LDAP + SASL Freeradius 3.0.11

Danner, Mearl jmdanner at samford.edu
Fri May 6 20:52:12 CEST 2016



> -----Original Message-----
> From: Freeradius-Users [mailto:freeradius-users-
> bounces+jmdanner=samford.edu at lists.freeradius.org] On Behalf Of
> Matthew Beckler
> Sent: Friday, May 06, 2016 1:15 PM
> To: freeradius-users at lists.freeradius.org
> Subject: Re: LDAP + SASL Freeradius 3.0.11
> 
> 
> ________________________________
> From: Danner, Mearl <jmdanner at samford.edu>
> Sent: Thursday, May 5, 2016 7:46 PM
> To: freeradius-users at lists.freeradius.org
> Subject: RE: LDAP + SASL Freeradius 3.0.11
> 
> > Sometimes cn is not equal to samaccountname.
> I have verified the cn is identical to the samaccountname. I even renamed
> the account to make sure it was correct.
> 
> > In ad cn is a multivalued attribute. Make sure that the user only has one
> value in cn and use that value.
> I have verified this as well.
> 
> I think 52e return specifically means invalid password from my research. It
> means username valid password/credential invalid.
> 
> I wonder if something is happening to the password before it gets sent. I
> commented out sasl mech and did a tcpdump and the password
> looked correct in the packet.
> 
> Also I did tcpdump both with running ldapsearch that worked and freeradius
> -X that did not, and what is human readable in the capture is very
> similar.
> 
> 

Can't think of much more. Have you tried the ldapsearch without SASL i.e.:

ldapsearch -x -h host -b basedn -D binddn -W
