Check LDAP password with SHA512

Alan DeKok aland at
Wed Jan 27 18:12:18 CET 2016

On Jan 27, 2016, at 11:58 AM, Will W. <will at> wrote:
> Question: How can I fix my configuration as I am getting No “known good” password Warning? 

  That means that the password wasn't found in the LDAP database.

> This is what I have done:
> I have enabled LDAP in /etc/raddb/sites-enabled/default
>           -ldap

  The ldap module is listed by default.  That's good.

>            if ((ok || updated) && User-Password) {
>                update {
>                    control:Auth-Type := ldap
>                }
>            }

  Delete all of that.  it's not necessary.

  I said "configure the LDAP module and it will Just Work".  I did NOT say "mangle the default virtual server".

> Created a symbolic line for ldap under /etc/raddb/mods-enabled/ldap

  That's good.

> ldap {
>        #  Note that this needs to match the name(s) in the LDAP server
>        #  certificate, if you're using ldaps.  See OpenLDAP documentation
>        #  for the behavioral semantics of specifying more than one host.
>        server = “"

  Is that the hostname of your LDAP server?

> The bind user is working. When I run the readiest for the bind user I get:
> Sending Access-Accept Id 4 from to
> in the debug while running radius -X

  And what does the debug output say?  Is it actually binding to LDAP?  Did you check?

> How ever when I try it again using a test account or any other user account I get:
> (1) WARNING: ldap : Bind with uid=bobsso,ou=Users,dc=myhost,dc=com to failed: Can't contact LDAP server. Got new socket, retrying...

  That indicates a problem.  Why does it take multiple tries to contact the LDAP server?

> (1) ldap : Waiting for bind result...
> (1) ldap : Bind successful
> (1) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
> (1) ldap :    --> (uid=demouser)
> (1) ldap : EXPAND ou=Users,dc=myhost,dc=com
> (1) ldap :    --> ou=Users,dc=myhoset,dc=com
> (1) ldap : Performing search in 'ou=Users,dc=yhost,dc=com' with filter '(uid=demouser)', scope 'sub'
> (1) ldap : Waiting for search result...
> (1) ldap : User object found at DN "uid=demouser,ou=Users,dc=myhost,dc=com"
> (1) ldap : Processing user attributes
> (1) WARNING: ldap : No "known good" password added. Ensure the admin user has permission to read the password attribute
> (1) WARNING: ldap : PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)

  And that's definitive.

  Is the LDAP server Active Directory?

  What happens when you run the LDAP query manually, with an LDAP client?  Do you get a "userPassword" entry back?

  Or do you have a custom LDAP schema, with the password in some other field?

  Alan DeKok.

More information about the Freeradius-Users mailing list