Thanks, I got it working. Is there a reason that the ldap search that rlm_ldap performs functions differently from ldapsearch? With ldapsearch I can do a search without specifying an OU but with rlm_ldap, it fails? I do not have control of the Active Directory server here so I cannot apply the dsHeuristics setting as specified in the rlm_ldap docs. -----Original Message----- From: freeradius-users-bounces+w.segura=f5.com@lists.freeradius.org [mailto:freeradius-users-bounces+w.segura=f5.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Friday, January 18, 2008 1:05 AM To: FreeRadius users mailing list Subject: Re: Freeradius +LDAP + Active Directory + Authenticate Only questions William Segura wrote:
I am trying to setup Freeradius to authenticate against an active directory server.
Only "bind as user" will work, and even then not always.
Here are the relevant files:
Please do not post configuration files to the list.
Radius Log: ... rad_recv: Access-Request packet from host 127.0.0.1:35655, id=159, length=58 User-Name = "user1" User-Password = "\204\016V\332\226\325\007\347\254Hm\262}B\321M"
Your shared secret is wrong. Fix it.
modcall[authorize]: module "preprocess" returns ok for request 0 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 0
You have re-ordered the modules in the "authorize" section. Why? Do you understand what the PAP module does?
rlm_ldap: Bind failed with invalid credentials
Because the password was wrong. The password *should* be visible in debugging mode. It should NOT be binary garbage.
auth: Failed to validate the user. WARNING: Unprintable characters in the password. ? Double-check the shared secret on the server and the NAS!
Perhaps this message might be useful. Did you read it? Did you follow it's instructions? Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html