Freeipa and Freeradius integration

Arran Cudbard-Bell a.cudbardb at freeradius.org
Mon Apr 13 15:59:06 CEST 2015


> "uid=user,cn=users,cn=compat,dc=companyname,dc=local"
> (0) ldap : Processing user attributes
> (0) WARNING: ldap : No "reference" password added. Ensure the admin
> user has permission to read the password attribute
> (0) WARNING: ldap : PAP authentication will *NOT* work with Active
> Directory (if that is what you were trying to configure)
> rlm_ldap (ldap): Released connection (4)
> rlm_ldap (ldap): Closing connection (0): Too many free connections (5 > 3)
> (0)   [ldap] = ok
> (0)   [expiration] = noop
> (0)   [logintime] = noop
> (0) WARNING: pap : No "known good" password found for the user.  Not
> setting Auth-Type.
> (0) WARNING: pap : Authentication will fail unless a "known good"
> password is available.
> (0)   [pap] = noop
> (0)  } #  authorize = ok
> (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
> ===============================================================
> 
> Can FreeRadius handle this type of userPassword (since it seems to be hashed)?

Yes, though you should map it to control:Password-With-Header, and run the pap module
after the ldap module.

At this point it's probably time to break out Wireshark and look at the requests/responses;
you'll probably find that the LDAP server still isn't sending back a value for that
attribute.

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS development team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
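
The reply above depends on the stored userPassword value carrying a "{SCHEME}" header that says how it was hashed. The following is an added example, not part of the original message and not FreeRADIUS code, showing how such a value can be checked against the cleartext password a PAP request carries. The function names and sample values are constructed for illustration, and only {SHA}, {SSHA}, {MD5}, {SMD5} and headerless cleartext are handled.

```python
import base64
import hashlib
import hmac

# hashlib algorithm name and digest length for each header scheme handled here.
SCHEMES = {
    "SHA": ("sha1", 20), "SSHA": ("sha1", 20),
    "MD5": ("md5", 16), "SMD5": ("md5", 16),
}
SALTED = {"SSHA", "SMD5"}

def split_header(stored):
    """Split '{SCHEME}data' into (SCHEME, data); no header means cleartext."""
    if stored.startswith("{") and "}" in stored:
        scheme, data = stored[1:].split("}", 1)
        return scheme.upper(), data
    return "CLEARTEXT", stored

def check_password(stored, supplied):
    """Return True if the supplied cleartext matches the stored value."""
    scheme, data = split_header(stored)
    candidate = supplied.encode("utf-8")
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(data.encode("utf-8"), candidate)
    if scheme not in SCHEMES:
        raise ValueError("unsupported password scheme: " + scheme)
    algo, size = SCHEMES[scheme]
    try:
        raw = base64.b64decode(data, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    digest, salt = raw[:size], raw[size:]
    # Salted schemes append the salt after the digest; unsalted ones carry none.
    if len(digest) != size or bool(salt) != (scheme in SALTED):
        return False
    expected = hashlib.new(algo, candidate + salt).digest()
    return hmac.compare_digest(digest, expected)

def make_ssha(password, salt):
    """Build a constructed {SSHA} value for the demonstration below."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

if __name__ == "__main__":
    sample = make_ssha("correct horse", b"\x01\x02\x03\x04")  # constructed value
    print(sample, check_password(sample, "correct horse"))
```

If the LDAP server never returns the attribute, there is nothing to split or compare, which is the situation the "No known good password" warnings in the quoted debug output describe.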
