UPN for AD authentication

Alan DeKok aland at deployingradius.com
Tue Jun 2 16:23:49 CEST 2020

On Jun 2, 2020, at 10:18 AM, R3DNano <r3dnano at gmail.com> wrote:
> Ok, I configured the LDAP module, the user is found using
> "userPrincipalName" filter, however, now I get an error message: "ldap:
> WARNING: No "known good" password added. Ensure the admin user has
> permission to read the password attribute" - and the authentication fails.


> At first, I thought for some reason, FreeRADIUS was not getting the
> supplicant's password, but after some search, I understood this happens due
> to the user performing the LDAP bind not having enough rights to see
> passwords...

  No, it's because AD won't send passwords over an LDAP query.  This is well documented.

  If the packet contains a User-Password attribute, you can "bind as user" to AD, and it will work.  For MS-CHAP, however, you must use ntlm_auth or winbind.  That's how it works.

> however, I'm using the same user as I was using with the bind option, while
> using SAM instead of UPN and at the time, the user "seemed" able to read
> passwords.... at least, it was authenticating properly.

  Because it was using PAP.  Read the debug output.

> BTW, is it normal for the bind messages :
> rlm_ldap (ldap): Connecting to ldap://xxx.xxx.xxx.xxx:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> To appear AFTER the "User object found" one?

  It depends.  If you just show 3 lines of debug output, I have no idea what else it's doing, or what it's configured to do.

  But yes, generally FreeRADIUS "does the right thing".  There's no magical setting which says "do stupid things".

  Alan DeKok.

More information about the Freeradius-Users mailing list