MS LDAP connect OK users not found

Dennis Skinner dskinner at bluefrog.com
Fri Jan 6 20:44:38 CET 2006


Dickson, John wrote:
> I have made great progress but still need assistance with the individual
> authentication being passed to the MS ldap. Using ldapsearch I have
> access to all the records. Using "ntlm_auth --request-nt-key
> --domain=xxxx1 --username=radtest" works as well. What I see is that
> "rlm_realm" finds no realm and is not able to pass authentication.
> 
> Why is the "NAS-IP-Address = 255.255.255.255"?
> Is it that my request from the localhost " radtest radtest userpass
> xxxx1.xxxx2.edu 0  testing123" has syntax errors?
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for radtest@xxxx1.xxxx2.edu
> radius_xlat:  '(uid=radtest@xxxx1.xxxx2.edu)'
> radius_xlat:  'ou=Users,dc=xxxx1,dc=xxxx2,dc=edu'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=Metro Users,dc=xxxx1,dc=xxxx2,dc=edu,
> with filter (uid=radtest@xxxx1.xxxx2.edu)
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns notfound for request 7

You probably want to read the proxy.conf file and add your realm if you
haven't already.  Actually, you should read and understand what *all* of
the files in the raddb dir are for.

We use mysql, not ldap, but I'm guessing the uid in ldap is listed as
"radtest", not "radtest@xxx1.xxx2.edu".  So the ldap lookup is failing.

In my sql.conf there is an option to use stripped UserName attributes.
See if you have something like that in your ldap.conf file in raddb.
You may need to adjust it.

Alternately, make all your uids in ldap user@domain instead of just user.

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
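As an added illustration of the realm-stripping setup described in the reply above (this is not configuration from the original thread or from the FreeRADIUS project; the server name, the basedn from the debug output, and the bind identity are assumed), the relevant fragments of a FreeRADIUS 1.x raddb look like this. The "suffix" realm module splits User-Name on "@", sets Stripped-User-Name when the realm is listed in proxy.conf, and the ldap filter falls back to the full User-Name only when no realm was stripped:

```conf
# proxy.conf: declare the realm so rlm_realm recognises it and handles it
# locally instead of proxying. Without this entry the module logs
# "no realm found" and leaves User-Name untouched.
realm xxxx1.xxxx2.edu {
	type      = radius
	authhost  = LOCAL
	accthost  = LOCAL
	# strip is the default: Stripped-User-Name = "radtest"
}

# radiusd.conf, modules section
modules {
	# Realm module instance that strips "user@realm" on the "@" delimiter.
	realm suffix {
		format        = suffix
		delimiter     = "@"
		ignore_default = no
		ignore_null    = no
	}

	ldap {
		# Assumed LDAP server name; replace with the real domain controller.
		server   = "ldap.xxxx1.xxxx2.edu"
		# Assumed bind account with read access to the users OU. Use a
		# dedicated least-privilege account, not a domain admin.
		identity = "cn=radius,ou=Users,dc=xxxx1,dc=xxxx2,dc=edu"
		password = "change-me"
		basedn   = "ou=Users,dc=xxxx1,dc=xxxx2,dc=edu"
		# Search on the stripped name; fall back to User-Name only when
		# rlm_realm did not strip anything (no matching realm).
		filter   = "(uid=%{Stripped-User-Name:-%{User-Name}})"
		# Active Directory usually keys on sAMAccountName, not uid:
		# filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
		ldap_connections_number = 5
		timeout    = 4
		timelimit  = 3
		net_timeout = 1
	}
}

# radiusd.conf, authorize section: "suffix" must run before "ldap" so that
# Stripped-User-Name already exists when the filter is expanded.
authorize {
	preprocess
	suffix
	ldap
	mschap
}
```

With this in place the debug output should show rlm_realm stripping the realm and rlm_ldap searching for (uid=radtest) rather than (uid=radtest@xxxx1.xxxx2.edu). Keep the realm list explicit: a DEFAULT realm with strip enabled would silently drop any realm a client sends, so an unknown realm would be looked up as a bare local user.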


