Problems authenticating against an Azure AD LDAP
Alan DeKok
aland at deployingradius.com
Thu Sep 21 16:35:48 UTC 2023
On Sep 21, 2023, at 10:59 AM, Uwe Faber <uf at zkm.de> wrote:
> here is the debug output
> ...
> (5) eap_ttls: User-Name = "testuser at karlshochschule.de"
> (5) eap_ttls: User-Password = "password"
So EAP-TTLS with PAP. That's good.
> (5) ldap_khs: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
> (5) ldap_khs: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
yeah...
Read https://github.com/FreeRADIUS/freeradius-server/blob/v3.2.x/raddb/mods-available/ldap
There's documentation for this.
> ldap_msgfree
> rlm_ldap (ldap_khs): Released connection (5)
> Need 4 more connections to reach min connections (5)
> rlm_ldap (ldap_khs): Opening additional connection (6), 1 of 9 pending slots used
> rlm_ldap (ldap_khs): Connecting to ldaps://ldap.karlshochschule.de:636
> ldap_create
> ldap_url_parse_ext(ldaps://ldap.karlshochschule.de:636)
> TLS: warning: cacertdir not implemented for gnutls
And using gnutls (in libldap) with OpenSSL (for EAP-TTLS) is likely to cause issues.
We've put more checks and warnings into v3 which complain about this issue. But they exist only in the debug output, which usually means that they're hard to find.
Alan DeKok.
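The fix the warning points at, shown here as an added configuration example that is not part of the thread or of the FreeRADIUS default files: because Active Directory never returns a readable password attribute, the pap module has nothing to compare against, so the server must instead bind to the directory as the user. It assumes the module instance name `ldap_khs` from the debug output and that the inner-tunnel virtual server is what receives the EAP-TTLS/PAP request; everything else is an assumption about the site's layout.

```unlang
# raddb/sites-available/inner-tunnel  (added example, not the page's own config;
# the instance name ldap_khs comes from the debug output, the rest is assumed)

authorize {
	# Look the user up; with AD this returns ok/updated but adds no
	# "known good" password, which is exactly the WARNING in the log.
	ldap_khs

	# PAP inside TTLS gives us a cleartext User-Password.  Since AD will
	# not let us read the stored password, force an LDAP bind as the user
	# instead of letting pap try a local comparison.
	if ((ok || updated) && User-Password && !control:Auth-Type) {
		update {
			control:Auth-Type := ldap_khs
		}
	}
}

authenticate {
	# Declaring this section registers "ldap_khs" as a valid Auth-Type.
	# In authenticate mode the module binds to ldaps://... with the
	# user's DN and the supplied password; a successful bind is the
	# authentication.
	Auth-Type ldap_khs {
		ldap_khs
	}
}
```

The bind still needs a usable TLS stack underneath libldap, so the gnutls warning in the debug output has to be resolved separately from this change.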