LDAP server is already service up for VPN access and all users authenticate but to clarifiy both user accounts are identical other than username. The only difference I can see is that the bind-user is the user account that is binding the freeradius server to LDAP. So the bind user can look himself up isn’t really a win as none of the other users in the system can be authenticated.
On Feb 2, 2016, at 12:54 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Feb 2, 2016, at 3:45 PM, Will W. <will@damagesinc.net> wrote:
it is the radiusd -X out of the radtast here are the fail and success
This ends up not being complicated. Reading the debug output helps.
Success ... rlm_ldap (ldap) - Bind successful (1) ldap (updated) (1) pap - Converted: Password-With-Header -> Crypt-Password
That's clear.
Fail ... (0) ldap - User object found at DN "uid=user,ou=Users,dc=myhost,dc=com" (0) ldap - Processing user attributes (0) ldap - WARNING: No "known good" password added. Set 'identity' to the dn of an account that has permission to read the user's password attribute
If only the server produced useful error messages.
This isn't rocket science. For the "success" case, the user has a password in LDAP. For the "fail" case, the user doesn't have a password in LDAP. Or, the user doesn't have permission to read the password.
Have you tried checking the user entries in LDAP?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html