Problems to authenticate against an Azure AD -Ldap

Alan DeKok aland at
Thu Sep 21 16:35:48 UTC 2023

On Sep 21, 2023, at 10:59 AM, Uwe Faber <uf at> wrote:
> here the debug output
> ...
> (5) eap_ttls:   User-Name = "testuser at"
> (5) eap_ttls:   User-Password = "password"

  So EAP-TTLS with PAP.  That's good.

> (5) ldap_khs: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
> (5) ldap_khs: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)



  There's documentation for this.

> ldap_msgfree
> rlm_ldap (ldap_khs): Released connection (5)
> Need 4 more connections to reach min connections (5)
> rlm_ldap (ldap_khs): Opening additional connection (6), 1 of 9 pending slots used
> rlm_ldap (ldap_khs): Connecting to ldaps://
> ldap_create
> ldap_url_parse_ext(ldaps://
> TLS: warning: cacertdir not implemented for gnutls

  And using gnutls (in libldap) with OpenSSL (for EAP-TTLS) is likely to cause issues.

  We've put more checks and warnings into v3 which complain about this issue.  But they exist only in the debug output, which usually means that they're hard to find.

  Alan DeKok.
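The warnings discussed in this message appear only in debug output, so a small filter helps surface them from a saved capture. The following is an added example, not part of the original post and not FreeRADIUS project code; the sample lines are constructed from the ones quoted above, and the user name and LDAP host are placeholders.

```python
import re

# Constructed sample modelled on the debug lines quoted in the message;
# the user name and LDAP host are placeholders, not values from the thread.
SAMPLE = '''\
> (5) eap_ttls:   User-Name = "testuser@example.org"
> (5) ldap_khs: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
> (5) ldap_khs: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
> rlm_ldap (ldap_khs): Connecting to ldaps://ldap.example.org
> TLS: warning: cacertdir not implemented for gnutls
> (6) ldap_khs: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
'''

# Per-request module warning, e.g. "(5) ldap_khs: WARNING: text"
REQ_WARN = re.compile(r"^\((?P<req>\d+)\)\s+(?P<src>[^:]+):\s+WARNING:\s+(?P<msg>.*)$")
# Library-level warning with no request prefix, e.g. "TLS: warning: text"
LIB_WARN = re.compile(r"^(?P<src>[A-Za-z_][\w ()]*):\s+warning:\s+(?P<msg>.*)$", re.IGNORECASE)


def collect_warnings(text):
    """Map (source, message) -> request ids that raised it, in first-seen order."""
    found = {}
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()  # tolerate mail-quoted debug output
        m = REQ_WARN.match(line) or LIB_WARN.match(line)
        if not m:
            continue
        reqs = found.setdefault((m.group("src").strip(), m.group("msg").strip()), [])
        req = m.groupdict().get("req")  # absent for library-level lines
        if req is not None and int(req) not in reqs:
            reqs.append(int(req))
    return found


def mentions_gnutls(warnings):
    """True when any collected warning text names gnutls."""
    return any("gnutls" in msg.lower() for _src, msg in warnings)


if __name__ == "__main__":
    warnings = collect_warnings(SAMPLE)
    for (src, msg), reqs in warnings.items():
        where = "requests " + ", ".join(map(str, reqs)) if reqs else "library level"
        print(f"[{src}] ({where}) {msg}")
    if mentions_gnutls(warnings):
        print("note: libldap reports gnutls; compare with the TLS library used for EAP")
```

Repeated warnings are collapsed to one entry with the list of requests that triggered them, so a long capture reduces to the handful of distinct messages worth reading.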
