-----Original Message----- From: Freeradius-Users [mailto:freeradius-users- bounces+jmdanner=samford.edu@lists.freeradius.org] On Behalf Of Matthew Beckler Sent: Friday, May 06, 2016 1:15 PM To: freeradius-users@lists.freeradius.org Subject: Re: LDAP + SASL Freeradius 3.0.11
________________________________ From: Danner, Mearl <jmdanner@samford.edu> Sent: Thursday, May 5, 2016 7:46 PM To: freeradius-users@lists.freeradius.org Subject: RE: LDAP + SASL Freeradius 3.0.11
Sometimes cn is not equal to samaccountname. I have verified the cn is identical to the samaccountanem. I even renamed the account to make sure it was correct.
In ad cn is a multivalued attribute. Make sure that the user only has one value in cn and use that value. I have verified this as well.
I think 52e return specifically means invalid password from my research. It means username valid password/credential invalid.
I wonder if something is happening to the password before it gets sent. I turned commented out sasl mech and did a tcpdump and the password looked correct in the packet.
Also I did tcpdump both with running ldapsearch that worked and freeradius -X that did not and from what is human readable in the capture is very similar.
Can't think of much more. Have you tried the ldapsearch without SASL i.e.: Ldapsearch -x -h host -b basedn -D binddn -W
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html