FreeRADIUS 3.0.x and user authentification against Novell eDirectory without Universal Password

Alan DeKok aland at
Tue Apr 7 16:31:33 CEST 2020

On Apr 7, 2020, at 5:56 AM, Martin Kozelsk√Ĺ <martin.kozelsky at> wrote:
> I am upgrading FreeRADIUS server from 2.2.5 (Debian 8) to 3.0.17 (Centos
> 8). I use LDAP user authentication against Novell eDirectory, where
> authentication works in two steps:
> 1. anonymous searching user in LDAP,
> 2. binding to LDAP as user with cleartext password, if it is
> successfull, the authentication&authorization is successfull.

  That shouldn't need any magic eDirectory things.  Just treat it as a normal LDAP bind.

  The eDirectory magic is to allow eDirectory to send the clear-text password to FreeRADIUS, for things like MS-CHAP.

> It is done by configuration option "edir_account_policy_check=yes"
> In new FreeRADIUS I have to use options "edir=yes" & "edir_autz=yes",
> but Universal Password is required before the step 2. and it fails:
> Mon Apr  6 15:03:15 2020 : Debug: (0) ldap: Performing search in "o=xxx"
> with filter "(uid=xxx)", scope "sub"
> Mon Apr  6 15:03:15 2020 : Debug: (0) ldap: Waiting for search result...
> Mon Apr  6 15:03:15 2020 : Debug: (0) ldap: User object found at DN
> "cn=xxx,ou=xxx,o=xxx"
> Mon Apr  6 15:03:15 2020 : ERROR: (0) ldap: Failed to retrieve
> eDirectory password: (-1631) BER manipulation failed

  So you're nod doing an anonymous search, and you're not doing bind as user.  Yes, it will fail.

> I need to disable Universal Password. In my opinion something as
> "edir=no" & "edir_autz=yes" can solve it, but it doesn't work. You can
> see in source file rlm_ldap.c that "edir=no" option disables all
> eDirectory code block.
> Or any advice?

  Configure anonymous search.  Configure bind as user.  Run the "ldap" module in the "authenticate" section.

  Delete all eDirectory magic from the configuration.

  Alan DeKok/

More information about the Freeradius-Users mailing list