Error after successful bind using Samba4, it might be the userPassword attribute
Ing. Pedro Pablo Delgado Martell
ppmartell at eleka.co.cu
Tue Feb 13 16:10:07 CET 2018
I'm trying to set freeradius authentication against a *Samba Active
Directory Domain Controller v4.3.0* (*sernet-samba-ad*) server. The
parameters in my ldap module file look like this:
    server = "192.168.1.8"
    identity = "cn=root,cn=Users,dc=eleka,dc=co,dc=cu"
    password = password
    basedn = "dc=eleka,dc=co,dc=cu"
    filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
When I run *radtest root password 127.0.0.1 0 testing123* in debug mode
(freeradius -X) I get a successful bind (*[ldap] Bind was successful*)
but after that, this error is shown:
    WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
I found here
http://lists.freeradius.org/pipermail/freeradius-users/2015-December/081338.html
that it might be a problem related to Samba4, which looks like it doesn't
have a userPassword attribute, and the freeradius LDAP module can map the
*userPassword* attribute defined in *ldap.attrmap*.
I also executed this query using ldapsearch (*without any issue* so
identity works):
    ldapsearch -LLL -b "dc=eleka,dc=co,dc=cu" -h 192.168.206.8 -D "cn=root,cn=Users,dc=eleka,dc=co,dc=cu" -w password userPassword=*
    # refldap://eleka.co.cu/CN=Configuration,DC=eleka,DC=co,DC=cu
    # refldap://eleka.co.cu/DC=DomainDnsZones,DC=eleka,DC=co,DC=cu
    # refldap://eleka.co.cu/DC=ForestDnsZones,DC=eleka,DC=co,DC=cu
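
The ldapsearch check in the message above, as an added example that is not part of the original post: a small parser for `ldapsearch -LLL` output that separates returned entries from referral comments and lists the entries carrying a password attribute. The attribute list defaults to the post's userPassword; the function names and the second sample (example.test) are constructed for illustration.

```python
import base64

# Output lines quoted in the post: referral comments only.
POST_OUTPUT = "\n".join([
    "# refldap://eleka.co.cu/CN=Configuration,DC=eleka,DC=co,DC=cu",
    "# refldap://eleka.co.cu/DC=DomainDnsZones,DC=eleka,DC=co,DC=cu",
    "# refldap://eleka.co.cu/DC=ForestDnsZones,DC=eleka,DC=co,DC=cu",
])

# Constructed sample (not from the post): a folded dn and a base64 value.
CONSTRUCTED = "\n".join([
    "dn: CN=testuser,CN=Users,DC=example,",
    " DC=test",
    "sAMAccountName: testuser",
    "userPassword:: " + base64.b64encode(b"{SSHA}constructed").decode(),
    "",
    "dn: CN=other,CN=Users,DC=example,DC=test",
    "sAMAccountName: other",
    "",
    "# refldap://example.test/CN=Configuration,DC=example,DC=test",
])

def parse_ldif(text):
    """Split `ldapsearch -LLL` output into (entries, referrals)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # LDIF folding: continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, referrals, current = [], [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if line.startswith("# ref"):        # referral comment, as in the post
            referrals.append(line[2:])
        elif not line.strip():              # blank line ends an entry
            entries += [current] if current else []
            current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):       # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            current.setdefault(attr.lower(), []).append(value.strip())
    return entries, referrals

def password_report(text, attrs=("userpassword",)):
    # attrs: lower-cased LDAP attribute names to look for (assumption: userPassword only)
    entries, referrals = parse_ldif(text)
    holders = [e.get("dn", ["?"])[0] for e in entries if any(a in e for a in attrs)]
    return {"entries": len(entries), "referrals": len(referrals), "with_password": holders}
```

Run on the output quoted in the post, `password_report(POST_OUTPUT)` reports zero entries and three referrals.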