Question about LDAP authentication

Alan DeKok aland at deployingradius.com
Wed Jul 25 14:37:08 CEST 2018


On Jul 25, 2018, at 8:20 AM, Petit, Benoit <b.petit at bell.ca> wrote:
> I have a quick question about LDAP authentication. The radius authentication is working but when I check the logs in debug mode I get a warning concerning LDAP. I'm wondering if this warning is important and how I can get rid of it. I put the ldap auth in the /raddb/sites-available/default file but the following warning keeps coming back, even though the user's attributes are passed:
> 
> radiusd: FreeRADIUS Version 2.2.6, for host x86_64-redhat-linux-gnu, built on Jul 11 2017 at 04:40:14

  You really do need to upgrade to 2.2.10.  It's 100% configuration compatible with 2.2.6, and contains a number of security fixes and bug fixes.

>  [ldap] radiusClass -> Class = 0x61646d696e
> WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?

  You're probably using Active Directory.  Or, the admin user doesn't have permission to read the user's password, and you're doing "bind as user".

> [ldap] Setting Auth-Type = LDAP
>  [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] = ok
> 
> The logs then continue

  ... and explain *why* you're getting an Access-Accept.  Reading them will be helpful.

> and I receive an Accept-Accept for the session. Is this warning relevant and how can I get rid of it?

  The warning is there because many people configure LDAP and FreeRADIUS incorrectly, and get Access-Reject.  Then, wonder why it happened.

  Well, the message is there to tell them the likely source of the error.

  If you're getting Access-Accept, it's fine.  And the only way to get rid of the message is editing the source code.  Which you don't want to do.

 And it's only a warning.  It's not an error.  It can be safely ignored.

  Alan DeKok.
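
Added example, not part of the original post and not FreeRADIUS project code: a small triage script that applies the rule from the reply above, pairing each occurrence of the LDAP warning in debug output with the reply sent for the same request. The debug excerpt is constructed, and the "rad_recv:" and "Sending ... of id N" line shapes are assumed to match FreeRADIUS 2.x debug output.

```python
import re

# Constructed debug excerpt (not from the original post). The rad_recv and
# "Sending ..." line shapes are assumptions about FreeRADIUS 2.x debug output.
SAMPLE_DEBUG = '''\
rad_recv: Access-Request packet from host 192.0.2.10 port 40001, id=11, length=74
 [ldap] radiusClass -> Class = 0x61646d696e
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap] Setting Auth-Type = LDAP
++[ldap] = ok
Sending Access-Accept of id 11 to 192.0.2.10 port 40001
rad_recv: Access-Request packet from host 192.0.2.10 port 40002, id=12, length=74
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
++[ldap] = ok
Sending Access-Reject of id 12 to 192.0.2.10 port 40002
rad_recv: Access-Request packet from host 192.0.2.10 port 40003, id=13, length=74
Sending Access-Accept of id 13 to 192.0.2.10 port 40003
'''

RECV = re.compile(r"rad_recv: Access-Request packet from host \S+ port \d+, id=(\d+)")
SEND = re.compile(r"Sending (Access-Accept|Access-Reject) of id (\d+) ")
WARN = 'No "known good" password was found in LDAP'

def triage(debug_text):
    """Return [(request_id, reply, verdict)] for every request that got a reply."""
    warned, current, results = {}, None, []
    for line in debug_text.splitlines():
        m = RECV.search(line)
        if m:
            current = int(m.group(1))      # later lines belong to this request
            warned[current] = False
        elif WARN in line and current is not None:
            warned[current] = True
        else:
            m = SEND.search(line)
            if m and int(m.group(2)) in warned:
                rid = int(m.group(2))      # match by id: rejects can be delayed
                reply = m.group(1)
                if not warned.pop(rid):
                    verdict = "no warning"
                elif reply == "Access-Accept":
                    verdict = "warning can be ignored"
                else:
                    verdict = "warning is the likely cause of the reject"
                results.append((rid, reply, verdict))
    return results

if __name__ == "__main__":
    print(triage(SAMPLE_DEBUG))
```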



