Question about LDAP authentication
Hi, I have a quick question about LDAP authentication. The radius authentication is working but when I check the logs in debug mode I get a warning concerning LDAP. I'm wondering if this warning is important and how I can get ride of it. I put the ldap auth in the /raddb/sites-available/default file but the following warning keeps coming back, even tough the user's attributes are passed: radiusd: FreeRADIUS Version 2.2.6, for host x86_64-redhat-linux-gnu, built on Jul 11 2017 at 04:40:14 Copyright (C) 1999-2013 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. For more information about these matters, see the file named COPYRIGHT. [ldap] performing user authorization for ba0xxxx [ldap] expand: (cn=%{User-Name}) -> (cn=ba0xxxxx@ssl-admin.bell) [ldap] expand: dc=connexim,dc=com -> dc=connexim,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to 10.234.4.16:389, authentication 0 [ldap] bind as cn=Manager,dc=connexim,dc=com/xxxxxxxx to 10.x.x.x:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in dc=connexim,dc=com, with filter (cn=ba0xxxx@ssl-admin.bell) [ldap] looking for check items in directory... [ldap] radiusClientIPAddress -> NAS-IP-Address == 10.227.x.x [ldap] radiusClientIPAddress -> NAS-IP-Address == 10.226.x.x [ldap] radiusClientIPAddress -> NAS-IP-Address == 10.226.x.x [ldap] radiusClientIPAddress -> NAS-IP-Address == 10.227.x.x [ldap] radiusClientIPAddress -> NAS-IP-Address == 10.227.x.x [ldap] radiusClientIPAddress -> NAS-IP-Address == 10.227.x.x [ldap] radiusClientIPAddress -> NAS-IP-Address == 10.227.x.x [ldap] radiusClientIPAddress -> NAS-IP-Address == 10.226.x.x [ldap] radiusClientIPAddress -> NAS-IP-Address == 10.226.x.x [ldap] radiusClientIPAddress -> NAS-IP-Address == 10.226.x.x [ldap] looking for reply items in directory... [ldap] radiusClass -> Class = 0x61646d696e WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] Setting Auth-Type = LDAP [ldap] ldap_release_conn: Release Id: 0 ++[ldap] = ok The logs then continue and I receive an Accept-Accept for the session. Is this warning relevant and how can I get rid of it? Thanks, Benoit Petit Analyste Technique | Technical Analyst Sécurité et Intelligence Digitale TI | IT Security and Digital Intelligence 1 Carrefour Alexandre-Graham-Bell - Aile E - 3e étage - Verdun - QC - H3E 3B3 514-391-9247 L'utilisation de ce message et régie par notre politique de courriel. www.bell.ca/PolitiqueConfidentialiteCourriel The use of this message is restricted by our mail policies. www.bell.ca/EmailConfidentialityWarning Vacances : 24 août au 17 septembre
On Wed, 2018-07-25 at 12:20 +0000, Petit, Benoit wrote:
I have a quick question about LDAP authentication. The radius authentication is working but when I check the logs in debug mode I get a warning concerning LDAP. I'm wondering if this warning is important and how I can get ride of it. I put the ldap auth in the /raddb/sites-available/default file but the following warning keeps coming back, even tough the user's attributes are passed:
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
You normally authenticate by getting the good password from LDAP and then checking that the password is correct. This warning tells you that it wasn't able to get the password from LDAP. If you are authenticating by binding to LDAP as the supplied user, then you don't need to get the password, so this message doesn't matter.
The logs then continue and I receive an Accept-Accept for the session. Is this warning relevant and how can I get rid of it?
Ignore it. -- Matthew
Thank you very much Matthew for the quick answer! Benoit Benoit Petit Analyste Technique | Technical Analyst Sécurité et Intelligence Digitale TI | IT Security and Digital Intelligence 1 Carrefour Alexandre-Graham-Bell - Aile E - 3e étage - Verdun - QC - H3E 3B3 514-391-9247 L'utilisation de ce message et régie par notre politique de courriel. www.bell.ca/PolitiqueConfidentialiteCourriel The use of this message is restricted by our mail policies. www.bell.ca/EmailConfidentialityWarning Vacances : 24 août au 17 septembre -----Message d'origine----- De : Freeradius-Users <freeradius-users-bounces+b.petit=bell.ca@lists.freeradius.org> De la part de Matthew Newton Envoyé : 25 juillet 2018 08:35 À : FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Objet : Re: Question about LDAP authentication On Wed, 2018-07-25 at 12:20 +0000, Petit, Benoit wrote:
I have a quick question about LDAP authentication. The radius authentication is working but when I check the logs in debug mode I get a warning concerning LDAP. I'm wondering if this warning is important and how I can get ride of it. I put the ldap auth in the /raddb/sites-available/default file but the following warning keeps coming back, even tough the user's attributes are passed:
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
You normally authenticate by getting the good password from LDAP and then checking that the password is correct. This warning tells you that it wasn't able to get the password from LDAP. If you are authenticating by binding to LDAP as the supplied user, then you don't need to get the password, so this message doesn't matter.
