Check LDAP password with SHA512
Will W.
will at damagesinc.net
Tue Feb 2 21:58:44 CET 2016
The LDAP server is already in service for VPN access and all users authenticate,
but to clarify, both user accounts are identical other than the username. The only difference I can see is that the bind-user is the user account that is binding the freeradius server to LDAP.
So the bind user being able to look himself up isn't really a win, as none of the other users in the system can be authenticated.
> On Feb 2, 2016, at 12:54 PM, Alan DeKok <aland at deployingradius.com> wrote:
>
> On Feb 2, 2016, at 3:45 PM, Will W. <will at damagesinc.net> wrote:
>>
>> It is the radiusd -X output of the radtest; here are the fail and success
>
> This ends up not being complicated. Reading the debug output helps.
>
>> Success
> ...
>> rlm_ldap (ldap) - Bind successful
>> (1) ldap (updated)
>> (1) pap - Converted: Password-With-Header -> Crypt-Password
>
> That's clear.
>
>> Fail
> ...
>> (0) ldap - User object found at DN "uid=user,ou=Users,dc=myhost,dc=com"
>> (0) ldap - Processing user attributes
>> (0) ldap - WARNING: No "known good" password added. Set 'identity' to
>> the dn of an account that has permission to read the user's password
>> attribute
>
> If only the server produced useful error messages.
>
> This isn't rocket science. For the "success" case, the user has a password in LDAP. For the "fail" case, the user doesn't have a password in LDAP. Or, the user doesn't have permission to read the password.
>
> Have you tried checking the user entries in LDAP?
>
> Alan DeKok.
>
>
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
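The warning in the "fail" case says the identity FreeRADIUS binds with cannot read the user's password attribute, which is exactly what the success case for the bind user's own entry suggests: an LDAP ACL that lets an account read its own userPassword but nobody else's. The quickest way to confirm that from the FreeRADIUS host is to repeat what rlm_ldap does, a base-scope search on the user's DN bound as the service identity, and see whether userPassword comes back. The script below is an added example and is not part of this thread; the bind DN and password are placeholders, the user DN is the one from the debug output, and it assumes the OpenLDAP `ldapsearch` client is installed.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): check whether the DN that
# FreeRADIUS binds with can read another user's userPassword attribute.

BIND_DN="${BIND_DN:-cn=freeradius-bind,ou=Services,dc=myhost,dc=com}"  # placeholder, assumed
BIND_PW="${BIND_PW:-changeme}"                                           # placeholder, assumed
USER_DN="${USER_DN:-uid=user,ou=Users,dc=myhost,dc=com}"                 # DN from the debug output
LDAP_URI="${LDAP_URI:-ldap://localhost}"                                 # placeholder, assumed

# Read LDIF on stdin and print one of: no-entry, no-password, has-password.
# A userPassword value is normally base64-encoded by ldapsearch ("userPassword::"),
# so the pattern matches both the plain and the base64 form.
classify_ldif() {
    found_entry=0
    found_pw=0
    while IFS= read -r line; do
        case "$line" in
            dn:*) found_entry=1 ;;
            userPassword:*) found_pw=1 ;;
        esac
    done
    if [ "$found_entry" -eq 0 ]; then
        echo no-entry        # bind DN cannot see the entry at all (or it does not exist)
    elif [ "$found_pw" -eq 0 ]; then
        echo no-password     # entry visible, but userPassword not stored or not readable
    else
        echo has-password    # this is what rlm_ldap needs to build the "known good" password
    fi
}

# Fetch the entry the way rlm_ldap does: bind as the service identity, base-scope
# search on the user's DN, request only userPassword. -LLL keeps the LDIF minimal.
fetch_user_entry() {
    ldapsearch -LLL -x -H "$LDAP_URI" -D "$BIND_DN" -w "$BIND_PW" \
        -b "$USER_DN" -s base '(objectClass=*)' userPassword
}

# Live check only runs when explicitly requested, so the helper functions can be
# sourced and exercised without an LDAP server.
if [ "${RUN_LIVE_CHECK:-0}" = "1" ]; then
    result=$(fetch_user_entry | classify_ldif)
    echo "bind DN $BIND_DN reading $USER_DN: $result"
    case "$result" in
        has-password) exit 0 ;;
        no-password)  echo "grant $BIND_DN read access to userPassword, or point 'identity' at a DN that has it" ; exit 1 ;;
        no-entry)     echo "bind DN cannot see the entry; check the ACL on the user's subtree" ; exit 1 ;;
    esac
fi
```

Run it with `RUN_LIVE_CHECK=1 BIND_DN=... BIND_PW=... USER_DN=... sh check-ldap-pw.sh` once for the bind user's own DN and once for an ordinary user; getting `has-password` for the first and `no-password` for the second reproduces the thread's symptom and points at the directory's ACL rather than at FreeRADIUS. On OpenLDAP the usual remedy is an `olcAccess` rule on `attrs=userPassword` that grants `read` to the exact bind DN while keeping `by anonymous auth`, `by self write` and `by * none`.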