Check LDAP password with SHA512
Will W.
will at damagesinc.net
Wed Jan 27 17:58:32 CET 2016
Question: How can I fix my configuration, as I am getting the No "known good" password warning?
This is what I have done:
I have enabled LDAP in /etc/raddb/sites-enabled/default
    -ldap
    if ((ok || updated) && User-Password) {
        update {
            control:Auth-Type := ldap
        }
    }
Created a symbolic link for ldap under /etc/raddb/mods-enabled/ldap
    ldap {
        # Note that this needs to match the name(s) in the LDAP server
        # certificate, if you're using ldaps. See OpenLDAP documentation
        # for the behavioral semantics of specifying more than one host.
        server = "ldap.myhost.com"
        # Port to connect on, defaults to 389. Setting this to 636 will enable
        # LDAPS if start_tls (see below) is not able to be used.
        port = 636
        # Administrator account for searching and possibly modifying.
        identity = "uid=TestUser,ou=Users,dc=myhost,dc=com"
        password = testing123
        # Unless overridden in another section, the dn from which all
        # searches will start from.
        base_dn = "ou=Users,dc=myhost,dc=com"
    }
The bind user is working. When I run radtest for the bind user I get:
Sending Access-Accept Id 4 from 127.0.0.1:1812 to 127.0.0.1:42631
in the debug output while running radiusd -X.
However, when I try it again using a test account or any other user account I get:
(1) WARNING: ldap : Bind with uid=bobsso,ou=Users,dc=myhost,dc=com to ldap.myhost.com:636 failed: Can't contact LDAP server. Got new socket, retrying...
(1) ldap : Waiting for bind result...
(1) ldap : Bind successful
(1) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(1) ldap : --> (uid=demouser)
(1) ldap : EXPAND ou=Users,dc=myhost,dc=com
(1) ldap : --> ou=Users,dc=myhoset,dc=com
(1) ldap : Performing search in 'ou=Users,dc=yhost,dc=com' with filter '(uid=demouser)', scope 'sub'
(1) ldap : Waiting for search result...
(1) ldap : User object found at DN "uid=demouser,ou=Users,dc=myhost,dc=com"
(1) ldap : Processing user attributes
(1) WARNING: ldap : No "known good" password added. Ensure the admin user has permission to read the password attribute
(1) WARNING: ldap : PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (4)
rlm_ldap (ldap): Closing connection (0), from 1 unused connections
rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for 140 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for 140 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (1): Hit idle_timeout, was idle for 140 seconds
rlm_ldap (ldap): You probably need to lower "min"
> On Jan 27, 2016, at 8:41 AM, Alan DeKok <aland at deployingradius.com> wrote:
>
> On Jan 27, 2016, at 11:38 AM, Will W. <will at damagesinc.net> wrote:
>>
>> Trying to get freeradius 3.0.10 setup with LDAP using SHA512 and I am trying to get my head around the new layout.
>
> What's hard? Get it installed. Get the LDAP module configured for your LDAP server. 99% of everything will Just Work.
>
>> Has anyone had luck getting this working?
>
> Please ask good questions. What did you do? What did you expect to see happen? Why? What happened instead? What does the debug output show?
>
> The default configuration is designed to work nearly everywhere, with minimal changes. Just enable the LDAP module, add your LDAP server IP / bind DN, and pretty much everything will Just Work.
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
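The warning in the debug output above says the LDAP module found the user but received no "known good" password, i.e. the bind account could not read the userPassword attribute. The following script is an added example, not code from the original post or from the FreeRADIUS project. It does two things a defender would check by hand: it parses an ldapsearch-style LDIF record (constructed sample data here) to see whether userPassword came back at all, and it verifies a cleartext candidate against an RFC 2307 style {SHA512} or {SSHA512} value, which is the comparison rlm_pap performs once a known good password has been retrieved. The salt value, sample DN and sample password are assumptions made for the demo.

```python
"""Added example: check whether an LDIF record exposes userPassword to the
bind account, and verify a cleartext password against {SHA512}/{SSHA512}.
Not part of the original post or of FreeRADIUS; sample data is constructed."""
import base64
import hashlib
import hmac
import os
from typing import Optional


def make_hash(password: str, scheme: str = "SSHA512",
              salt: Optional[bytes] = None) -> str:
    """Build an RFC 2307 style userPassword value for test data.

    {SHA512}  = base64(sha512(password))
    {SSHA512} = base64(sha512(password + salt) + salt)
    """
    scheme = scheme.upper()
    if scheme == "SHA512":
        digest = hashlib.sha512(password.encode()).digest()
        return "{SHA512}" + base64.b64encode(digest).decode()
    if scheme == "SSHA512":
        salt = os.urandom(8) if salt is None else salt
        digest = hashlib.sha512(password.encode() + salt).digest()
        return "{SSHA512}" + base64.b64encode(digest + salt).decode()
    raise ValueError("unsupported scheme: " + scheme)


def verify_password(stored: str, candidate: str) -> bool:
    """Compare a candidate cleartext against a stored userPassword value."""
    if not stored.startswith("{"):
        # No scheme prefix: the directory stores cleartext.
        return hmac.compare_digest(stored.encode(), candidate.encode())
    scheme, _, b64 = stored[1:].partition("}")
    raw = base64.b64decode(b64)
    scheme = scheme.upper()
    if scheme == "SHA512":
        return hmac.compare_digest(raw, hashlib.sha512(candidate.encode()).digest())
    if scheme == "SSHA512":
        digest, salt = raw[:64], raw[64:]  # sha512 digest is 64 bytes, salt follows
        return hmac.compare_digest(
            digest, hashlib.sha512(candidate.encode() + salt).digest())
    return False  # scheme not handled by this example


def parse_ldif_user_password(ldif: str) -> Optional[str]:
    """Return the userPassword value from one LDIF record, or None if absent.

    ldapsearch base64-encodes the attribute ("userPassword:: ..."); both the
    encoded and the plain form are accepted. None is what the bind account
    sees when the directory ACL denies it read access to the attribute.
    """
    for line in ldif.splitlines():
        if line.startswith("userPassword:: "):
            return base64.b64decode(line[len("userPassword:: "):]).decode()
        if line.startswith("userPassword: "):
            return line[len("userPassword: "):]
    return None


def check_record(ldif: str, candidate: str) -> str:
    """Classify a record the way the RADIUS server would experience it."""
    stored = parse_ldif_user_password(ldif)
    if stored is None:
        return "no known good password: bind account cannot read userPassword"
    return "ok" if verify_password(stored, candidate) else "password mismatch"


# Constructed sample data (hypothetical user, fixed salt so the value is stable).
SAMPLE_PASSWORD_VALUE = make_hash("testing123", "SSHA512", salt=b"saltsalt")

SAMPLE_LDIF_READABLE = (
    "dn: uid=demouser,ou=Users,dc=myhost,dc=com\n"
    "uid: demouser\n"
    "userPassword:: " + base64.b64encode(SAMPLE_PASSWORD_VALUE.encode()).decode() + "\n"
)

# Same entry as returned to a bind account that lacks read access to userPassword.
SAMPLE_LDIF_NO_ACCESS = (
    "dn: uid=demouser,ou=Users,dc=myhost,dc=com\n"
    "uid: demouser\n"
)

if __name__ == "__main__":
    print(check_record(SAMPLE_LDIF_READABLE, "testing123"))
    print(check_record(SAMPLE_LDIF_READABLE, "wrong"))
    print(check_record(SAMPLE_LDIF_NO_ACCESS, "testing123"))
```

To reproduce the real check against a directory, run ldapsearch with the same bind DN and password configured in the ldap module and ask only for userPassword; if the entry comes back without that attribute, the problem is the directory ACL, not FreeRADIUS, and the script's "no known good password" branch is what the server is reporting.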