The logs then continue and I receive an Accept-Accept for the session. Is this warning relevant and how can I get rid of it?
Ignore it. -- Matthew - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jul 25, 2018, at 8:20 AM, Petit, Benoit <b.petit@bell.ca> wrote:
I have a quick question about LDAP authentication. The radius authentication is working but when I check the logs in debug mode I get a warning concerning LDAP. I'm wondering if this warning is important and how I can get ride of it. I put the ldap auth in the /raddb/sites-available/default file but the following warning keeps coming back, even tough the user's attributes are passed:
radiusd: FreeRADIUS Version 2.2.6, for host x86_64-redhat-linux-gnu, built on Jul 11 2017 at 04:40:14
You really do need to upgrade to 2.2.10. It's 100% configuration compatible with 2.2.6, and contains a number of security fixes and bug fixes.
[ldap] radiusClass -> Class = 0x61646d696e WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
You're probably using Active Directory. Or, the admin user doesn't have permission to read the users password, and you're doing "bind as user".
[ldap] Setting Auth-Type = LDAP [ldap] ldap_release_conn: Release Id: 0 ++[ldap] = ok
The logs then continue
... and explain *why* you're getting an Access-Accept. Reading them will be helpful.
and I receive an Accept-Accept for the session. Is this warning relevant and how can I get rid of it?
The warning is there because many people configure LDAP and FreeRADIUS incorrectly, and get Access-Reject. Then, wonder why it happened. Well, the message is there to tell them the likely source of the error. If you're getting Access-Accept, it's fine. And the only way to get rid of the message is editing the source code. Which you don't want to do. And it's only a warning. It's not an error. It can be safely ignored. Alan DeKok.
Thanks Alan. Will try to upgrade to 2.2.10 Benoit Petit Analyste Technique | Technical Analyst Sécurité et Intelligence Digitale TI | IT Security and Digital Intelligence 1 Carrefour Alexandre-Graham-Bell - Aile E - 3e étage - Verdun - QC - H3E 3B3 514-391-9247 L'utilisation de ce message et régie par notre politique de courriel. www.bell.ca/PolitiqueConfidentialiteCourriel The use of this message is restricted by our mail policies. www.bell.ca/EmailConfidentialityWarning Vacances : 24 août au 17 septembre -----Message d'origine----- De : Freeradius-Users <freeradius-users-bounces+b.petit=bell.ca@lists.freeradius.org> De la part de Alan DeKok Envoyé : 25 juillet 2018 08:37 À : FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Objet : Re: Question about LDAP authentication On Jul 25, 2018, at 8:20 AM, Petit, Benoit <b.petit@bell.ca> wrote:
I have a quick question about LDAP authentication. The radius authentication is working but when I check the logs in debug mode I get a warning concerning LDAP. I'm wondering if this warning is important and how I can get ride of it. I put the ldap auth in the /raddb/sites-available/default file but the following warning keeps coming back, even tough the user's attributes are passed:
radiusd: FreeRADIUS Version 2.2.6, for host x86_64-redhat-linux-gnu, built on Jul 11 2017 at 04:40:14
You really do need to upgrade to 2.2.10. It's 100% configuration compatible with 2.2.6, and contains a number of security fixes and bug fixes.
[ldap] radiusClass -> Class = 0x61646d696e WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
You're probably using Active Directory. Or, the admin user doesn't have permission to read the users password, and you're doing "bind as user".
[ldap] Setting Auth-Type = LDAP [ldap] ldap_release_conn: Release Id: 0 ++[ldap] = ok
The logs then continue
... and explain *why* you're getting an Access-Accept. Reading them will be helpful.
and I receive an Accept-Accept for the session. Is this warning relevant and how can I get rid of it?
The warning is there because many people configure LDAP and FreeRADIUS incorrectly, and get Access-Reject. Then, wonder why it happened. Well, the message is there to tell them the likely source of the error. If you're getting Access-Accept, it's fine. And the only way to get rid of the message is editing the source code. Which you don't want to do. And it's only a warning. It's not an error. It can be safely ignored. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Matthew Newton -
Petit, Benoit