Active Directory anonymous rebinding when following references

Hughes, Scott GRE/MG SHughes at GREnergy.com
Wed Apr 23 17:05:36 CEST 2008


Numerous posts about Active Directory OU searching and FreeRADIUS can be found easily via Google, but none seem to have the definitive answer/workaround for the "Windows 2003 rebind failure when searching the root of the Active Directory".
 
On the latest freeradius-2.0.3 compiled from source, I get the rlm_ldap errors below whenever I use the
basedn = "dc=my,dc=domainname,dc=com"
rlm_ldap: ldap_search() failed: Operations error
rlm_ldap: search failed
 
I am binding to LDAP with a username/password (not anonymous)
 
All seem to point back to bug 183, which has been open for a long time:
http://bugs.freeradius.org/show_bug.cgi?id=183
 
Is this bug still considered valid? What further needs to be done to get the patch or a similar fix integrated into the main code tree, especially the 2.0 release? I see the patch there, and have applied it to my old freeradius-1.0.1 installation, but stability issues prompted me to investigate an upgrade, and I am not entirely sure that the patch didn't *cause* my stability problems to begin with (the comment by Alan DeKok in the bugzilla entry sounds a little ominous).
 
FWIW, my specific stability problem is the following:
 
Wed Apr  2 17:40:31 2008 : Error: rlm_ldap: All ldap connections are in use
Wed Apr  2 17:40:31 2008 : Error: rlm_ldap: All ldap connections are in use
Wed Apr  2 17:40:31 2008 : Error: rlm_ldap: All ldap connections are in use
Wed Apr  2 17:40:31 2008 : Error: rlm_ldap: All ldap connections are in use
Wed Apr  2 17:40:31 2008 : Error: rlm_ldap: All ldap connections are in use
And the server rejects all requests until it is restarted. The server is not under a high load. The errors only occur after the server has been running for a few weeks. I could increase ldap_connections_number, but I suspect that will only band-aid the problem so it runs for a few more weeks before failing.
 
My LDAP configuration block is below:
 
        ldap {
                server = "xxx"
                identity = "yyy at my.domain.com"
                password = zzz
                basedn = "dc=my,dc=domain,dc=com"
                filter = "(SamAccountName=%U)"
                ldap_connections_number = 5
                timeout = 4
                timelimit = 3
                net_timeout = 1
                #
                tls {
                        start_tls = no
                }
                dictionary_mapping = ${confdir}/ldap.attrmap
                edir_account_policy_check = no
                groupmembership_filter = "(&(objectClass=Group)(member=%{Ldap-UserDn}))"
        }
 
I would be happy to produce more configuration files upon request, if it would help.
 
Thoughts are appreciated.

Scott
Sr. Network Engineer
Great River Energy
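As an added example that is not part of the original post: a small Python monitor that reads radiusd log lines in the format quoted above and separates the two symptoms the post describes, the connection-pool exhaustion ("All ldap connections are in use") and the root-search failure ("Operations error" / "search failed"), so the slow pool leak can be alerted on before the server stops answering. The log lines are constructed to match the post's format, and the per-minute alert threshold is an assumed value.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in the "Day Mon DD HH:MM:SS YYYY : Level: msg" format from the post.
SAMPLE_LOG = """\
Wed Apr  2 17:40:29 2008 : Info: rlm_ldap: (constructed non-error line)
Wed Apr  2 17:40:31 2008 : Error: rlm_ldap: All ldap connections are in use
Wed Apr  2 17:40:31 2008 : Error: rlm_ldap: All ldap connections are in use
Wed Apr  2 17:40:31 2008 : Error: rlm_ldap: All ldap connections are in use
Wed Apr  2 17:41:02 2008 : Error: rlm_ldap: All ldap connections are in use
Wed Apr  2 17:41:02 2008 : Error: rlm_ldap: ldap_search() failed: Operations error
Wed Apr  2 17:41:02 2008 : Error: rlm_ldap: search failed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) : (?P<level>\w+): (?P<msg>.*)$"
)
POOL_EXHAUSTED = "rlm_ldap: All ldap connections are in use"
ROOT_SEARCH_SYMPTOMS = (
    "rlm_ldap: ldap_search() failed: Operations error",
    "rlm_ldap: search failed",
)


def parse_line(line):
    """Return (timestamp, level, message) for a radiusd log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    # radiusd pads single-digit days with a space ("Apr  2"); collapse runs of spaces for strptime.
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("level"), m.group("msg")


def analyze(log_text, threshold=3):
    """Count pool-exhaustion errors per minute and root-search failures; flag minutes at/over threshold."""
    per_minute = Counter()
    root_search_errors = 0
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, level, msg = parsed
        if level != "Error":
            continue
        if msg == POOL_EXHAUSTED:
            per_minute[ts.replace(second=0)] += 1
        elif msg in ROOT_SEARCH_SYMPTOMS:
            root_search_errors += 1
    alerts = sorted(minute for minute, n in per_minute.items() if n >= threshold)  # assumed threshold
    return {"per_minute": dict(per_minute), "root_search_errors": root_search_errors, "alerts": alerts}
```

Run it against the live radiusd log on a schedule; a rising per-minute count long before clients are rejected points at the pool leak rather than at genuine load.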
