[External Mail] Issue with authentication for certain users

Alan DeKok aland at deployingradius.com
Mon Apr 7 15:01:21 UTC 2025


On Apr 7, 2025, at 10:22 AM, Wayne Sprouse via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> 
> I have looked up documentation on configuring FreeRADIUS to
> authenticate using the users' mail addresses. I have everything set up
> correctly from looking at the documentation, I have the filter set to
> mail={%User-Name}. The FreeRADIUS server looks for the user by the
> email address when looking at the Google LDAP logs. Google's LDAP
> server responds with the UID of the user. Then, the FreeRADIUS server
> attempts to log in using the UID.

  This isn't the normal way that FreeRADIUS works with LDAP.  If you configured the LDAP module in FreeRADIUS, it will do one of two things:

1) look up the user's password in LDAP during the "authorize" section.  The user will then be authenticated by the PAP / CHAP / MS-CHAP module.

2) do "bind as user" with the supplied User-Name and password during the "authenticate" section.  The LDAP module will return success / fail, and the user will be authenticated.

  That's it.  The only minor point here is that either LDAP query may result in redirects.  But at no point does the server replace the email address with the UID of the user.

> I do not want this as this is
> causing all the users in our subdomain to fail the bind. This is
> because for the subdomain, it would need to be
> dc=student,dc=madeupdomain,dc=com and that is not how Google responded
> for the UID of the user. Do I have something configured wrong or is
> there a way to force the mail address only?

  It's not at all clear what you're doing.  Perhaps you could post the debug output.

  The previous debug output you posted was using "radiusd -Xx", which includes timestamps.  That makes it harder to read.  Follow the documentation, and just do "radiusd -X".

  The previous debug output you posted also showed an error which was *not* User-Name or UID based.  Instead, it

Thu Apr  3 08:21:22 2025 : WARNING: (8) ldap: No "known good" password
added. Ensure the admin user has permission to read the password
attribute

  That is pretty definitive.

  Alan DeKok.
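As an added example (not part of the thread and not FreeRADIUS's shipped configuration), this is how the two modes Alan lists map onto a FreeRADIUS 3.x configuration that looks users up by mail address; the hostname, DNs, credential and certificate paths are placeholders.

```conf
# mods-available/ldap (FreeRADIUS 3.x). Placeholder hostname, DNs,
# credential and certificate paths; substitute your own.
ldap {
	server = 'ldap.example.com'                          # placeholder
	port = 636
	identity = 'cn=svc-radius,dc=madeupdomain,dc=com'   # identity used only for the search
	password = 'REPLACE_ME'                              # placeholder
	base_dn = 'dc=madeupdomain,dc=com'

	user {
		base_dn = "${..base_dn}"          # search the whole tree so sub-OUs are found
		filter = "(mail=%{User-Name})"    # find the user by mail address, not uid
		scope = 'sub'
	}

	tls {
		certificate_file = /etc/freeradius/certs/ldap-client.crt  # placeholder
		private_key_file = /etc/freeradius/certs/ldap-client.key  # placeholder
		require_cert = 'demand'
	}
}

# sites-available/default: the two modes from the reply above.
authorize {
	ldap
	# Mode 2 (bind as user): the search found a DN and the request carries a
	# cleartext password, so hand authentication to the ldap module.
	# Delete this block to use mode 1 instead.
	if ((ok || updated) && User-Password) {
		update {
			control:Auth-Type := ldap
		}
	}
	# Mode 1 (password lookup): only works when the search identity can read
	# the password attribute; then ldap adds a "known good" password and pap
	# sets Auth-Type := PAP.  The WARNING quoted above means that never happens.
	pap
}

authenticate {
	Auth-Type PAP {
		pap     # mode 1: compare User-Password with the password read from LDAP
	}
	Auth-Type LDAP {
		ldap    # mode 2: bind to LDAP as the DN the search returned
	}
}
```

The quoted warning belongs to mode 1, where the search identity must be allowed to read the password attribute; mode 2 never reads it, because the bind itself proves the password.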
