No "known good" password was found in LDAP
Hi, I have a setup with a laptop, access-point, wireless-controller, freeradius 2.1.8 (ubuntu 10.04) and SLES 10 eDirectory. When I put the username and password in the users file everything works fine (802.1x, PEAP) When I try to move authentication with the eDirectory with ldap, I get the Warning no known... but then the user is authorized. ([ldap] user aruba authorized to use remote access) [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=aruba) [ldap] expand: o=org -> o=org [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to xxx.yyy.110.136:389, authentication 0 [ldap] bind as cn=admin,o=org/admin to xxx.yyy.110.136:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in o=org, with filter (uid=aruba) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user aruba authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 The password stored in eDirectory is valid. My understanding of eDirectory is that it will never let you see the actual password of a user, it will hash it first. Is this behavior of freeradius normal? Later in the process the user is rejected because no Auth-Type was found, is this related? Jean -- View this message in context: http://old.nabble.com/No-%22known-good%22-password-was-found-in-LDAP-tp29239... Sent from the FreeRadius - User mailing list archive at Nabble.com.
On 07/22/2010 08:26 PM, newtownz wrote:
The password stored in eDirectory is valid.
My understanding of eDirectory is that it will never let you see the actual password of a user, it will hash it first. Is this behavior of freeradius normal?
There is eDirectory support in the rlm_ldap module which (I belive) does a "special" query to get a the "universal password); see the docs for rlm_ldap. But you (or rather the FreeRadius bind DN) *will* need permissions to read the plaintext password or you're stuck. You need that password or the NT/LM hash to do PEAP/MS-CHAP.
Later in the process the user is rejected because no Auth-Type was found, is this related?
Yes.
participants (2)
-
newtownz -
Phil Mayers