Google LDAP

Alan DeKok aland at
Mon Aug 12 22:28:25 CEST 2019

On Aug 12, 2019, at 3:59 PM, Julien Tessier <jtessier at> wrote:
> I've been trying for some time to connect Freeradius to Google Cloud
> Identity LDAP server. I followed their install guide and can successfully
> bind.

  Which is good.  Because their guide tells you to do the wrong thing.  I've submitted a bug request to them.  But since I'm not worth billions, Google ignores me.

  Following the guide will work.  But it will work ONLY for PAP passwords to Google LDAP.   The instructions on their guide will break everything else.

> Unfortunately, I get (0) pap: WARNING: No "known good" password found
> for the user.  Not setting Auth-Type and Access-Reject.

  That's not the real error.  Read ALL of the debug output for ERRORs and WARNINGs.

> (0) Received Access-Request Id 202 from to
> length 136
> (0)   Service-Type = Framed-User
> (0)   Framed-Protocol = PPP
> (0)   User-Name = "jtessier"
> (0)   MS-CHAP-Challenge = 0x88893572d1caa40f7048f8dcb81abcb3
> (0)   MS-CHAP2-Response =
> 0x5800d771ab437518177eb9c6eb22db522ba90000000000000000a08191a22342a6358fc5f127965acd3963fc2d317a92cb43

  That's MS-CHAP.  Not PAP.

  Google's LDAP server doesn't do MS-CHAP.

> (0) mschap: WARNING: No Cleartext-Password configured.  Cannot create
> NT-Password
> (0) mschap: WARNING: No Cleartext-Password configured.  Cannot create
> LM-Password
> (0) mschap: Creating challenge hash with username: jtessier
> (0) mschap: Client is using MS-CHAPv2
> (0) mschap: ERROR: FAILED: No NT/LM-Password.  Cannot perform authentication

  That's pretty clear.  FreeRADIUS needs the Cleartext-Password in order to do MS-CHAP.

  Google LDAP won't give it to you.  So you can't do MS-CHAP.

  Your options are:

a) use another LDAP server which *will* return Cleartext-Password

b) don't use MS-CHAP.

  Alan DeKok.
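
Added example (not part of the original message, and not FreeRADIUS code): a Python script that does the triage described above on pasted `radiusd -X` output. It finds which authentication attribute each request carried, collects every ERROR and WARNING, and flags whether that method can work against a directory that only accepts binds. The function names and the `BIND_ONLY_OK` rule are assumptions of this example; the sample lines are the ones quoted in the message, mail wrapping included.

```python
import re

# Request attribute -> authentication method it implies.
METHOD_BY_ATTR = {"User-Password": "PAP", "CHAP-Password": "CHAP",
                  "MS-CHAP-Response": "MS-CHAPv1", "MS-CHAP2-Response": "MS-CHAPv2"}
# Assumption of this example: a bind-only directory can verify PAP only.
BIND_ONLY_OK = {"PAP"}
ATTR_RE = re.compile(r"^\((\d+)\)\s+([A-Za-z0-9-]+) =")
DIAG_RE = re.compile(r"^\((\d+)\)\s+(\w+): (ERROR|WARNING): (.*)$")

def unwrap(text):
    """Strip mail quoting and rejoin lines the mail client wrapped."""
    out = []
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).rstrip()
        if line.startswith("(") or not out:
            out.append(line)          # new request-scoped "(N) ..." line
        elif line:
            out[-1] += " " + line     # continuation of the previous line
    return out

def triage(text):
    """Per request id: method seen, bind-only compatibility, every ERROR/WARNING."""
    reqs = {}
    for line in unwrap(text):
        attr, diag = ATTR_RE.match(line), DIAG_RE.match(line)
        if not (attr or diag):
            continue
        r = reqs.setdefault((attr or diag).group(1), {"method": None,
                            "bind_only_ok": None, "ERROR": [], "WARNING": []})
        if attr and attr.group(2) in METHOD_BY_ATTR:
            r["method"] = METHOD_BY_ATTR[attr.group(2)]
            r["bind_only_ok"] = r["method"] in BIND_ONLY_OK
        elif diag:
            r[diag.group(3)].append(f"{diag.group(2)}: {diag.group(4)}")
    return reqs

# Debug lines as quoted in the message above.
SAMPLE = '''\
> (0)   MS-CHAP-Challenge = 0x88893572d1caa40f7048f8dcb81abcb3
> (0)   MS-CHAP2-Response =
> 0x5800d771ab437518177eb9c6eb22db522ba90000000000000000a08191a22342a6358fc5f127965acd3963fc2d317a92cb43
> (0) pap: WARNING: No "known good" password found
> for the user.  Not setting Auth-Type and Access-Reject.
> (0) mschap: WARNING: No Cleartext-Password configured.  Cannot create
> NT-Password
> (0) mschap: ERROR: FAILED: No NT/LM-Password.  Cannot perform authentication
'''
print(triage(SAMPLE))
```

On the sample, request 0 is reported as MS-CHAPv2 with `bind_only_ok` false, and the `mschap` ERROR appears alongside the `pap` WARNING that was originally mistaken for the cause.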

More information about the Freeradius-Users mailing list