Need help Configuring Radius and Ldap

Phil Mayers p.mayers at
Sun Dec 5 10:32:09 CET 2010

On 12/03/2010 08:43 PM, James Winter wrote:
> On Dec 3, 2010, at 10:52 AM, Phil Mayers wrote:
>> You haven't said what your problem is
> Sorry! My server tells me that it ldap did not find a correct matchup,
> but then returns true.

No. It says is found a match, but that:

> [ldap] performing search in cn=Users,dc=ds,dc=saintjoe,dc=edu, with
> filter (samaccountname=jwn6657)
> [ldap] looking for check items in directory...
> [ldap] looking for reply items in directory...
> WARNING: No "known good" password was found in LDAP.  Are you sure
> that the user is configured correctly?

...there was no "userPassword" (or it wasn't readable)

> [ldap] user jwn6657 authorized to use remote access
> [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> It also then continues to search through other forms of
> authentication, and then it seems to return false to the remote device
> if any of these are false.

Firstly, radius and the modules don't return "false". The modules return 
one of a number of error codes (e.g. "ok", above) and the server returns 
either an Access-Accept or Access-Reject.

Secondly, the debug output you posted returns an "Access-Accept" 
because, although the LDAP module was unable to see a userPassword 
attribute on the LDAP entry, a later module sets the Auth-Type to 
"ntlm_auth" and your server then obeys that.

This is all a non-standard config, so *someone* has configured the 
server - was it you?

> The remote device also told me that the authentication was invalid. I

Well, FreeRadius sent an Access-Accept. What is the remote device? If 
you hadn't trimmed the debugging output I might be able to suggest more.

> was able to successfully authenticate on this device by using the
> local users file(on the radius server).

So compare the reply in that case with the reply in this case, and 
configure the radius server to send the same attributes.

>> The radius server is authenticating the user successfully:
>>> Sending Access-Accept of id 186 to port 4844
>>> Finished request 3.
>>> Going to the next request

Like I said - FreeRadius is sending an Access-Accept.

More information about the Freeradius-Users mailing list