Check LDAP password with SHA512

Alan DeKok aland at
Tue Feb 2 21:54:09 CET 2016

On Feb 2, 2016, at 3:45 PM, Will W. <will at> wrote:
> it is the radiusd -X out of the radtast here are the fail and success

  This ends up not being complicated.  Reading the debug output helps.

> Success
> rlm_ldap (ldap) - Bind successful
> (1)      ldap (updated)
> (1)      pap - Converted: Password-With-Header -> Crypt-Password

  That's clear.

> Fail
> (0)      ldap - User object found at DN "uid=user,ou=Users,dc=myhost,dc=com"
> (0)      ldap - Processing user attributes
> (0)      ldap - WARNING: No "known good" password added.  Set 'identity' to
> the dn of an account that has permission to read the user's password
> attribute

  If only the server produced useful error messages.

  This isn't rocket science.  For the "success" case, the user has a password in LDAP.  For the "fail" case, the user doesn't have a password in LDAP.  Or, the user doesn't have permission to read the password.

  Have you tried checking the user entries in LDAP?

  Alan DeKok.

More information about the Freeradius-Users mailing list