Ok, I configured the LDAP module, the user is found using "userPrincipalName" filter, however, now I get an error message: "ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute" - and the authentication fails. At first, I thought for some reason, FreeRADIUS was not getting the supplicant's password, but after some search, I understood this happens due to the user performing the LDAP bind not having enough rights to see passwords... however, I'm using the same user as I was using with the bind option, while using SAM instead of UPN and at the time, the user "seemed" able to read passwords.... at least, it was authenticating properly. BTW, is it normal for the bind messages : rlm_ldap (ldap): Connecting to ldap://xxx.xxx.xxx.xxx:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful To appear AFTER the "User object found" one? Am I missing anything? On Tue, 2 Jun 2020 at 12:28, R3DNano <r3dnano@gmail.com> wrote:
Thanks for your reply, Alan I've been reading some documentation and I guess I'm on the wrong path: I got everything working with winbind but, as far as I understood, this only works with SAM, and there's no (simple) way of doing UPN unless I switch to LDAP module, so I think I'll go down this path and see how it goes.
Thanks!
On Fri, 29 May 2020, 14:57 Alan DeKok, <aland@deployingradius.com> wrote:
On May 29, 2020, at 5:46 AM, R3DNano <r3dnano@gmail.com> wrote:
AFAIK, when I authenticate my users via ntlm_auth (samba AD bnind,
etc...,
not the LDAP module, as suggested by the docu), account names in SAM are used instead of UPN (please, correct me if I'm wrong)
You use whatever AD allows. See the AD documentation for how AD works.
Is it possible to use UPN instead?
Some people do. See the AD docs.
What drawbacks can we have if we do this?
The format of user names doesn't matter to FreeRADIUS. So the only issues are elsewhere.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html