Help
Alan DeKok
aland at deployingradius.com
Tue Apr 14 14:43:48 CEST 2015
On Apr 14, 2015, at 8:24 AM, sandy.napoles at eccmg.cupet.cu wrote:
> Hello list, I am using freeradius Version: 2.1.12, and I have read some
> tutorial about freeradius + samba4 as active directory. When a user tries to
> authenticate I have the following logs....somebody can help me.
The messages are fairly clear.
> Ready to process requests.
> rad_recv: Access-Request packet from host 10.0.100.2 port 1060, id=0,
> length=181
> Message-Authenticator = 0x87734694ee77d9806817c3a72bd970dd
> Service-Type = Framed-User
> User-Name = "yordan"
> Framed-MTU = 1488
> Called-Station-Id = "00-23-CD-C3-BD-4E:TP-LINK_C3BD4E"
> Calling-Station-Id = "4C-BB-58-35-80-0E"
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 54Mbps 802.11g"
> EAP-Message = 0x0200000b01796f7264616e
For one, you want to configure LDAP in the "inner-tunnel" virtual server.
> [ldap] expand: (&(sAMAccountName=%{User-Name})) ->
> (&(sAMAccountName=yordan))
> [ldap] expand: OU=Comercializadora,OU=CUPET,DC=eccmg,DC=cupet,DC=cu ->
> OU=Comercializadora,OU=CUPET,DC=eccmg,DC=cupet,DC=cu
> [ldap] ldap_get_conn: Checking Id: 0
> [ldap] ldap_get_conn: Got Id: 0
> [ldap] attempting LDAP reconnection
> [ldap] (re)connect to 172.18.68.8:389, authentication 0
> [ldap] bind as cn=openfire,OU=Administrador de
> Red,OU=Comercializadora,OU=CUPET,DC=eccmg,DC=cupet,DC=cu/open&^2017 to
> 172.18.68.8:389
> [ldap] waiting for bind result ...
> [ldap] Bind was successful
> [ldap] performing search in
> OU=Comercializadora,OU=CUPET,DC=eccmg,DC=cupet,DC=cu, with filter
> (&(sAMAccountName=yordan))
> [ldap] No default NMAS login sequence
> [ldap] looking for check items in directory...
> [ldap] looking for reply items in directory...
> WARNING: No "known good" password was found in LDAP. Are you sure that
> the user is configured correctly?
And... that seems to be clear.
FreeRADIUS is printing out the LDAP query for a REASON. So you can check it yourself. And maybe even check it via an LDAP command-line tool.
Check that the user information really is in LDAP.
Alan DeKok.
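
Added example, not part of the original message or of FreeRADIUS: a small Python helper that takes pasted `radiusd -X` output (mail-wrapped and `>`-quoted, as in the post above) and rebuilds the LDAP search FreeRADIUS logged as an OpenLDAP `ldapsearch` command, so the query can be checked by hand. The function names and the bind DN `cn=radius-reader,dc=example,dc=com` are hypothetical; the sample lines are constructed from the log above, without the bind line.

```python
import re
import shlex

# Constructed sample: [ldap] lines taken from the debug output quoted above, kept
# mail-wrapped and ">"-quoted as posted. The bind line is left out on purpose.
SAMPLE_DEBUG = """\
> [ldap] (re)connect to 172.18.68.8:389, authentication 0
> [ldap] performing search in
> OU=Comercializadora,OU=CUPET,DC=eccmg,DC=cupet,DC=cu, with filter
> (&(sAMAccountName=yordan))
> [ldap] No default NMAS login sequence
"""

CONNECT = re.compile(r"^\[ldap\] \(re\)connect to ([^\s:,]+):(\d+)")
SEARCH = re.compile(r"^\[ldap\] performing search in (.+), with filter (.+)$")


def unwrap(text):
    """Drop '>' quote markers and rejoin lines the mail client wrapped."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()
        if not line:
            continue
        if line.startswith("[") or not records:
            records.append(line)        # start of a new "[module] ..." record
        else:
            records[-1] += " " + line   # continuation of the previous record
    return records


def ldapsearch_command(debug_text, bind_dn):
    """Build the ldapsearch call that repeats the last search FreeRADIUS logged."""
    server = base = flt = None
    for rec in unwrap(debug_text):
        if m := CONNECT.match(rec):
            server = f"ldap://{m.group(1)}:{m.group(2)}"
        elif m := SEARCH.match(rec):
            base, flt = m.group(1), m.group(2)
    if not (server and base and flt):
        raise ValueError("no [ldap] connect/search lines found in debug output")
    # -x: simple bind; -W: prompt for the password rather than placing it in argv
    argv = ["ldapsearch", "-x", "-H", server, "-D", bind_dn, "-W", "-b", base, flt]
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    print(ldapsearch_command(SAMPLE_DEBUG, "cn=radius-reader,dc=example,dc=com"))
```

Running the printed command against the directory shows whether the search returns the user's entry at all and which attributes the bind account is allowed to read.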