On Fri, Apr 10, 2015 at 6:15 PM, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
Problem is I still get:
(0) WARNING: ldap : No "reference" password added. Ensure the admin user has permission to read the password attribute (0) WARNING: ldap : PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
How can I test if the password is correct? And are there references I can use (maybe a good general "Freeradius-ldap" guide?). Thanks so
You need to check if ldapsearch returns the userPassword attribute when bound with the credentials you configured for FR.
The server is warning you that you had a mapping between an LDAP attribute, and a RADIUS attribute it knows is used to store the users password, but that the mapping was skipped because the LDAP server didn't return a value for that attribute.
Thanks so far, this helps. I tested and it indeed turned out I did not receive the userPassword attribute. I do get something like it back using `identity = "cn=Directory Manager"`, so I am using that now. Doing a ldapsearch gives me: [user@auth1 ~]$ ldapsearch -x -v -W -D 'cn=Directory Manager' uid=user | grep userP ldap_initialize( <DEFAULT> ) Enter LDAP Password: filter: uid=user requesting: All userApplication attributes userPassword:: e1NTS***************************************************************UE9PQ= userPassword is base64 encoded. Doing a base64 -d gives me "{SSHA}a3By*******************8kwtali5aA". Radius output is: =============================================================== (0) ldap : expand: "dc=companyname,dc=local" -> 'dc=companyname,dc=local' (0) ldap : Performing search in 'dc=companyname,dc=local' with filter '(uid=user)' (0) ldap : Waiting for search result... (0) ldap : User object found at DN "uid=user,cn=users,cn=compat,dc=companyname,dc=local" (0) ldap : Processing user attributes (0) WARNING: ldap : No "reference" password added. Ensure the admin user has permission to read the password attribute (0) WARNING: ldap : PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) rlm_ldap (ldap): Released connection (4) rlm_ldap (ldap): Closing connection (0): Too many free connections (5 > 3) (0) [ldap] = ok (0) [expiration] = noop (0) [logintime] = noop (0) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type. (0) WARNING: pap : Authentication will fail unless a "known good" password is available. (0) [pap] = noop (0) } # authorize = ok (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject =============================================================== Can FreeRadius handle this type of userPassword (since it seems to be hashed)? Thanks, /kl