Thanks for response Alan, No My LDAP is not AD it is openldap 2.4, and below response I am geeting ++++++++++++++++++++++++++++++++++++++++++++++++ [ldap] performing user authorization for radtest [ldap] expand: (uid=%u) -> (uid=radtest) [ldap] expand: dc=xxxx,dc=local -> dc=xxxx,dc=local [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to 127.0.0.1:389, authentication 0 [ldap] bind as / to 127.0.0.1:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in dc=xxxx,dc=local, with filter (uid=radtest) [ldap] checking if remote access for radtest is allowed by uid [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "10" [ldap] radiusTunnelMediumType -> Tunnel-Medium-Type:0 = 802 [ldap] radiusTunnelType -> Tunnel-Type:0 = VLAN WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? ++++++++++++++++++++++++++++ While is conf of ldap is below, # vi /etc/raddb/modules/ldap ldap { server = "127.0.0.1" basedn = "dc=xxxx,dc=local" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" start_tls = no profile_attribute = "radiusprofile" access_attr = "uid" dictionary_mapping = ${raddbdir}/ldap.attrmap timeout = 120 timelimit = 50 net_timeout = 40 set_auth_type = no password_header = "{SSHA}" password-attribute = userPassword } +++++++++++++++++++++++++++++++++++++++++++ I am able to execute ldapsearch command successfully, with username/password and anonymously as well. Thanks Vishesh Kumar On Fri, May 15, 2015 at 5:51 PM, Alan DeKok <aland@deployingradius.com> wrote:
On May 15, 2015, at 7:35 AM, Vishesh kumar <linuxtovishesh@gmail.com> wrote:
I am still struggling with below errors ,
WARNING: No "known good" password was found in LDAP.
Read the messages BEFORE that one. FreeRADIUS prints out the LDAP query it's using. You can run the same query manually, to see what is being returned from the LDAP server.
Odds are that the query is wrong. And therefore returning the wrong data (or no data), which doesn't include a password.
Or, the LDAP server is Active Directory. In which case you have to use ntlm_auth for authentication.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Regards, Vishesh Kumar http://linuxmantra.com