Yet Another AD Question

Josh josh2780 at yahoo.com
Wed May 24 18:36:11 CEST 2006


I've crawled the web for info and tried numerous
things to get FreeRadius authenticating users with a
2003 Active Directory.

I'm currently running FreeRadius (with MySQL) on RHEL4
using the RPMs included with RHEL4:

  freeradius-1.0.1-3.RHEL4
  freeradius-mysql-1.0.1-3.RHEL4

Running radiusd in debug mode (-X) shows a successful
bind to the AD server. I then can see rlm_ldap
performing a search and then eventually fails:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

<snip>
rlm_ldap: Bind was successful
rlm_ldap: performing search in
cn=Users,dc=org,dc=my,dc=domain,dc=com, with filter
cn=administrator
ldap_search
put_filter: "cn=administrator"
put_filter: default
put_simple_filter: "cn=administrator"
ldap_send_initial_request
ldap_send_server_request
ldap_result msgid 2
ldap_chkResponseList for msgid=2, all=1
ldap_chkResponseList returns NULL
wait4msg (timeout 4 sec, 0 usec), msgid 2
wait4msg continue, msgid 2, all 1
** Connections:
* host: org.my.domain.com  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed May 24 12:14:51 2006

** Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=2, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 2, all 1
ldap_read: message type search-result msgid 2,
original id 2
ldap_chase_referrals
read1msg:  V2 referral chased, mark request completed,
id = 2
new result:  res_errno: 1, res_error: <00000000:
LdapErr: DSID-0C090627, comment: In order to perform
this operation a successful bind must be completed on
the connection., data 0, vece>, res_matched: <>
read1msg:  0 new referrals
read1msg:  mark request completed, id = 2
request 2 done
res_errno: 1, res_error: <00000000: LdapErr:
DSID-0C090627, comment: In order to perform this
operation a successful bind must be completed on the
connection., data 0, vece>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_result
ldap_err2string
rlm_ldap: ldap_search() failed: Operations error
ldap_msgfree
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authenticate]: module "ldap" returns fail
for request 0
modcall: group authenticate returns fail for request 0
auth: Failed to validate the user.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

I'm not sure if I'm using the wrong ldap search or
what.  Here's my ldap section of radiusd.conf:

   server = "org.my.domain.com"
   ldap_debug = 0xFFFF
   basedn = "cn=Users,dc=org,dc=my,dc=domain,dc=com"
   filter = "cn=%u"
   start_tls = no
   access_attr = "dialupAccess"
   dictionary_mapping = ${raddbdir}/ldap.attrmap
   ldap_connections_number = 5
   timeout = 4
   timelimit = 3
   net_timeout = 1


Although I'd like to avoid it, would it be easier
to install SAMBA on the RHES4 box, connect SAMBA to
AD, and then connect FreeRadius to SAMBA?  I've also
come across possible issues with certain versions of
openldap and 2003 AD.

As soon as this part is working I'll be authenticating
wireless users (using Cisco APs) as well.  But I think
that should run fairly smoothly as soon as FreeRadius
and AD are talking the same language.

I hope there are some Radius/AD gurus out there?

Many thanks in advance...
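An ldap section for FreeRADIUS 1.x rlm_ldap with an authenticated bind, added here as an example and not part of the original post. The AD error in the debug output ("a successful bind must be completed on the connection") is what AD returns when a search is attempted on an anonymous connection; the service-account DN and password below are placeholders, and the other values are the ones from the post.

```conf
ldap {
    server = "org.my.domain.com"
    ldap_debug = 0xFFFF

    # AD refuses directory searches on an unauthenticated
    # connection, so rlm_ldap needs a service account to
    # bind with before it runs the user search.
    # Placeholder DN and password: use a dedicated,
    # read-only, non-privileged account, and keep
    # radiusd.conf readable only by the radiusd user.
    identity = "cn=radius-svc,cn=Users,dc=org,dc=my,dc=domain,dc=com"
    password = "REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD"

    basedn = "cn=Users,dc=org,dc=my,dc=domain,dc=com"
    # Parenthesised form of the original filter. AD users
    # normally log on with sAMAccountName rather than cn,
    # so "(sAMAccountName=%u)" is the usual choice there.
    filter = "(cn=%u)"

    # A simple bind on port 389 without TLS sends the
    # service-account password in clear text; enable
    # start_tls (or ldaps) once the bind itself works.
    start_tls = no
    access_attr = "dialupAccess"
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
}
```

With this in place, Auth-Type LDAP verifies the user's password by binding to AD as that user, which only works for PAP (clear-text password) requests. Wireless clients doing EAP with MS-CHAPv2 cannot be checked by an LDAP bind; that is the case where Samba winbind and ntlm_auth are normally used.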
