AD ldap bind works with 1.01, fails with 1.04

Stephen Walsh S.Walsh at signadou.acu.edu.au
Fri Jan 27 12:36:52 CET 2006
>  I have no idea.  I've looked, and can't see anything that would
>affect that.
>
>  Alan DeKok.

Hi Alan

Thanks for the reply. We ended up reverting the production box to FC3 and
1.01, only to have it fail with the same error!

I've since written an ldap module for each student campus/ou, specifying it
down to the ou to search in.

    ldap Canberra {
        <snip>
        basedn = "ou=students,ou=users,ou=signadou,dc=student(etc)"
        <snip>
    }

and then added an entry for each in Authorize and Authenticate.

Why my test box with FC3/1.01 works and nothing else does is beyond me, but
this clunky option seems to work. It may be of interest to note that our
Student tree is native w2k3, while our staff tree is w2k.

I also found an entry on a forum that referred to having to change the
heuristic search value on the AD DC; I've pasted it below in the hope it
may help someone in the future with the same problem.

dmeehan at flcancer dot com
12-Aug-2004 04:26

If you're having problems running LDAP searches on the base DC against Active
Directory 2k3, you need to set dsHeuristics to 0000002 in Active Directory.
This allows searches to function similar to how they did in Active
Directory 2k2. You can update dsHeuristics by launching ldp.exe, go to
'connection' and create a new connection. Then go to bind and bind to your
ldap server. Next select the 'Browse' menu and choose 'modify'. The DN
*might* look like this:

CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=mycompany,DC=com

Attribute is: dsHeuristics
Value is: 0000002

Set the operation to replace and you should be set.
This solves the 'Operations error' error that happens when attempting to
search without specifying an OU.

-d
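An added example, not code from the post above or from FreeRADIUS: a small Python helper that reads and updates the dsHeuristics flag string the quoted advice tells you to set, so an admin can check whether anonymous LDAP operations are already enabled and change only that one position instead of replacing the whole attribute. The meaning of position 7 (fLDAPBlockAnonOps) comes from Microsoft's AD technical specification, not from the post, and the sample values are constructed.

```python
# Added example (not from the mailing-list post): audit and update the AD
# dsHeuristics string that the quoted forum advice replaces wholesale.
# dsHeuristics is a string of single-character flags indexed from 1; the
# 7th character is fLDAPBlockAnonOps, and '2' there re-enables anonymous
# LDAP operations (the Windows 2000 behaviour the quoted post is after).
# Positions beyond 9 carry extra format rules that this helper does not model.

ANON_OPS_POS = 7  # 1-based index of fLDAPBlockAnonOps in dsHeuristics


def get_flag(ds_heuristics: str, pos: int) -> str:
    """Character at 1-based position `pos`, or '0' when the string is
    shorter than that (an absent position means 'default')."""
    if pos < 1:
        raise ValueError("dsHeuristics positions are 1-based")
    value = ds_heuristics or ""
    return value[pos - 1] if len(value) >= pos else "0"


def anonymous_ops_allowed(ds_heuristics: str) -> bool:
    """True when anonymous LDAP searches beyond rootDSE are permitted,
    i.e. when the value carries the '2' the forum post tells you to set."""
    return get_flag(ds_heuristics, ANON_OPS_POS) == "2"


def set_flag(ds_heuristics: str, pos: int, char: str) -> str:
    """New dsHeuristics value with position `pos` set to `char`, padding
    with '0' and keeping every other flag already present. Replacing the
    whole attribute with '0000002', as the quoted post suggests, would
    instead discard any flag an admin had set in another position."""
    if pos < 1 or len(char) != 1:
        raise ValueError("pos is 1-based and a flag is exactly one character")
    chars = list(ds_heuristics or "")
    while len(chars) < pos:
        chars.append("0")
    chars[pos - 1] = char
    return "".join(chars)


def allow_anonymous_ops(ds_heuristics: str) -> str:
    """Value to write when you deliberately want the 2003 block lifted."""
    return set_flag(ds_heuristics, ANON_OPS_POS, "2")


def block_anonymous_ops(ds_heuristics: str) -> str:
    """Value that restores the default of blocking anonymous operations."""
    return set_flag(ds_heuristics, ANON_OPS_POS, "0")


if __name__ == "__main__":
    # Constructed sample values: an empty attribute, the forum post's value,
    # and one with an unrelated flag (position 3) already set.
    for current in ["", "0000002", "0010000"]:
        print(repr(current), "anon ops allowed:", anonymous_ops_allowed(current),
              "-> to allow:", allow_anonymous_ops(current))
```

Reading the attribute back with anonymous_ops_allowed() is also a cheap audit check for whether a domain still carries this relaxation after the RADIUS problem that motivated it has been solved another way.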
More information about the Freeradius-Users mailing list