All, I can use your help. I am trying to set up freeradius on my RHEL IDM/freeipa server. A mail [0] from the freeipa list indicated that this would be easy, but I think I am missing one step. So far, freeradius can find the user in ldap ("User object found at DN "uid=username,cn=users,cn=compat,dc=companyname,dc=local"). It just does not seem to be able to verify if the pass word is correct. What steps do I need to take? I am just trying to figure this out, I don't have a guide or anything. I have uploaded my radiusd.conf [ http://pastebin.com/GijucMps ], my mods-available/ldap [ http://pastebin.com/YJTi8srS ] and sites-available/ldap [ http://pastebin.com/MMGzU8Sj ]. All help is welcome. Is is probably something easy. This is the log I get: ============================================================ (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) filter_username filter_username { (0) ? if (User-Name != "%{tolower:%{User-Name}}") (0) expand: "%{tolower:%{User-Name}}" -> 'klu' (0) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (0) ? if (User-Name =~ / /) (0) ? if (User-Name =~ / /) -> FALSE (0) ? if (User-Name =~ /@.*@/ ) (0) ? if (User-Name =~ /@.*@/ ) -> FALSE (0) ? if (User-Name =~ /\\.\\./ ) (0) ? if (User-Name =~ /\\.\\./ ) -> FALSE (0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (0) ? if (User-Name =~ /\\.$/) (0) ? if (User-Name =~ /\\.$/) -> FALSE (0) ? if (User-Name =~ /@\\./) (0) ? if (User-Name =~ /@\\./) -> FALSE (0) } # filter_username filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix : No '@' in User-Name = "klu", looking up realm NULL (0) suffix : No such realm "NULL" (0) [suffix] = noop (0) eap : No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop rlm_ldap (ldap): Reserved connection (4) (0) ldap : expand: "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" -> '(uid=klu)' (0) ldap : expand: "dc=kahuna,dc=local" -> 'dc=kahuna,dc=local' (0) ldap : Performing search in 'dc=kahuna,dc=local' with filter '(uid=klu)' (0) ldap : Waiting for search result... (0) ldap : User object found at DN "uid=klu,cn=users,cn=compat,dc=kahuna,dc=local" (0) ldap : Processing user attributes (0) WARNING: ldap : No "reference" password added. Ensure the admin user has permission to read the password attribute (0) WARNING: ldap : PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) rlm_ldap (ldap): Released connection (4) (0) [ldap] = ok (0) [expiration] = noop (0) [logintime] = noop (0) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type. (0) WARNING: pap : Authentication will fail unless a "known good" password is available. (0) [pap] = noop (0) } # authorize = ok (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (0) Failed to authenticate the user. (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject : expand: "%{User-Name}" -> 'klu' (0) attr_filter.access_reject : Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure (0) [eap] = noop (0) remove_reply_message_if_eap remove_reply_message_if_eap { (0) ? if (reply:EAP-Message && reply:Reply-Message) (0) ? if (reply:EAP-Message && reply:Reply-Message) -> FALSE (0) else else { (0) [noop] = noop (0) } # else else = noop (0) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Finished request 0. ============================================================ [0] https://www.redhat.com/archives/freeipa-users/2008-October/msg00036.html Thanks!