Problems to authenticate against an Azure AD -Ldap
Alan DeKok
aland at deployingradius.com
Thu Sep 21 11:31:29 UTC 2023
On Sep 21, 2023, at 7:13 AM, Uwe Faber <uf at zkm.de> wrote:
>
> Hi folks, I hope you can help after reading thousands of articles and making hundreds of trials with the freeradius with no success.
> Here is the situation: we have an Azure AD and for this an LDAP server front-end. So I could connect to the AD over the LDAP.
>
> For testing reasons I implemented a local OpenLDAP server and tested it with the eapol test and it works without problems, but if I change the LDAP connection to the Azure/LDAP I got the following error:
So... "I did a bunch of stuff and it didn't work. How do I fix it?"
Answer: do different stuff.
> 5) ldap_khs: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
> (5) ldap_khs: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
I still don't understand why people work *very* hard to ignore all of the debug output and the documentation which says POST ALL OF THE DEBUG OUTPUT.
If you're doing PEAP/MS-CHAP to Azure AD, it won't work. Stop trying.
Use EAP-TTLS with PAP, and then use LDAP "bind as user" (Auth-Type LDAP) in order to hand the password to AD.
Alan DeKok.
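
A sketch of the setup recommended in the reply above, added here as an example; it is not taken from the thread or from the poster's configuration. It is a FreeRADIUS 3.x fragment for the virtual server that handles the EAP-TTLS inner request, using the `ldap_khs` module instance named in the debug output. The file path is an assumption, and only the lines relevant to LDAP bind are shown.

```text
# Added example. Assumed file: sites-enabled/inner-tunnel (FreeRADIUS 3.x),
# the virtual server that receives the PAP request carried inside EAP-TTLS.
server inner-tunnel {
	authorize {
		# Look the user up through the LDAP front-end. ldap_khs is the
		# module instance name that appears in the debug output.
		ldap_khs

		# TTLS/PAP delivers a clear-text User-Password. If the user was
		# found and no other module has chosen an Auth-Type, select
		# authentication by LDAP bind.
		if ((ok || updated) && &User-Password && !&control:Auth-Type) {
			update control {
				&Auth-Type := LDAP
			}
		}
	}

	authenticate {
		# "Bind as user": the module binds to the directory with the
		# user's DN and the supplied password, so the directory itself
		# verifies the password and the server never needs to read it.
		Auth-Type LDAP {
			ldap_khs
		}
	}
}
```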