Freeradius + LDAP - WARNING: No "known good" password was found in LDAP

Alan DeKok aland at deployingradius.com
Mon Dec 21 15:00:07 CET 2015


On Dec 21, 2015, at 3:38 AM, Kermes - - <kermes at gmx.es> wrote:
>   I need some help with my freeradius + LDAP configuration, I'm stuck
>   with a "WARNING: No "known good" password was found in LDAP" message,
>   and I don't know how to continue with the debugging of this problem.

  The user isn't found in LDAP.  The debug output shows that, including the LDAP query.

>   First, versions:
>   freeradius-ldap-2.2.6-6.el6_7.x86_64
>   freeradius-2.2.6-6.el6_7.x86_64
> 
>   This is the output from "radiusd -X":

  The debug output is from "radiusd -Xx", which adds timestamps... and makes the output more difficult to read.  Please use just "radiusd -X".
> 
>   Mon Dec 21 08:14:30 2015 : Debug:   [ldap] performing search in
>   ou=users,cn=secdb,cn=data,ou=ALL,ou=infra,dc=infra,dc=local with filter
>   (uid=test)
>   Mon Dec 21 08:14:30 2015 : Info: [ldap] looking for check items in
>   directory...
>   Mon Dec 21 08:14:30 2015 : Info: [ldap] looking for reply items in
>   directory...

  And nothing was found.

  What happens when you use that LDAP search string in an LDAP client utility?

  Test it with an LDAP client.  Once you get the search string correct, fix the FreeRADIUS query to use the correct search string.

>       basedn =
>   "ou=users,cn=secdb,cn=data,ou=ALL,ou=infra,dc=infra,dc=local"
>       filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

  One or both of those is wrong for your LDAP system.

  I don't know what the *right* query is, because I don't know how your LDAP system is set up.

  Alan DeKok.
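
The check suggested above (run the logged search in an LDAP client), as an added example that is not part of the original post: it rebuilds the filter from the quoted template and runs it with OpenLDAP's ldapsearch. LDAP_URI and BIND_DN are placeholders, and the subtree scope is an assumption about how the module searches.

```shell
#!/bin/sh
# Added example: reproduce the search FreeRADIUS logged, using ldapsearch.
# BASE_DN and the filter template are the ones quoted in the post.
# LDAP_URI and BIND_DN are hypothetical placeholders; set them for your site.

BASE_DN='ou=users,cn=secdb,cn=data,ou=ALL,ou=infra,dc=infra,dc=local'
LDAP_URI="${LDAP_URI:-ldap://ldap.example.org}"
BIND_DN="${BIND_DN:-cn=radius,dc=example,dc=org}"

# Escape RFC 4515 filter metacharacters so the name is matched literally.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Mirror "(uid=%{%{Stripped-User-Name}:-%{User-Name}})":
# use Stripped-User-Name when it is set, otherwise fall back to User-Name.
build_filter() {   # $1 = Stripped-User-Name (may be empty), $2 = User-Name
    name="${1:-$2}"
    printf '(uid=%s)' "$(ldap_escape "$name")"
}

# Run the search under BASE_DN (subtree scope is assumed here).
# Returns 0 only if at least one entry (a "dn:" line) came back.
search_user() {    # same arguments as build_filter
    filter=$(build_filter "$1" "$2")
    echo "base:   $BASE_DN" >&2
    echo "filter: $filter" >&2
    ldapsearch -x -LLL -H "$LDAP_URI" -D "$BIND_DN" -W \
        -b "$BASE_DN" -s sub "$filter" dn | grep -q '^dn:'
}

# Usage: sh check.sh User-Name [Stripped-User-Name]
if [ "$#" -ge 1 ]; then
    if search_user "${2:-}" "$1"; then
        echo "entry found: base DN and filter match this directory"
    else
        echo "no entry: fix basedn or filter until this search returns the user"
    fi
fi
```

An empty result here corresponds to the "looking for check items" lines in the debug output with nothing after them.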



