FreeRADIUS 3.0.x and user authentification against Novell eDirectory without Universal Password

Martin Kozelsk√Ĺ martin.kozelsky at
Tue Apr 7 11:56:13 CEST 2020


I am upgrading FreeRADIUS server from 2.2.5 (Debian 8) to 3.0.17 (Centos
8). I use LDAP user authentication against Novell eDirectory, where
authentication works in two steps:

1. anonymous searching user in LDAP,
2. binding to LDAP as user with cleartext password, if it is
successfull, the authentication&authorization is successfull.

It is done by configuration option "edir_account_policy_check=yes"

In new FreeRADIUS I have to use options "edir=yes" & "edir_autz=yes",
but Universal Password is required before the step 2. and it fails:

Mon Apr  6 15:03:15 2020 : Debug: (0) ldap: Performing search in "o=xxx"
with filter "(uid=xxx)", scope "sub"
Mon Apr  6 15:03:15 2020 : Debug: (0) ldap: Waiting for search result...
Mon Apr  6 15:03:15 2020 : Debug: (0) ldap: User object found at DN
Mon Apr  6 15:03:15 2020 : ERROR: (0) ldap: Failed to retrieve
eDirectory password: (-1631) BER manipulation failed

I need to disable Universal Password. In my opinion something as
"edir=no" & "edir_autz=yes" can solve it, but it doesn't work. You can
see in source file rlm_ldap.c that "edir=no" option disables all
eDirectory code block.

Or any advice?

Thank you very much

Martin Kozelsky

More information about the Freeradius-Users mailing list