On Mon, 2018-10-01 at 09:00 +0000, Thorsten Fritsch wrote:
It's logical that there is no good password if no user is found - but in my eyes it's a kind of misleading information which could easily lead to the wrong conclusion there must be a problem with the password. I recommend to leave this out if the LDAP search is failing altogether:
The LDAP message comes from the LDAP module. The "no known good password" message comes from the PAP module. Neither module knows anything about any of the modules that come before or after it, and the PAP module could have been supplied a password from many other modules. So for example you run rlm_ldap, then rlm_sql, then rlm_files to try and find a password, then rlm_pap to check the password. rlm_pap can use a password that any of the previous modules found. If there isn't a password, there's not much it can do apart from say "I can't find a password". -- Matthew