Check LDAP password with SHA512

Will W. will at damagesinc.net
Tue Feb 2 21:58:44 CET 2016


The LDAP server is already in service for VPN access and all users authenticate,
but to clarify, both user accounts are identical other than the username. The only difference I can see is that the bind user is the user account that binds the FreeRADIUS server to LDAP.
So the bind user being able to look himself up isn't really a win, as none of the other users in the system can be authenticated.


> On Feb 2, 2016, at 12:54 PM, Alan DeKok <aland at deployingradius.com> wrote:
> 
> On Feb 2, 2016, at 3:45 PM, Will W. <will at damagesinc.net> wrote:
>> 
>> it is the radiusd -X output of the radtest; here are the fail and success
> 
>  This ends up not being complicated.  Reading the debug output helps.
> 
>> Success
> ...
>> rlm_ldap (ldap) - Bind successful
>> (1)      ldap (updated)
>> (1)      pap - Converted: Password-With-Header -> Crypt-Password
> 
>  That's clear.
> 
>> Fail
> ...
>> (0)      ldap - User object found at DN "uid=user,ou=Users,dc=myhost,dc=com"
>> (0)      ldap - Processing user attributes
>> (0)      ldap - WARNING: No "known good" password added.  Set 'identity' to
>> the dn of an account that has permission to read the user's password
>> attribute
> 
>  If only the server produced useful error messages.
> 
>  This isn't rocket science.  For the "success" case, the user has a password in LDAP.  For the "fail" case, the user doesn't have a password in LDAP.  Or, the user doesn't have permission to read the password.
> 
>  Have you tried checking the user entries in LDAP?
> 
>  Alan DeKok.
> 
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
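The distinction Alan draws between the two debug traces is what rlm_pap does with a "known good" password once the ldap module has fetched it: it strips the scheme header from the userPassword value, decodes it, and compares against the cleartext the client sent. The script below is an added example written for this thread, not FreeRADIUS code (rlm_pap is C and also handles {CRYPT}, {NT} and others); it covers the RFC 2307-style {SHA512}/{SSHA512} headers named in the subject, with the OpenLDAP layout of digest followed by salt, and it models the failure case from the "Fail" trace, where the attribute never reaches the server at all, so there is nothing to compare. The directory entries, bind DN and ACL simulation are constructed for illustration.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional

# RFC 2307-style headers handled here: scheme -> (hashlib name, salted?).
# Salted variants store digest || salt inside the base64 blob.
DIGESTS = {
    "SHA": ("sha1", False),
    "SSHA": ("sha1", True),
    "SHA256": ("sha256", False),
    "SSHA256": ("sha256", True),
    "SHA512": ("sha512", False),
    "SSHA512": ("sha512", True),
}


def make_ldap_password(cleartext: str, scheme: str, salt: bytes = b"") -> str:
    """Build a userPassword value such as '{SSHA512}<base64(digest || salt)>'."""
    algo, salted = DIGESTS[scheme]
    if not salted:
        salt = b""
    digest = hashlib.new(algo, cleartext.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())


def check_password(known_good: Optional[str], cleartext: str) -> str:
    """Mimic the pap decision on a fetched userPassword value.

    Returns 'ok' (accept), 'reject' (mismatch or malformed) or 'noop'
    (no known-good password was supplied, which is the WARNING in the
    failing trace: pap has nothing to compare against).
    """
    if known_good is None:
        return "noop"
    if not (known_good.startswith("{") and "}" in known_good):
        # A headerless value is treated as cleartext.
        ok = hmac.compare_digest(known_good.encode(), cleartext.encode())
        return "ok" if ok else "reject"
    header, b64 = known_good[1:].split("}", 1)
    scheme = header.upper()
    if scheme not in DIGESTS:
        return "reject"  # e.g. {CRYPT}: handled by crypt(3) in the real module
    algo, salted = DIGESTS[scheme]
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return "reject"
    size = hashlib.new(algo).digest_size
    if len(blob) < size or (not salted and len(blob) != size):
        return "reject"
    digest, salt = blob[:size], blob[size:]
    expected = hashlib.new(algo, cleartext.encode() + salt).digest()
    return "ok" if hmac.compare_digest(digest, expected) else "reject"


# Constructed directory: two users with identical attributes apart from uid.
# The bind DN is one of them, as in the original post.
BIND_DN = "uid=radius,ou=Users,dc=myhost,dc=com"
DIRECTORY: Dict[str, Dict[str, str]] = {
    BIND_DN: {"userPassword": make_ldap_password("bindpw", "SSHA512", b"s4lt")},
    "uid=user,ou=Users,dc=myhost,dc=com": {
        "userPassword": make_ldap_password("s3cret", "SSHA512", b"NaCl")
    },
}


def fetch_entry(dn: str, bind_dn: str, others_readable: bool) -> Dict[str, str]:
    """Model what the LDAP client sees under a 'by self write by * none'
    style ACL on userPassword: the attribute is simply absent unless the
    bind DN is the entry itself or the ACL grants it read on everyone."""
    entry = dict(DIRECTORY.get(dn, {}))
    if dn != bind_dn and not others_readable:
        entry.pop("userPassword", None)
    return entry


def authenticate(dn: str, cleartext: str, bind_dn: str = BIND_DN,
                 others_readable: bool = False) -> str:
    entry = fetch_entry(dn, bind_dn, others_readable)
    return check_password(entry.get("userPassword"), cleartext)


if __name__ == "__main__":
    # Bind user authenticating itself: the attribute is readable -> 'ok'.
    print(authenticate(BIND_DN, "bindpw"))
    # Any other user with the same ACL: attribute invisible -> 'noop'.
    print(authenticate("uid=user,ou=Users,dc=myhost,dc=com", "s3cret"))
    # Same user once the bind DN may read userPassword -> 'ok'.
    print(authenticate("uid=user,ou=Users,dc=myhost,dc=com", "s3cret",
                       others_readable=True))
```

The 'noop' path is the one to look for: a user whose password is stored but not readable by the bind identity looks, from the client side, exactly like a user with no password at all. On OpenLDAP the stock ACL shape `to attrs=userPassword by self write by anonymous auth by * none` produces precisely that, and the fix is either to set `identity` in the ldap module to a DN with `read` on `userPassword`, or to grant that to the existing bind DN.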