thorsten.fritsch at unibas.ch
Mon Oct 1 11:00:41 CEST 2018


Hi,

Last week we had the problem that FR (3.0.15) authentications were failing for a user account which was missing a specific LDAP attribute queried by a custom-defined LDAP filter in /freeradius/ldap. A quick LDAP query showed that the filtered attribute was indeed missing.
It was kind of confusing to us that the Radius Debug Log contained the information "no known good password found for the user"
after the information "LDAP Search Returned no results".

The information "LDAP Search Returned no results" was helpful (better would be the more specific information "no ldap filter match" as the account did exist in LDAP - just not for FR as the filter did not match).

It's logical that there is no good password if no user is found - but in my eyes it's a kind of misleading information which could easily lead to the wrong conclusion that there must be a problem with the password. I recommend leaving this out if the LDAP search is failing altogether:

(6020) Thu Sep 27 16:04:11 2018: Debug: ldap: Waiting for search result...
(6020) Thu Sep 27 16:04:11 2018: Debug: ldap: Search returned no results
(6020) Thu Sep 27 16:04:11 2018: Debug:       [ldap] = notfound
(6020) Thu Sep 27 16:04:11 2018: Debug: reply_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
(6020) Thu Sep 27 16:04:11 2018: Debug: reply_log:    --> /var/log/freeradius/radacct/10.33.6.2/reply-detail-20180927
(6020) Thu Sep 27 16:04:11 2018: Debug: reply_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.33.6.2/reply-detail-20180927
(6020) Thu Sep 27 16:04:11 2018: Debug: reply_log: EXPAND %t
(6020) Thu Sep 27 16:04:11 2018: Debug: reply_log:    --> Thu Sep 27 16:04:11 2018
(6020) Thu Sep 27 16:04:11 2018: Debug:       [reply_log] = ok
(6020) Thu Sep 27 16:04:11 2018: WARNING: pap: No "known good" password found for the user.  Not setting Auth-Type
(6020) Thu Sep 27 16:04:11 2018: WARNING: pap: Authentication will fail unless a "known good" password is available

Thanks,
Thorsten
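
A triage helper for the situation described in this post, as an added example that is not part of the original message or of FreeRADIUS: it groups debug lines by request id and reports whether the pap warning followed an empty LDAP search or appeared on its own. Request 6020 is taken from the post; requests 6021 and 6022, the function name and the cause labels are constructed for illustration.

```python
import re
from collections import defaultdict

# Request-id prefix as it appears in the quoted debug output: "(6020) <date>: <level>: <text>"
LINE_RE = re.compile(r"^\((\d+)\)\s+(.*)$")
LDAP_EMPTY = "ldap: Search returned no results"
PAP_WARN = 'pap: No "known good" password found'

# Request 6020 comes from the post; 6021 and 6022 are constructed, and the
# lines are interleaved to show why grouping by request id is needed.
SAMPLE_LOG = """\
(6020) Thu Sep 27 16:04:11 2018: Debug: ldap: Waiting for search result...
(6020) Thu Sep 27 16:04:11 2018: Debug: ldap: Search returned no results
(6020) Thu Sep 27 16:04:11 2018: Debug:       [ldap] = notfound
(6021) Thu Sep 27 16:04:12 2018: Debug:       [ldap] = ok
(6020) Thu Sep 27 16:04:11 2018: WARNING: pap: No "known good" password found for the user.  Not setting Auth-Type
(6021) Thu Sep 27 16:04:12 2018: WARNING: pap: No "known good" password found for the user.  Not setting Auth-Type
(6022) Thu Sep 27 16:04:13 2018: Debug:       [ldap] = ok
"""

def classify(log_text):
    """Return {request_id: cause} for every request that logged the pap warning."""
    seen = defaultdict(set)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # line without a request-id prefix
        req, text = int(m.group(1)), m.group(2)
        if LDAP_EMPTY in text:
            seen[req].add("ldap_empty")
        if PAP_WARN in text:
            seen[req].add("pap_warn")
    causes = {}
    for req, flags in seen.items():
        if "pap_warn" not in flags:
            continue
        # Empty search in the same request: check the LDAP filter and the
        # account's attributes first; otherwise check the password attribute.
        causes[req] = ("ldap-search-empty" if "ldap_empty" in flags
                       else "password-attribute-missing")
    return causes

if __name__ == "__main__":
    for req, cause in sorted(classify(SAMPLE_LOG).items()):
        print(f"request {req}: {cause}")
```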


