rlm_ldap filter problem
Brian A. Seklecki
lavalamp at spiritual-machines.org
Wed Dec 21 21:27:46 CET 2005
See the message thread "question on ldap_escape_func in rlm_ldap.c
(author: Kostas Kalevras)" on Dec 7 for more discussion.
On Wed, 21 Dec 2005, Brian A. Seklecki wrote:
>
> Try to escape the "/" with "\". I doubt it...but...you've got some
> non-standard characters in there.
>
> ~BAS
>
> On Mon, 5 Dec 2005, Norbert Wegener wrote:
>
>> When I set my vars to the values below, ldapsearch succeeds:
>> server="TDE002.mydomain.NET"
>> identity="testrad at TDE002.mydomain.NET"
>> password="!QAY2wsx3edc4"
>> basedn="dc=TDE002,dc=mydomain,dc=NET"
>> filter="(&(servicePrincipalName=host/26tef001.tde002.mydomain.net)(objectclass=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) servicePrincipalName primaryGroupID "
>>
>> #ldapsearch -LLL -b "DC=TDE002,dc=mydomain,dc=NET" -s sub $FILTER -x $LOGON
>> ldapsearch -LLL -h $server -b "$basedn" -s sub $filter -x -D $identity -w $password
>> lnxad:/usr/local/etc/raddb # sh x
>> dn: CN=26TEF001,OU=CAT-Computers,OU=OU16,OU=MchP,DC=tde002,DC=mydomain,DC=net
>> primaryGroupID: 515
>> servicePrincipalName: HOST/26TEF001
>> servicePrincipalName: HOST/26tef001.tde002.mydomain.net
>>
>> # refldap://DomainDnsZones.tde002.mydomain.net/DC=DomainDnsZones,DC=tde002,DC=sitest,DC=net
>>
>> Having the same variables with the same values set on the same machine in
>> radiusd.conf:
>>
>> ldap ldap1 {
>> server = "tde002.mydomain.net"
>> identity = "testrad at TDE002.SITEST.NET"
>> password = "!QAY2wsx3edc4"
>> basedn = "dc=TDE002,dc=SITEST,dc=NET"
>>
>>
>> filter="(&(servicePrincipalName=host/26tef001.tde002.mydomain.net)(objectclass=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) servicePrincipalName primaryGroupID"
>> ldap_debug=0xFFFF
>>
>> base_filter = "(objectclass=computer)"
>> ldap_connections_number = 5
>> timeout = 40
>> timelimit = 30
>> net_timeout = 10
>> tls {
>> start_tls = no
>> }
>> dictionary_mapping = ${raddbdir}/ldap.attrmap
>> }
>> radiusd fails to get the values from the ldap server, claiming "Bad search
>> filter":
>> .....
>> rlm_ldap: performing user authorization for
>> host/26tef001.tde002.mydomain.net
>> radius_xlat:
>> '(&(servicePrincipalName=host/26tef001.tde002.mydomain.net)(objectclass=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
>> servicePrincipalName primaryGroupID'
>> radius_xlat: 'dc=TDE002,dc=MYDOMAIN,dc=NET'
>> rlm_ldap: ldap_get_conn: Checking Id: 0
>> rlm_ldap: ldap_get_conn: Got Id: 0
>> rlm_ldap: performing search in dc=TDE002,dc=MYDOMAIN,dc=NET, with filter
>> (&(servicePrincipalName=host/26tef001.tde002.mydomain.net)(objectclass=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
>> servicePrincipalName primaryGroupID
>> ldap_search
>> put_filter:
>> "(&(servicePrincipalName=host/26tef001.tde002.mydomain.net)(objectclass=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
>> servicePrincipalName primaryGroupID"
>> put_filter: AND
>> put_filter_list
>> "(servicePrincipalName=host/26tef001.tde002.mydomain.net)(objectclass=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
>> put_filter: "(servicePrincipalName=host/26tef001.tde002.mydomain.net)"
>> put_filter: simple
>> put_simple_filter: "servicePrincipalName=host/26tef001.tde002.mydomain.net"
>> put_filter: "(objectclass=computer)"
>> put_filter: simple
>> put_simple_filter: "objectclass=computer"
>> put_filter: "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
>> put_filter: NOT
>> put_filter_list "(userAccountControl:1.2.840.113556.1.4.803:=2)"
>> put_filter: "(userAccountControl:1.2.840.113556.1.4.803:=2)"
>> put_filter: simple
>> put_simple_filter: "userAccountControl:1.2.840.113556.1.4.803:=2"
>> put_filter: default
>> put_simple_filter: "servicePrincipalName primaryGroupID"
>> rlm_ldap: ldap_search() failed: Bad search filter:
>> (&(servicePrincipalName=host/26tef001.tde002.mydomain.net)(objectclass=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
>> servicePrincipalName primaryGroupID
>> ldap_msgfree
>> rlm_ldap: search failed
>> rlm_ldap: ldap_release_conn: Release Id: 0
>> modcall[authorize]: module "ldap1" returns fail for request 2
>> modcall: leaving group authorize (returns fail) for request 2
>> There was no response configured: rejecting request 2
>> Delaying request 2 for 1 seconds
>> Finished request 2
>> Going to the next request
>> Waking up in 1 seconds...
>> --- Walking the entire request list ---
>> Cleaning up request 1 ID 206 with timestamp 43942d52
>> Sending Access-Reject of id 207 to 222.25.36.124 port 1645
>>
>> What did I forget to obey?
>> Thanks
>> Norbert Wegener
>>
>>
>>
>>
>>
>>
>> - List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>
> l8*
> -lava
>
> x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
>
l8*
-lava
x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
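Added example, not code from this thread or from FreeRADIUS: a small RFC 4515 filter checker in Python that illustrates the two points the quoted debug output raises. First, the put_filter trace ends with a "default" item "servicePrincipalName primaryGroupID": the attribute list from the ldapsearch command line was pasted into the filter variable in radiusd.conf, so the string has text after the outermost closing parenthesis and is not a filter at all, and ldap_search() rejects it. ldapsearch tolerates the same value only because $filter is unquoted on its command line, so the shell splits it into a filter argument plus two attribute arguments. Second, under RFC 4515 the only characters that must be escaped inside an assertion value are `*`, `(`, `)`, `\` and NUL; "/" is an ordinary character. Those special characters are exactly what an attacker would put into User-Name to rewrite a filter built by radius_xlat, which is what an escape function for xlat'd values in rlm_ldap is there to prevent. The filter template is the poster's; the names check_filter, escape_filter_value, build_spn_filter and BadSearchFilter are ours, and the sample inputs are constructed.

```python
import re

# RFC 4515 section 3: the only characters that must be escaped inside an
# assertion value.  '/' is an ordinary character and needs no escaping, so
# "host/26tef001.tde002.mydomain.net" is passed through unchanged.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value before interpolating it into a search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


class BadSearchFilter(ValueError):
    """Raised where ldap_search() would report 'Bad search filter'."""


# One filter item: attr[:dn][:matchingRule]:=value (extensible match, as in
# userAccountControl:1.2.840.113556.1.4.803:=2) or attr=value, attr~=value,
# attr>=value, attr<=value.  A raw '(' or ')' inside the value is rejected;
# '*' is allowed because it marks presence and substring filters.
_ITEM = re.compile(
    r"^(?P<attr>[A-Za-z][A-Za-z0-9.;-]*)"
    r"(?P<ext>(:dn)?(:[A-Za-z0-9.]+)?:)?"
    r"(?P<op>=|~=|>=|<=)"
    r"(?P<value>[^()*]*(\*[^()*]*)*)$"
)


def _parse(s: str, i: int) -> int:
    """Parse one parenthesised filter starting at s[i]; return the index after ')'."""
    if i >= len(s) or s[i] != "(":
        raise BadSearchFilter(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, count = s[i], i + 1, 0
        while i < len(s) and s[i] == "(":
            i = _parse(s, i)
            count += 1
        # RFC 4526's empty (&)/(|) are rejected here to stay conservative.
        if count == 0 or (op == "!" and count != 1):
            raise BadSearchFilter(f"bad operand count for '{op}' at offset {i}")
    else:
        j = s.find(")", i)
        if j < 0:
            raise BadSearchFilter("unterminated filter item")
        if not _ITEM.match(s[i:j]):
            raise BadSearchFilter(f"bad filter item {s[i:j]!r}")
        i = j
    if i >= len(s) or s[i] != ")":
        raise BadSearchFilter(f"expected ')' at offset {i}")
    return i + 1


def check_filter(filt: str) -> bool:
    """Return True for a well-formed filter; raise BadSearchFilter otherwise.

    Anything left over after the outermost ')' (such as an attribute list
    copied from an ldapsearch command line) is reported as trailing text.
    """
    end = _parse(filt, 0)
    if end != len(filt):
        raise BadSearchFilter(f"trailing text after filter: {filt[end:]!r}")
    return True


def is_bad_filter(filt: str) -> bool:
    """Boolean form of check_filter() for quick checks."""
    try:
        return not check_filter(filt)
    except BadSearchFilter:
        return True


# The filter from the thread, with the xlat'd User-Name escaped before it
# is substituted.  The template is the poster's; the helper is ours.
SPN_TEMPLATE = ("(&(servicePrincipalName=%s)(objectclass=computer)"
                "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")


def build_spn_filter(user_name: str) -> str:
    """Build the host lookup filter for one User-Name value."""
    return SPN_TEMPLATE % escape_filter_value(user_name)


if __name__ == "__main__":
    host = "host/26tef001.tde002.mydomain.net"  # constructed sample input
    good = build_spn_filter(host)
    print("ok:", check_filter(good))
    # The radiusd.conf in the thread had the ldapsearch attribute list glued on.
    try:
        check_filter(good + " servicePrincipalName primaryGroupID")
    except BadSearchFilter as e:
        print("rejected:", e)
    # An unescaped value can rewrite the filter; escaping keeps it a value.
    print(SPN_TEMPLATE % "*)(objectclass=*")
    print(build_spn_filter("*)(objectclass=*"))
```

The unescaped injection string in the last two lines is the reason escaping matters more than the "/" question: `(&(servicePrincipalName=*)(objectclass=*)...)` is a perfectly well-formed filter, so the server would happily run it, whereas the escaped form keeps the whole User-Name as one assertion value.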