Problems authenticating against an Azure AD LDAP
Michael Schwartzkopff
ms at sys4.de
Thu Sep 21 15:11:05 UTC 2023
On 21.09.23 16:59, Uwe Faber wrote:
> Alan DeKok schrieb:
>> On Sep 21, 2023, at 7:13 AM, Uwe Faber <uf at zkm.de> wrote:
>>> Hi folks, I hope you can help after reading thousands of articles and
>>> making hundreds of trials with FreeRADIUS with no success.
>>> Here is the situation: we have an Azure AD and for this an LDAP
>>> server front-end. So I could connect to the AD over LDAP.
>>>
>>> For testing reasons I implemented a local OpenLDAP server and tested
>>> it with eapol_test and it works without problems, but if I
>>> change the LDAP connection to the Azure LDAP I got the following error:
>> So... "I did a bunch of stuff and it didn't work. How do I fix it?"
>>
>> Answer: do different stuff.
>>
>>> (5) ldap_khs: WARNING: No "known good" password added. Ensure the
>>> admin user has permission to read the password attribute
>>> (5) ldap_khs: WARNING: PAP authentication will *NOT* work with
>>> Active Directory (if that is what you were trying to configure)
>> I still don't understand why people work *very* hard to ignore all
>> of the debug output and the documentation which says POST ALL OF THE
>> DEBUG OUTPUT.
>>
>> If you're doing PEAP/MS-CHAP to Azure AD, it won't work. Stop trying.
>>
>> Use EAP-TTLS with PAP, and then use LDAP "bind as user" (Auth-Type
>> LDAP) in order to hand the password to AD.
>>
>> Alan DeKok.
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
> here the debug output
>
>
> (...)
> (5) ldap_khs: Performing search in "OU=AADDC
> Users,dc=karlshochschule,dc=de" with filter "(cn=testuser)", scope "sub"
> ldap_search_ext
> (....)
> (5) ldap_khs: User object found at DN "CN=testuser,OU=AADDC
> Users,DC=karlshochschule,DC=de"
> (....)
> (5) ldap_khs: WARNING: No "known good" password added. Ensure the
> admin user has permission to read the password attribute
> (5) ldap_khs: WARNING: PAP authentication will *NOT* work with Active
> Directory (if that is what you were trying to configure)
> (....)
The logs are quite obvious. You are trying to do an ldapsearch against
an AD-LDAP. That will not work, since AD-LDAP does not reply with the
necessary LDAP attributes for the password so that freeradius can
authenticate. You have to use ldapbind for authentication.
Next Version RADIUS server:
https://freeradius.org/documentation/freeradius-server/4.0.0/howto/modules/ldap/authentication.html
Perhaps this helps:
https://www.nasirhafeez.com/freeradius-with-ldaps-on-azure-ad-domain-services/
>
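The "bind as user" setup that both Alan (EAP-TTLS with PAP, then Auth-Type LDAP) and Michael (ldapbind instead of ldapsearch-and-compare) point to, written out as an added example for FreeRADIUS 3.x. This is not code from the thread and not FreeRADIUS's shipped configuration. The module instance name ldap_khs is taken from the debug output; the LDAPS hostname, service-account DN, base DN, CA file and config file paths are assumptions, and the thread's real domain is deliberately not used. The point it shows: the service account is only used to search for the user's DN, the user object lookup cannot return a usable password attribute from Azure AD DS, so the inner PAP password is handed to the directory in a bind as that user.

```conf
# --- /etc/freeradius/3.0/mods-available/ldap  (assumed path) ---------------
# Instance name matches the "ldap_khs" in the debug output.
ldap ldap_khs {
	# Azure AD DS only serves LDAPS; hostname is an assumption.
	server = 'ldaps://ldaps.aadds.example.com'
	port = 636

	# Service account used only to SEARCH for the user's DN. Azure AD DS
	# never returns a readable password attribute (hence the "No known good
	# password" warning), so this account needs no special privilege.
	identity = 'CN=svc-radius,OU=AADDC Users,DC=example,DC=com'
	password = 'service-account-secret'

	base_dn = 'OU=AADDC Users,DC=example,DC=com'

	user {
		base_dn = "${..base_dn}"
		# Match on sAMAccountName or UPN instead of cn; use the realm-stripped
		# name when the supplicant sent user@realm.
		filter = "(|(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})(userPrincipalName=%{User-Name}))"
		scope = 'sub'
	}

	# The user's clear-text password travels in the bind, so the server
	# certificate must be verified, not just encrypted against.
	tls {
		ca_file = /etc/ssl/certs/aadds-ldaps-ca.pem   # assumed path
		require_cert = 'demand'
	}

	pool {
		start = 5
		min = 4
		max = 32
		spare = 3
		uses = 0
		lifetime = 0
		idle_timeout = 60
	}
}

# --- /etc/freeradius/3.0/mods-available/eap  (relevant part only) ----------
eap {
	default_eap_type = ttls
	ttls {
		tls = tls-common
		copy_request_to_tunnel = no
		use_tunneled_reply = no
		# Inner PAP request is processed by this virtual server.
		virtual_server = "inner-tunnel"
	}
}

# --- /etc/freeradius/3.0/sites-available/inner-tunnel  (relevant part) -----
server inner-tunnel {
	authorize {
		filter_username
		suffix
		update control {
			&Proxy-To-Realm := LOCAL
		}
		eap {
			ok = return
		}

		# Finds the DN only. Against Azure AD DS this will NOT add a
		# "known good" password, so "pap" alone would reject the user.
		ldap_khs

		# Bind-as-user: DN found and the inner method delivered a clear-text
		# password (TTLS/PAP), so authenticate by binding with it.
		if ((ok || updated) && &User-Password) {
			update {
				&control:Auth-Type := ldap_khs
			}
		}

		expiration
		logintime
		pap
	}

	authenticate {
		Auth-Type PAP {
			pap
		}
		# Registers Auth-Type "ldap_khs": rlm_ldap binds to Azure AD DS as the
		# user with the tunnelled password and returns ok only on success.
		Auth-Type ldap_khs {
			ldap_khs
		}
		eap
	}
}
```

To check it, point eapol_test at a network block with eap=TTLS and phase2="auth=PAP" (not PEAP/MSCHAPv2: Azure AD DS does not expose the NT hash, so MS-CHAP cannot be verified at all) and run the server with radiusd -X; a successful user bind shows up in the ldap_khs debug lines instead of the "No known good password" warning. Two things to keep in mind: Azure AD DS can only answer binds for users whose password hashes have been synchronised into the managed domain, and because the inner password is sent in clear text inside the tunnel, the supplicant must be configured with the RADIUS server's CA and expected server name, exactly as the LDAP module above is for the directory.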