Hi list,

I was trying to deploy FreeRADIUS + OpenLDAP, and got warnings like this:

(0)  ldap : Processing user attributes
(0)  WARNING: ldap : No "known good" password added. Ensure the admin user has permission to read the password attribute
(0)  WARNING: ldap : PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)

rlm_ldap (ldap): Released connection (4)
(0)   [ldap] = ok
(0)   [expiration] = noop
(0)   [logintime] = noop
(0)  WARNING: pap : No "known good" password found for the user.  Not setting Auth-Type
(0)  WARNING: pap : Authentication will fail unless a "known good" password is available

(0)   [pap] = noop
(0)  } #  authorize = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject

The LDAP account I added to the RADIUS configuration file was not the LDAP Manager account, but when I change the account to the LDAP Manager user, the warning is no longer shown, and the authentication challenge passes.

How can I authorize a normal LDAP account to read the userPassword attribute, so that I can add the account to those systems which need LDAP?
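
An added example, not part of the original post: an OpenLDAP access rule that lets a dedicated non-Manager bind account read userPassword, which is the permission the warnings above say the bind user lacks. The database entry (olcDatabase={1}mdb), the suffix dc=example,dc=com and the account cn=radius,ou=services are assumptions; substitute the values from your own directory.

```ldif
# Added example; every DN below is a placeholder (assumption), not taken from the post.
# The dn line must name the cn=config entry of the database holding the user entries.
# To find it: ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config '(olcSuffix=*)' dn olcSuffix
#
# {0} places this rule ahead of the existing olcAccess rules. slapd applies the
# first rule whose "to" clause matches, so this must come before any broader
# "to *" rule or it will never be evaluated for userPassword.
#
#   self       may change their own password
#   cn=radius  may read the stored hash (needed for PAP "known good" password)
#   anonymous  may use the attribute only to authenticate a bind
#   everyone else gets nothing
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by dn.exact="cn=radius,ou=services,dc=example,dc=com" read
  by anonymous auth
  by * none
```

On installs where the local root user manages cn=config, this can be loaded with `ldapmodify -Y EXTERNAL -H ldapi:/// -f radius-acl.ldif` (file name hypothetical). The service account then replaces the Manager DN as the bind identity in the FreeRADIUS ldap module, so the Manager credentials do not have to be distributed to every system that needs LDAP.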