Freeradius + LDAP - WARNING: No "known good" password was found in LDAP

Kermes - - kermes at gmx.es
Mon Dec 21 09:38:00 CET 2015


   Morning list,

   I need some help with my freeradius + LDAP configuration, I'm stuck
   with a "WARNING: No "known good" password was found in LDAP" message,
   and I don't know how to continue with the debugging of this problem.

   First, versions:
   freeradius-ldap-2.2.6-6.el6_7.x86_64
   freeradius-2.2.6-6.el6_7.x86_64

   This is the output from "radiusd -X":
   rad_recv: Access-Request packet from host 10.252.218.2 port 12494,
   id=176, length=95
       User-Name = "test"
       User-Password = "testpasswd"
       NAS-IP-Address = 10.252.218.4
       NAS-Identifier = "example1"
       Calling-Station-Id = "10.100.100.10"
       NAS-Port = 11469
       NAS-Port-Type = Virtual
   Mon Dec 21 08:14:30 2015 : Info: # Executing section authorize from
   file /etc/raddb/sites-enabled/default
   Mon Dec 21 08:14:30 2015 : Info: +group authorize {
   Mon Dec 21 08:14:30 2015 : Info: ++[preprocess] = ok
   Mon Dec 21 08:14:30 2015 : Info: ++[chap] = noop
   Mon Dec 21 08:14:30 2015 : Info: ++[mschap] = noop
   Mon Dec 21 08:14:30 2015 : Info: ++[digest] = noop
   Mon Dec 21 08:14:30 2015 : Info: [suffix] No '@' in User-Name = "test",
   looking up realm NULL
   Mon Dec 21 08:14:30 2015 : Info: [suffix] No such realm "NULL"
   Mon Dec 21 08:14:30 2015 : Info: ++[suffix] = noop
   Mon Dec 21 08:14:30 2015 : Info: [eap] No EAP-Message, not doing EAP
   Mon Dec 21 08:14:30 2015 : Info: ++[eap] = noop
   Mon Dec 21 08:14:30 2015 : Info: [files] users: Matched entry DEFAULT
   at line 79
   Mon Dec 21 08:14:30 2015 : Info: ++[files] = ok
   Mon Dec 21 08:14:30 2015 : Info: [ldap] performing user authorization
   for test
   Mon Dec 21 08:14:30 2015 : Info: [ldap]     expand:
   %{Stripped-User-Name} ->
   Mon Dec 21 08:14:30 2015 : Info: [ldap]     ... expanding second
   conditional
   Mon Dec 21 08:14:30 2015 : Info: [ldap]     expand: %{User-Name} ->
   test
   Mon Dec 21 08:14:30 2015 : Info: [ldap]     expand:
   (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test)
   Mon Dec 21 08:14:30 2015 : Info: [ldap]     expand:
   ou=users,cn=secdb,cn=data,ou=ALL,ou=infra,dc=infra,dc=local ->
   ou=users,cn=secdb,cn=data,ou=ALL,ou=infra,dc=infra,dc=local
   Mon Dec 21 08:14:30 2015 : Debug:   [ldap] ldap_get_conn: Checking Id:
   0
   Mon Dec 21 08:14:30 2015 : Debug:   [ldap] ldap_get_conn: Got Id: 0
   Mon Dec 21 08:14:30 2015 : Debug:   [ldap] attempting LDAP reconnection
   Mon Dec 21 08:14:30 2015 : Debug:   [ldap] (re)connect to
   10.252.25.20:389, authentication 0
   Mon Dec 21 08:14:30 2015 : Debug:   [ldap] bind as
   cn=binduser,cn=proxy,ou=clients,ou=nfra,dc=infra,dc=local/password to
   10.252.25.20:389
   Mon Dec 21 08:14:30 2015 : Debug:   [ldap] waiting for bind result ...
   Mon Dec 21 08:14:30 2015 : Debug:   [ldap] Bind was successful
   Mon Dec 21 08:14:30 2015 : Debug:   [ldap] performing search in
   ou=users,cn=secdb,cn=data,ou=ALL,ou=infra,dc=infra,dc=local with filter
   (uid=test)
   Mon Dec 21 08:14:30 2015 : Info: [ldap] looking for check items in
   directory...
   Mon Dec 21 08:14:30 2015 : Info: [ldap] looking for reply items in
   directory...
   Mon Dec 21 08:14:30 2015 : Debug: WARNING: No "known good" password was
   found in LDAP.  Are you sure that the user is configured correctly?
   Mon Dec 21 08:14:30 2015 : Debug:   [ldap] ldap_release_conn: Release
   Id: 0
   Mon Dec 21 08:14:30 2015 : Info: ++[ldap] = ok
   Mon Dec 21 08:14:30 2015 : Info: ++[expiration] = noop
   Mon Dec 21 08:14:30 2015 : Info: ++[logintime] = noop
   Mon Dec 21 08:14:30 2015 : Info: [pap] WARNING! No "known good"
   password found for the user.  Authentication may fail because of this.
   Mon Dec 21 08:14:30 2015 : Info: ++[pap] = noop
   Mon Dec 21 08:14:30 2015 : Info: +} # group authorize = ok
   Mon Dec 21 08:14:30 2015 : Info: ERROR: No authenticate method
   (Auth-Type) found for the request: Rejecting the user
   Mon Dec 21 08:14:30 2015 : Info: Failed to authenticate the user.

   When I run a search from the OS with the ldap tools, the output
   seems to be good (userPassword is {SHA} hashed):
   # ldapsearch -D
   "cn=binduser,cn=proxy,ou=clients,ou=nfra,dc=infra,dc=local" -w password
   -p 389 -h 10.252.25.20 -b
   "ou=users,cn=secdb,cn=data,ou=ALL,ou=infra,dc=infra,dc=local"
   "uid=test"
   dn:
   uid=test,ou=users,cn=secdb,cn=data,ou=ALL,ou=infra,dc=infra,dc=local
   maxFailedLogins: 3
   passwordMinAlphaChars: 1
   objectclass: account
   objectclass: top
   objectclass: posixaccount
   objectclass: shadowaccount
   passwordMaxRepeatedChars: 1
   uid: test
   uidNumber: 18001
   cn: test
   loginShell: /bin/bash
   passwordMinLength: 15
   shadowMin: 1
   gidNumber: 18000
   passwordMinOtherChars: 3
   shadowMax: 13
   gecos:
   homeDirectory: /home/test
   passwordHistSize: 12
   unsuccessfulLoginCount: 0
   passwordFlags: ADMCHG
   userPassword:: e1NIQX1mVFA2NUFYOURHMXFPZkhsem5tQzg5NElJM3c9

   This is my /etc/raddb/modules/ldap file:
   # grep -v "#" ldap
   ldap {
       server = "10.252.25.20"
       port = 389
       identity =
   "cn=binduser,cn=proxy,ou=clients,ou=nfra,dc=infra,dc=local"
       password = password
       basedn =
   "ou=users,cn=secdb,cn=data,ou=ALL,ou=infra,dc=infra,dc=local"
       filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
       ldap_connections_number = 5
       max_uses = 0
       timeout = 4
       timelimit = 3
       net_timeout = 1
       tls {
           start_tls = no
       }
       dictionary_mapping = ${confdir}/ldap.attrmap
       edir_account_policy_check = no
       keepalive {
           idle = 60
           probes = 3
           interval = 3
       }
   }

   Any ideas? I don't know how to get more debug output from the "ldap"
   module specifically to try to solve that "No "known good" password"
   message.

   Thanks a lot in advance,
   Regards,
   Alex
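The "known good" password that rlm_pap is asking for is the directory's userPassword value, which ldapsearch prints base64-encoded (the "::" separator) because the stored string begins with an RFC 2307 scheme tag such as {SHA}. The Python below is an added example, not FreeRADIUS code and not from the original post: it decodes an LDIF userPassword line (using the value posted above), splits off the scheme tag, and checks a candidate plaintext the way a PAP verifier checks {SHA} and {SSHA} hashes. The {SHA}/{SSHA} test values are generated inline from a chosen plaintext and are constructed; nothing is claimed about which plaintext the posted hash corresponds to. A scheme the checker cannot handle is reported as such rather than silently treated as a mismatch, which is the situation that leaves PAP with nothing to compare against.

```python
"""Offline check of an RFC 2307 userPassword value, as a PAP verifier does it.

Added example, not FreeRADIUS code.  Handles the LDIF '::' base64 encoding,
the {SHA} and {SSHA} schemes and plaintext; any other scheme is reported as
unknown so the caller can see why PAP would have no known-good password.
"""
import base64
import hashlib
import hmac

# userPassword line exactly as printed by the ldapsearch output in the post.
POSTED_LDIF_LINE = "userPassword:: e1NIQX1mVFA2NUFYOURHMXFPZkhsem5tQzg5NElJM3c9"


def ldif_attr(line):
    """Split one LDIF attribute line into (name, value bytes).

    'attr:: value' means the value is base64 (LDIF does this for userPassword
    because '{SHA}...' is not a safe string); 'attr: value' is plain text.
    """
    name, _, value = line.partition(":")
    value = value.strip()
    if value.startswith(":"):
        return name, base64.b64decode(value[1:].strip())
    return name, value.encode()


def split_scheme(stored):
    """Return (scheme, payload) for b'{SCHEME}payload'; scheme is '' for plaintext."""
    if stored.startswith(b"{") and b"}" in stored:
        scheme, _, payload = stored[1:].partition(b"}")
        return scheme.upper().decode(), payload
    return "", stored


def describe(stored):
    """(scheme, decoded digest length): a quick sanity check of what the directory returned."""
    scheme, payload = split_scheme(stored)
    if scheme in ("SHA", "SSHA"):
        return scheme, len(base64.b64decode(payload))
    return scheme, len(payload)


def make_sha(password, salt=None):
    """Build a {SHA} (no salt) or {SSHA} (digest || salt) userPassword for a plaintext."""
    if salt is None:
        return b"{SHA}" + base64.b64encode(hashlib.sha1(password).digest())
    digest = hashlib.sha1(password + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)


def verify(stored, candidate):
    """Check a candidate plaintext against a stored userPassword value.

    Returns (ok, reason).  ok is True/False for a checkable scheme and None
    when the scheme cannot be checked at all.
    """
    scheme, payload = split_scheme(stored)
    if scheme == "":
        return hmac.compare_digest(payload, candidate), "plaintext"
    if scheme == "SHA":
        raw = base64.b64decode(payload)
        if len(raw) != 20:  # SHA-1 digests are 20 bytes; anything else is corrupt
            return None, "malformed {SHA} digest, %d bytes" % len(raw)
        return hmac.compare_digest(raw, hashlib.sha1(candidate).digest()), "SHA"
    if scheme == "SSHA":
        raw = base64.b64decode(payload)
        digest, salt = raw[:20], raw[20:]  # RFC 2307 style: digest first, salt after
        return hmac.compare_digest(digest, hashlib.sha1(candidate + salt).digest()), "SSHA"
    return None, "unknown scheme {%s}" % scheme


if __name__ == "__main__":
    name, stored = ldif_attr(POSTED_LDIF_LINE)
    print(name, describe(stored))          # the posted value: ('SHA', 20)
    # Constructed values: hash a plaintext of our choosing, then check candidates.
    sha = make_sha(b"correct horse")
    ssha = make_sha(b"correct horse", b"\x01\x02\x03\x04")
    for stored_value in (sha, ssha, b"{MD5}irrelevant", b"plain"):
        print(stored_value, verify(stored_value, b"correct horse"))
```

Run it as-is to see how each scheme is classified; swap POSTED_LDIF_LINE for any userPassword line copied from ldapsearch to confirm the directory is handing back a hash format that PAP can check.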

