FR + LDAP + ADS - rlm_ldap: ldap_search() failed: Operations error [unclas]

Ranner, Frank MR Frank.Ranner at defence.gov.au
Thu Apr 26 06:22:58 CEST 2007


Are you sure that the uid attribute is even in Active Directory? Chances
are the usernames are in the sAMAccountName attribute. Since you now seem
to be able to bind, why not use the ldapsearch utility to show entries in
the o=tfxschool,c=AU subtree.

  ldapsearch -x -h <hostname> -D "cn=admin,o=tfxschool,c=AU" -w pass -b "o=tfxschool,c=AU" 'objectclass=*'

This will show you what attributes there are, and whether the password
is readable. 

Regards,
Frank Ranner

> -----Original Message-----
> From: freeradius-users-bounces+frank.ranner=defence.gov.au at lists.freeradius.org
> [mailto:freeradius-users-bounces+frank.ranner=defence.gov.au at lists.freeradius.org]
> On Behalf Of Jacob Jarick
> Sent: Thursday, 26 April 2007 12:38
> To: FreeRadius users mailing list
> Subject: FR + LDAP + ADS - rlm_ldap: ldap_search() failed: Operations error
> 
> radiusd.conf:
> radiusd -X -f: http://pastebin.ca/458790
> 
> Hello again,
> I have configured the ldap module according to the rlm_ldap wiki
> (minus TLS, just trying one thing at a time). I have supplied:
> identity = "cn=admin,o=tfxschool,c=AU"
> password = pass
> 
> As I have been told, anonymous binding is not the way to go for
> confirming username/password.
> 
> From reading the error log it seems to me that freeradius does
> successfully connect to the ADS server via ldap but fails to find
> the user.
> 
> output in question:
> 
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for jacob
> radius_xlat:  '(uid=jacob)'
> radius_xlat:  'o=tfxschool,c=AU'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to 
> tfxschoolfs01.tfxschool.internal:389, authentication 0
> rlm_ldap: bind as /pass to tfxschoolfs01.tfxschool.internal:389
> rlm_ldap: waiting for bind result ...
> request done: ld 0x8697ed0 msgid 1
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in o=tfxschool,c=AU, with filter (uid=jacob)
> request done: ld 0x8697ed0 msgid 2
> rlm_ldap: ldap_search() failed: Operations error
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns fail for request 0
> modcall: leaving group authorize (returns fail) for request 0 
> Finished request 0 .
> The user Jacob authenticates fine via the ntlm_auth module but fails
> with my current ldap setup.
> Does the user admin need special privileges on the Windows 2003 ADS
> to search / retrieve user information (e.g. password, group etc.)?
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 
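The ldapsearch check Frank suggests, as an added example that is not part of either message in the thread. It switches the filter from uid to sAMAccountName and escapes the user name per RFC 4515 before putting it into the filter, since the name comes from the RADIUS request. The host, bind DN and base DN are the ones visible in the thread; BINDPW_FILE is an assumed path. Two things worth checking first: the debug line "bind as /pass" prints identity and password separated by a slash, so the identity radiusd actually used is empty (make sure the identity line sits inside the ldap block), and Active Directory accepts an anonymous bind but answers searches on such a connection with "Operations error", which is what the log shows.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds an RFC 4515-safe filter on
# sAMAccountName and prints the ldapsearch command so the search can be tried
# outside radiusd. Host, bind DN and base DN come from the thread;
# BINDPW_FILE is an assumed path.

ad_filter() {
    # RFC 4515 requires backslash, '*', '(' and ')' inside a filter value to be
    # hex-escaped. The user name comes from the RADIUS request, so treat it as
    # untrusted; escape the backslash first so later escapes are not doubled.
    # (A NUL byte cannot travel through a shell string, so it is not handled.)
    esc=$(printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g')
    printf '(sAMAccountName=%s)\n' "$esc"
}

ldapsearch_cmd() {
    # $1 = user name, $2 = LDAP host (defaults to the one in the debug output).
    # -y reads the bind password from a file so it does not show up in `ps`
    # the way `-w pass` does; create it with: printf '%s' pass > FILE
    # (ldapsearch uses the file contents verbatim, trailing newline included).
    # -LLL keeps the LDIF output short. The trailing attribute list is optional.
    host=${2:-tfxschoolfs01.tfxschool.internal}
    pwfile=${BINDPW_FILE:-/etc/raddb/ldap-bind.pw}   # assumed path
    printf 'ldapsearch -x -LLL -h %s -D "cn=admin,o=tfxschool,c=AU" -y %s -b "o=tfxschool,c=AU" "%s" sAMAccountName memberOf userAccountControl\n' \
        "$host" "$pwfile" "$(ad_filter "$1")"
}

# Usage: sh this.sh jacob   -> prints the command to run against the DC
#        sh this.sh 'a*b'   -> shows the filter escaping at work
if [ -n "$1" ]; then
    ldapsearch_cmd "$1"
fi
```

If the entry comes back, the same attribute change goes into the module's own setting, i.e. filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})" in place of the uid filter seen in the debug output. Note that no bind privilege makes AD return the password over LDAP: unicodePwd is write-only, so rlm_ldap cannot compare a password it has read; authentication against AD has to be a bind as the user (Auth-Type LDAP) or ntlm_auth, which already works here.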




More information about the Freeradius-Users mailing list