rlm_ldap: ldap_search() failed: Bad search filter:

Norbert Wegener nw at sbs.de
Wed Dec 7 22:16:43 CET 2005


Alhagie Puye wrote:

>Looks like your syntax is wrong
>  
>
The error message lets me assume it is so, yes.
The parentheses did not change anything.
I want to extract sAMAccountName userAccountControl from the AD and do 
not want to compare them.
As mentioned, it works with ldapsearch and I wonder where the 
differences to rlm_ldap are.
Norbert

>Why don't you have parentheses around "sAMAccountName
>userAccountControl"? You are also missing an "=" between the two words.
>
>
>Alhagie Puye - Network Engineer
>Datawave Group of Companies
>(604)295-1817  
>
>  
>
>>>-----Original Message-----
>>>From: freeradius-users-bounces at lists.freeradius.org 
>>>[mailto:freeradius-users-bounces at lists.freeradius.org] On 
>>>Behalf Of Norbert Wegener
>>>Sent: December 7, 2005 12:30 PM
>>>To: FreeRadius users mailing list
>>>Subject: rlm_ldap: ldap_search() failed: Bad search filter: 
>>>
>>>I am still trying to let freeradius query AD, but not yet 
>>>too successful.
>>>
>>>Using the following vars with ldapsearch, gives me the 
>>>desired result, as shown below, but fails with rlm_ldap.
>>>##########################################
>>>server="mchm967a.tww006.sitest.net "
>>>port=3268
>>>identity="testrad at TDE002.SITEST.NET "
>>>mypass="mypass"
>>>basedn="dc=TDE002,dc=SITEST,dc=NET"
>>>filter="(&(sAMAccountName=28TEF003$)(objectclass=computer))
>>>sAMAccountName userAccountControl"
>>>#########################################
>>>ldapsearch -x  -h $server -p $port -b $basedn $filter -D 
>>>$identity -w $mypass -x
>>>
>>># extended LDIF
>>>#
>>># LDAPv3
>>># base <dc=TDE002,dc=SITEST,dc=NET> with scope sub # filter: 
>>>(&(sAMAccountName=28TEF003$)(objectclass=computer))
>>># requesting: sAMAccountName userAccountControl #
>>>
>>># 28TEF003, CAT-Computers, OU16, MchP, tde002.sitest.net
>>>dn: 
>>>CN=28TEF003,OU=CAT-Computers,OU=OU16,OU=MchP,DC=tde002,DC=sit
>>>est,DC=net
>>>userAccountControl: 4096
>>>sAMAccountName: 28TEF003$
>>>
>>># search result
>>>search: 2
>>>result: 0 Success
>>>
>>># numResponses: 2
>>># numEntries: 1
>>>##################################################
>>>So far, so good.
>>>When I take the same vars in  radiusd.conf, I get:
>>>rlm_ldap: ldap_search() failed: Bad search filter
>>>radiusd.conf:
>>>
>>>
>>>ldap ldap1 {
>>>server="mchm967a.tww006.sitest.net "
>>>port=3268
>>>identity="testrad at TDE002.SITEST.NET "
>>>mypass="mypass"
>>>basedn="dc=TDE002,dc=SITEST,dc=NET"
>>>filter="(&(sAMAccountName=28TEF003$)(objectclass=computer))
>>>sAMAccountName userAccountControl"
>>>               ldap_debug= 0xFFFF
>>>               ldap_connections_number = 5
>>>               timeout = 40
>>>               timelimit = 30
>>>               net_timeout = 10
>>>               tls {
>>>               }
>>>               dictionary_mapping = ${raddbdir}/ldap.attrmap
>>>       }
>>>
>>>rlm_ldap: Bind was successful
>>>rlm_ldap: performing search in dc=TDE002,dc=SITEST,dc=NET, 
>>>with filter
>>>(&(sAMAccountName=28TEF003$)(objectclass=computer)) 
>>>sAMAccountName userAccountControl
>>>ldap_search
>>>put_filter: "(&(sAMAccountName=28TEF003$)(objectclass=computer))
>>>sAMAccountName userAccountControl"
>>>put_filter: AND
>>>put_filter_list "(sAMAccountName=28TEF003$)(objectclass=computer)"
>>>put_filter: "(sAMAccountName=28TEF003$)"
>>>put_filter: simple
>>>put_simple_filter: "sAMAccountName=28TEF003$"
>>>put_filter: "(objectclass=computer)"
>>>put_filter: simple
>>>put_simple_filter: "objectclass=computer"
>>>put_filter: default
>>>put_simple_filter: "sAMAccountName userAccountControl"
>>>rlm_ldap: ldap_search() failed: Bad search filter: 
>>>(&(sAMAccountName=28TEF003$)(objectclass=computer)) 
>>>sAMAccountName userAccountControl
>>>ldap_msgfree
>>>rlm_ldap: search failed
>>>
>>>What am I doing wrong?
>>>Thanks
>>>Norbert Wegener
>>>
>>>




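Added example, not part of the original thread: the ldapsearch output quoted above reports the filter and the requested attributes separately, while the rlm_ldap debug trace shows the whole string handed to the filter parser. This sketch reproduces both views for the posted value; the function names `ldapsearch_view` and `filter_trailing` are hypothetical, and the two lines of the posted `filter=` value are joined with a single space.

```shell
#!/bin/sh
# Added example, not from the thread; the string is the value quoted in the post.
combined='(&(sAMAccountName=28TEF003$)(objectclass=computer)) sAMAccountName userAccountControl'

# What ldapsearch received: the shell word-splits the unquoted $filter, so the
# first word is the filter and the remaining words are attribute names.
ldapsearch_view() {
    set -f                    # no glob expansion while splitting
    set -- $1                 # deliberate unquoted expansion, as in the posted command
    set +f
    lv_filter=$1
    [ "$#" -gt 0 ] && shift
    printf 'filter=%s attrs=%s\n' "$lv_filter" "$*"
}

# What a filter parser receives when the whole string is a single value:
# print whatever follows the first balanced (...) group.
# Empty output means the string is a filter and nothing else.
filter_trailing() {
    ft_rest=$1
    ft_depth=0
    while [ -n "$ft_rest" ]; do
        ft_c=${ft_rest%"${ft_rest#?}"}        # first character
        ft_rest=${ft_rest#?}                  # remainder
        case $ft_c in
            '(') ft_depth=$((ft_depth + 1)) ;;
            ')') ft_depth=$((ft_depth - 1))
                 [ "$ft_depth" -lt 0 ] && return 1
                 if [ "$ft_depth" -eq 0 ]; then
                     # strip leading whitespace from what is left
                     printf '%s\n' "${ft_rest#"${ft_rest%%[![:space:]]*}"}"
                     return 0
                 fi ;;
        esac
    done
    return 1                  # parentheses never balanced
}

ldapsearch_view "$combined"
echo "text after the filter when passed as one string: '$(filter_trailing "$combined")'"
```

The second line of output is the same text the debug trace shows reaching `put_simple_filter` just before the "Bad search filter" error.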