Question: How can I fix my configuration as I am getting No “known good” password Warning? This is what I have done: I have enabled LDAP in /etc/raddb/sites-enabled/default -ldap if ((ok || updated) && User-Password) { update { control:Auth-Type := ldap } } Created a symbolic line for ldap under /etc/raddb/mods-enabled/ldap ldap { # Note that this needs to match the name(s) in the LDAP server # certificate, if you're using ldaps. See OpenLDAP documentation # for the behavioral semantics of specifying more than one host. server = “ldap.myhost.com" # Port to connect on, defaults to 389. Setting this to 636 will enable # LDAPS if start_tls (see below) is not able to be used. port = 636 # Administrator account for searching and possibly modifying. identity = “uid=TestUser,ou=Users,dc=myhost,dc=com" password = testing123 # Unless overridden in another section, the dn from which all # searches will start from. base_dn = "ou=Users,dc=myhost,dc=com" The bind user is working. When I run the readiest for the bind user I get: Sending Access-Accept Id 4 from 127.0.0.1:1812 to 127.0.0.1:42631 in the debug while running radius -X How ever when I try it again using a test account or any other user account I get: (1) WARNING: ldap : Bind with uid=bobsso,ou=Users,dc=myhost,dc=com to ldap.myhost.com:636 failed: Can't contact LDAP server. Got new socket, retrying... (1) ldap : Waiting for bind result... (1) ldap : Bind successful (1) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (1) ldap : --> (uid=demouser) (1) ldap : EXPAND ou=Users,dc=myhost,dc=com (1) ldap : --> ou=Users,dc=myhoset,dc=com (1) ldap : Performing search in 'ou=Users,dc=yhost,dc=com' with filter '(uid=demouser)', scope 'sub' (1) ldap : Waiting for search result... (1) ldap : User object found at DN "uid=demouser,ou=Users,dc=myhost,dc=com" (1) ldap : Processing user attributes (1) WARNING: ldap : No "known good" password added. Ensure the admin user has permission to read the password attribute (1) WARNING: ldap : PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) rlm_ldap (ldap): Released connection (4) rlm_ldap (ldap): Closing connection (0), from 1 unused connections rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for 140 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for 140 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): Closing connection (1): Hit idle_timeout, was idle for 140 seconds rlm_ldap (ldap): You probably need to lower "min"
On Jan 27, 2016, at 8:41 AM, Alan DeKok <aland@deployingradius.com> wrote:
On Jan 27, 2016, at 11:38 AM, Will W. <will@damagesinc.net> wrote:
Trying to get freeradius 3.0.10 setup with LDAP using SHA512 and I am trying to get my head around the new layout.
What's hard? Get it installed. Get the LDAP module configured for your LDAP server. 99% of everything will Just Work.
Has anyone had luck getting this working?
Please ask good questions. What did you do? What did you expect to see happen? Why? What happened instead? What does the debug output show?
The default configuration is designed to work nearly everywhere, with minimal changes. Just enable the LDAP module, add your LDAP server IP / bind DN, and pretty much everything will Just Work.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html