Freeipa and Freeradius integration

KL Forwarder kl.forwarder at gmail.com
Mon Apr 13 07:46:24 CEST 2015


On Fri, Apr 10, 2015 at 6:15 PM, Arran Cudbard-Bell
<a.cudbardb at freeradius.org> wrote:
>> Problem is I still get:
>>
>> (0) WARNING: ldap : No "reference" password added. Ensure the admin
>> user has permission to read the password attribute
>> (0) WARNING: ldap : PAP authentication will *NOT* work with Active
>> Directory (if that is what you were trying to configure)
>>
>> How can I test if the password is correct? And are there references I
>> can use (maybe a good general "Freeradius-ldap" guide?). Thanks so
>
> You need to check if ldapsearch returns the userPassword attribute when bound with the credentials you configured for FR.
>
> The server is warning you that you had a mapping between an LDAP attribute, and a RADIUS attribute it knows is used to store the users password, but that the mapping was skipped because the LDAP server didn't return a value for that attribute.

Thanks so far, this helps. I tested and it indeed turned out I did not
receive the userPassword attribute. I do get something like it back
using `identity = "cn=Directory Manager"`, so I am using that now.
Doing a ldapsearch gives me:

[user at auth1 ~]$ ldapsearch -x -v -W -D 'cn=Directory Manager' uid=user | grep userP
ldap_initialize( <DEFAULT> )
Enter LDAP Password:
filter: uid=user
requesting: All userApplication attributes
userPassword:: e1NTS***************************************************************UE9PQ=

userPassword is base64-encoded. Doing a `base64 -d` gives me
"{SSHA}a3By*******************8kwtali5aA".

Radius output is:

===============================================================
(0) ldap :      expand: "dc=companyname,dc=local" -> 'dc=companyname,dc=local'
(0) ldap : Performing search in 'dc=companyname,dc=local' with filter '(uid=user)'
(0) ldap : Waiting for search result...
(0) ldap : User object found at DN "uid=user,cn=users,cn=compat,dc=companyname,dc=local"
(0) ldap : Processing user attributes
(0) WARNING: ldap : No "reference" password added. Ensure the admin user has permission to read the password attribute
(0) WARNING: ldap : PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (4)
rlm_ldap (ldap): Closing connection (0): Too many free connections (5 > 3)
(0)   [ldap] = ok
(0)   [expiration] = noop
(0)   [logintime] = noop
(0) WARNING: pap : No "known good" password found for the user.  Not setting Auth-Type.
(0) WARNING: pap : Authentication will fail unless a "known good" password is available.
(0)   [pap] = noop
(0)  } #  authorize = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
===============================================================

Can FreeRadius handle this type of userPassword (since it seems to be hashed)?

Thanks,
/kl


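The post shows two layers of encoding that are easy to confuse: ldapsearch prints a non-printable attribute as `userPassword:: <base64>` (the `e1NT` prefix in the post is simply the base64 of `{SS`), and the decoded value `{SSHA}...` is itself base64 of a 20-byte SHA-1 digest followed by the salt. The script below, an added example that is not part of the thread or of FreeRADIUS, decodes both layers and verifies a candidate cleartext against the hash the same way a salted-SHA1 check has to be done: hash the candidate with the stored salt and compare the digests. The LDIF line and password in it are constructed for the demonstration, since the real value in the post is redacted. It lets you answer "is the password correct?" offline, independent of the RADIUS server.

```python
"""Verify a cleartext password against an LDAP {SSHA} userPassword value.

Added example for the thread above; not code from the poster or from FreeRADIUS.
The sample LDIF line, salt and password below are constructed for this demo.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import os

SHA1_DIGEST_LEN = 20  # {SSHA} = SHA-1 digest (20 bytes) immediately followed by the salt


def decode_ldif_value(ldif_line: str) -> str:
    """Return the attribute value from an LDIF line.

    LDIF writes values that are not safe ASCII as 'attr:: <base64>' (double
    colon); a single colon means the value is literal.
    """
    _attr, _sep, value = ldif_line.partition(":")
    value = value.strip()
    if value.startswith(":"):  # '::' -> base64-encoded value
        return base64.b64decode(value[1:].strip()).decode("utf-8")
    return value


def split_ssha(value: str) -> tuple[bytes, bytes]:
    """Split a '{SSHA}<base64>' value into (digest, salt)."""
    scheme, _sep, b64 = value.partition("}")
    if scheme.upper() != "{SSHA":
        raise ValueError(f"unsupported password scheme: {scheme!r}")
    raw = base64.b64decode(b64)
    if len(raw) <= SHA1_DIGEST_LEN:
        raise ValueError("SSHA value too short to contain a salt")
    return raw[:SHA1_DIGEST_LEN], raw[SHA1_DIGEST_LEN:]


def verify_ssha(value: str, candidate: str) -> bool:
    """True if candidate hashes to the digest stored in the {SSHA} value."""
    digest, salt = split_ssha(value)
    computed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(computed, digest)  # constant-time compare


def make_ssha(password: str, salt: bytes | None = None) -> str:
    """Build a '{SSHA}' value as an LDAP server would store it (used here to
    construct the sample; real servers pick their own random salt)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


# Constructed sample: the line ldapsearch would print for a user whose password
# is "correct horse", hashed with a fixed 8-byte salt so the output is stable.
SAMPLE_PASSWORD = "correct horse"
SAMPLE_SALT = bytes(range(1, 9))
SAMPLE_LDIF_LINE = "userPassword:: " + base64.b64encode(
    make_ssha(SAMPLE_PASSWORD, SAMPLE_SALT).encode("ascii")
).decode("ascii")


def check_sample(candidate: str) -> bool:
    """Decode the sample LDIF line and test a candidate password against it."""
    return verify_ssha(decode_ldif_value(SAMPLE_LDIF_LINE), candidate)


if __name__ == "__main__":
    print(SAMPLE_LDIF_LINE)                     # userPassword:: e1NTSEF9...
    print(decode_ldif_value(SAMPLE_LDIF_LINE))  # {SSHA}...
    print("correct horse ->", check_sample("correct horse"))
    print("wrong         ->", check_sample("wrong"))
```

To use it against a real directory, paste the `userPassword::` line from your own ldapsearch output into `SAMPLE_LDIF_LINE` and call `check_sample()` with the cleartext the RADIUS client is sending; if that returns False, the rejection is a password problem, not a FreeRADIUS configuration problem.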