UPN for AD authentication

R3DNano r3dnano at gmail.com
Tue Jun 2 16:18:36 CEST 2020


Ok, I configured the LDAP module, and the user is found using a
"userPrincipalName" filter. However, now I get an error message: "ldap:
WARNING: No "known good" password added. Ensure the admin user has
permission to read the password attribute" - and the authentication fails.

At first, I thought that for some reason FreeRADIUS was not getting the
supplicant's password, but after some searching I understood this happens due
to the user performing the LDAP bind not having enough rights to see
passwords...

However, I'm using the same user as I was using with the bind option while
using SAM instead of UPN, and at the time the user "seemed" able to read
passwords.... at least, it was authenticating properly.


BTW, is it normal for the bind messages:

rlm_ldap (ldap): Connecting to ldap://xxx.xxx.xxx.xxx:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful

to appear AFTER the "User object found" one?


Am I missing anything?

On Tue, 2 Jun 2020 at 12:28, R3DNano <r3dnano at gmail.com> wrote:

> Thanks for your reply, Alan
> I've been reading some documentation and I guess I'm on the wrong path: I
> got everything working with winbind but, as far as I understood, this only
> works with SAM, and there's no (simple) way of doing UPN unless I switch to
> LDAP module, so I think I'll go down this path and see how it goes.
>
> Thanks!
>
> On Fri, 29 May 2020, 14:57 Alan DeKok, <aland at deployingradius.com> wrote:
>
>> On May 29, 2020, at 5:46 AM, R3DNano <r3dnano at gmail.com> wrote:
>> >
>> > AFAIK, when I authenticate my users via ntlm_auth (Samba AD bind,
>> etc.,
>> > not the LDAP module, as suggested by the docs), account names in SAM are
>> > used instead of UPN (please, correct me if I'm wrong)
>>
>>   You use whatever AD allows.  See the AD documentation for how AD works.
>>
>> > Is it possible to use UPN instead?
>>
>>   Some people do.  See the AD docs.
>>
>> > What drawbacks can we have if we do this?
>>
>>   The format of user names doesn't matter to FreeRADIUS.  So the only
>> issues are elsewhere.
>>
>>   Alan DeKok.
>>
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>
>
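
Configuration sketch, added here as an illustration and not part of the thread above nor of the FreeRADIUS default files, of how rlm_ldap (FreeRADIUS 3.0.x) is normally wired against Active Directory when the user is located by userPrincipalName. The hostname, service-account DN, base DN and CA path are placeholders. The point it shows: AD never exposes a readable password attribute over LDAP to any account, so the "known good" password path (mapping an attribute into control:Password-With-Header) cannot work against AD and the warning quoted in the message is expected. The user has to be authenticated by binding to AD as that user with the password from the request, which only works for PAP; MS-CHAP and EAP-MSCHAPv2 still need ntlm_auth.

```text
# mods-available/ldap  (FreeRADIUS 3.0.x) -- example, placeholder names
ldap {
	# LDAPS, because a bind-as-user check sends the user's PAP password
	# to the DC inside the LDAP session; it must not cross the wire in clear.
	server = 'ldaps://dc1.example.com:636'          # assumed hostname

	# Service account used only to locate the user object. Its rights do not
	# matter for the password: AD hands no readable password attribute to anyone.
	identity = 'CN=radius-svc,OU=Service Accounts,DC=example,DC=com'
	password = 'replace-me'

	base_dn = 'DC=example,DC=com'

	user {
		base_dn = "${..base_dn}"
		# Match on the full UPN (user@example.com) instead of sAMAccountName.
		filter = "(userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}})"
	}

	# No update { control:Password-With-Header += 'userPassword' } here:
	# there is nothing to read, which is exactly why rlm_ldap logs
	# 'No "known good" password added' against AD.

	tls {
		ca_file = /etc/ssl/certs/ad-root-ca.pem      # assumed path
		require_cert = 'demand'                       # verify the DC certificate
	}
}

# sites-available/default -- only the parts that matter for this flow
authorize {
	# (other modules here)
	ldap

	# User object was found by UPN but no password was retrieved:
	# authenticate by binding to AD as that user instead.
	if ((ok || updated) && User-Password) {
		update {
			control:Auth-Type := ldap
		}
	}
	# (other modules here)
}

authenticate {
	Auth-Type LDAP {
		ldap
	}
}
```

Two things to check when testing this with `radtest -t pap user@example.com <password> localhost 0 testing123` under `radiusd -X`: the debug output should show a second bind, this time as the located user DN, after "User object found"; and if the realm/suffix module runs earlier in authorize and a realm entry (or DEFAULT) matches the @domain without `nostrip`, Stripped-User-Name becomes the bare account name and the UPN filter will no longer match, so either mark that realm `nostrip` or use `%{User-Name}` in the filter.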

