LDAP + Active Directory Authentication Issue
lukermsdn at gmail.com
Fri Dec 13 15:29:36 CET 2013
Thank you all. With your help I have made progress.
I can now successfully authenticate the user 'test' against Active
Directory if I open up another terminal and run:
radtest -t mschap test password localhost 0 testing 123
However, the 'no Auth-Type found' error still occurs if I send the request
from my console server. Is this because the request from the console server
needs to specify use of mschap?
On Thu, Dec 12, 2013 at 10:10 PM, <stefan.paetow at diamond.ac.uk> wrote:
> Unless you are storing passwords in Active Directory in plain text or you
> want to use Kerberos authentication, you will have to use MSCHAPv2 (or its
> EAP equivalent, EAP-MSCHAPv2).
> In that case, follow
> http://confluence.diamond.ac.uk/display/PAAUTH/Using+Active+Directory+as+authentication+source and see if that's more useful than the URL you originally posted.
> And please, post a full debug log of an authentication attempt. It's much
> appreciated by the gurus on the list. :-)
> From: freeradius-users-bounces+stefan.paetow=diamond.ac.uk at lists.freeradius.org [freeradius-users-bounces+stefan.paetow=diamond.ac.uk at lists.freeradius.org] on behalf of Luke Ramsden [lukermsdn at gmail.com]
> Sent: Thursday, December 12, 2013 6:48 PM
> To: freeradius-users at lists.freeradius.org
> Subject: LDAP + Active Directory Authentication Issue
> Hi, I am trying to authenticate users against Active Directory using LDAP.
> I can perform the initial bind using an ldap bind account. I can then
> successfully find the Distinguished Name in Active Directory given a domain
> user's username. I would now like to re-bind using that Distinguished Name
> in order to authenticate the password they supplied as described in point 4
> The problem I am having is my server errors out with 'No Auth-Type found'
> come authentication time. I added 'set_auth_type = yes' to
> mods-available/ldap but it seems to have had no effect.
> I am very new to this so am still finding my feet - can anyone help?
> Subset of output from terminal (redacted some personal info):
> (0) ldap : Performing search in 'ou=Users,dc=example,dc=domain,dc=com'
> with filter '(uid=example-user)'
> (0) ldap : Waiting for search result...
> (0) ldap : User object found at DN
> rlm_ldap (ldap): Released connection (4)
> rlm_ldap (ldap): Closing connection (0): Too many free connections (5 > 3)
> (0) [ldap] = ok
> (0) [chap] = noop
> (0) [mschap] = noop
> (0) [digest] = noop
> (0) suffix : No '@' in User-Name = 'example-user', looking up realm NULL
> (0) suffix : No such realm "NULL"
> (0) [suffix] = noop
> (0) eap : No EAP-Message, not doing EAP
> (0) [eap] = noop
> (0) [files] = noop
> (0) [expiration] = noop
> (0) [logintime] = noop
> (0) WARNING: pap : No "known good" password found for the user. Not
> setting Auth-Type.
> (0) WARNING: pap : Authentication will fail unless a "known good" password
> is available.
> (0) [pap] = noop
> (0) } # authorize = ok
> (0) ERROR: No Auth-Type found: rejecting the user via Post Auth-Type =
> (0) Failed to authenticate the user.
> (0) Using Post-Auth-Type Reject
> Many thanks
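An added example, not part of the original messages and not FreeRADIUS code: a small Python triage script that unwraps the mail-wrapped debug output quoted above and records, per request id, each authorize module's return code, the WARNING/ERROR notices, and whether the request ended in 'No Auth-Type found'. The function names are hypothetical; the sample lines are copied from the quoted log.

```python
import re
from collections import defaultdict

# Lines copied from the debug output quoted in this thread, keeping the
# "> " quote prefixes and the mail client's line wrapping.
SAMPLE = '''\
> (0) ldap : User object found at DN
> rlm_ldap (ldap): Released connection (4)
> (0) [ldap] = ok
> (0) [chap] = noop
> (0) [mschap] = noop
> (0) WARNING: pap : No "known good" password found for the user. Not
> setting Auth-Type.
> (0) [pap] = noop
> (0) ERROR: No Auth-Type found: rejecting the user via Post Auth-Type =
'''

RESULT = re.compile(r'^\((\d+)\)\s+\[(\w+)\] = (\w+)$')      # "(0) [pap] = noop"
NOTICE = re.compile(r'^\((\d+)\)\s+(WARNING|ERROR): (.*)$')   # "(0) ERROR: ..."
START = re.compile(r'^(\(\d+\)|rlm_\w+ )')                    # start of a log entry


def unwrap(text):
    """Strip quote prefixes and rejoin entries the mail client wrapped."""
    out = []
    for raw in text.splitlines():
        line = re.sub(r'^(>\s?)+', '', raw).strip()
        if line and out and not START.match(line):
            out[-1] += ' ' + line      # continuation of the previous entry
        elif line:
            out.append(line)
    return out


def triage(text):
    """Per request id: module return codes, notices, and the reject flag."""
    reqs = defaultdict(lambda: {'modules': {}, 'notices': [], 'no_auth_type': False})
    for line in unwrap(text):
        if m := RESULT.match(line):
            reqs[int(m[1])]['modules'][m[2]] = m[3]
        elif m := NOTICE.match(line):
            req = reqs[int(m[1])]
            req['notices'].append(f'{m[2]}: {m[3]}')
            req['no_auth_type'] |= 'No Auth-Type found' in m[3]
    return dict(reqs)


if __name__ == '__main__':
    print(triage(SAMPLE))
```

On the quoted log this shows `ldap` returning `ok` while `chap`, `mschap` and `pap` all return `noop`, followed by the reject.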