Added some basic directory fingerprinting... rlm_ldap (ldap) - Opening additional connection (0), 1 of 24 pending slots used rlm_ldap (ldap) - Connecting to ldap://192.168.43.57:389 rlm_ldap (ldap) - Waiting for bind result... rlm_ldap (ldap) - Bind successful rlm_ldap (ldap) - Performing search in "" with filter "(objectclass=*)", scope "base" rlm_ldap (ldap) - Waiting for search result... rlm_ldap (ldap) - Directory type: OpenLDAP if (!fr_pair_find_by_num(request->config, 0, PW_CLEARTEXT_PASSWORD, TAG_ANY) && !fr_pair_find_by_num(request->config, 0, PW_NT_PASSWORD, TAG_ANY) && !fr_pair_find_by_num(request->config, 0, PW_USER_PASSWORD, TAG_ANY) && !fr_pair_find_by_num(request->config, 0, PW_PASSWORD_WITH_HEADER, TAG_ANY) && !fr_pair_find_by_num(request->config, 0, PW_CRYPT_PASSWORD, TAG_ANY)) { if (!inst->directory->cleartext_password) switch (inst->directory->type) { case LDAP_DIRECTORY_ACTIVE_DIRECTORY: RWDEBUG("!!! Found map between LDAP attribute and a FreeRADIUS password attribute"); RWDEBUG("!!! Active Directory does not allow passwords to be read via LDAP"); RWDEBUG("!!! Remove the password map and either:"); RWDEBUG("!!! - List %s in the authenticate section, and set attribute " "&control:Auth-Type := '%s' (pap only)", inst->name, inst->name); RWDEBUG("!!! - Configure authentication via ntlm_auth (mschapv2 only)"); RWDEBUG("!!! - Configure authentication via wbclient (mschapv2 only)"); break; case LDAP_DIRECTORY_EDIRECTORY: RWDEBUG("!!! Found map between LDAP attribute and a FreeRADIUS password attribute"); RWDEBUG("!!! eDirectory does not allow passwords to be retrieved via LDAP search"); RWDEBUG("!!! Remove the password map and either:"); RWDEBUG("!!! - Set 'edir = yes' and enable the universal password feature on your " "eDir server (recommended)"); RWDEBUG("!!! - List %s in the authenticate section, and set attribute " "&control:Auth-Type := '%s' (pap only)", inst->name, inst->name); break; default: no_password: if (!inst->admin_identity) { RWDEBUG("No \"known good\" password added. Ensure \"%s\" has permission to " "read the user's password attribute", inst->admin_identity); } else { RWDEBUG("No \"known good\" password added. Set 'identity' to the dn of an " "account that has permission to read the user's password attribute"); } break; } else goto no_password; } The first user to post either of those messages to the list earns an instaban ;) -Arran