On Jun 2, 2020, at 10:18 AM, R3DNano <r3dnano@gmail.com> wrote:
Ok, I configured the LDAP module, the user is found using "userPrincipalName" filter, however, now I get an error message: "ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute" - and the authentication fails.
Yes....
At first, I thought for some reason, FreeRADIUS was not getting the supplicant's password, but after some search, I understood this happens due to the user performing the LDAP bind not having enough rights to see passwords...
No, it's because AD won't send passwords over an LDAP query. This is well documented. If the packet contains a User-Password attribute, you can "bind as user" to AD, and it will work. For MS-CHAP, however, you must use ntlm_auth or winbind. That's how it works.
however, I'm using the same user as I was using with the bind option, while using SAM instead of UPN and at the time, the user "seemed" able to read passwords.... at least, it was authenticating properly.
Because it was using PAP. Read the debug output.
BTW, is it normal for the bind messages :
rlm_ldap (ldap): Connecting to ldap://xxx.xxx.xxx.xxx:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful
To appear AFTER the "User object found" one?
It depends. If you just show 3 lines of debug output, I have no idea what else it's doing, or what it's configured to do. But yes, generally FreeRADIUS "does the right thing". There's no magical setting which says "do stupid things". Alan DeKok.