Returning attributes based on group membership using NTLM_AUTH

Moe, John jmoe at hatch.com.au
Tue Aug 9 01:44:51 CEST 2011


> -----Original Message-----

[ snip ]

> # search reference
> ref:
> ldap://DomainDnsZones.my.domain.name/DC=DomainDnsZones,DC=my,DC=domain,DC=name
>
> # search result
> search: 5
> result: 0 Success
>
> # numResponses: 3
> # numEntries: 1
> # numReferences: 1
>
> So something still isn't right.

Damn, just realized that I was listing my attributes wrong.  I was doing 
"cn,givenName,sn", and they should have read "cn givenName sn".  With that 
fixed, the ldapsearch worked.

# Name\2C User, Users, BRI, my.domain.name
dn: CN=Name\, User,OU=Users,OU=BRI,DC=my,DC=domain,DC=name
cn: Name, User
sn: Name
givenName: User

# search reference
ref: ldap://DomainDnsZones.my.domain.name/DC=DomainDnsZones,DC=my,DC=domain,DC=name

# search result
search: 5
result: 0 Success

# numResponses: 3
# numEntries: 1
# numReferences: 1

So I've gone back to FR's LDAP module and thought I'd give "ldap_debug" a try, 
despite the warning.  Surprisingly, it spit out one extra line in my debug:

rlm_ldap: performing search in dc=my,dc=domain,dc=name, with filter (sAMAccountName=username)
Unable to chase referral "ldap://my.domain.name/dc=my,dc=domain,dc=name" (-1: Can't contact LDAP server)
rlm_ldap: ldap_search() failed: Referral

If I copy and paste that url "ldap://my.domain.name/dc=my,dc=domain,dc=name" 
into my Windows box, it opens LDAP Browser and connects just fine to my 
domain, so I assume the syntax of that is right.  And if I use just 
"my.domain.name" in ldapsearch as the host, it works there as well.  Any idea 
why this wouldn't work?

Out of curiosity, do I need to configure OpenLDAP on the server at all?  Or 
does this module's conf take care of that for me, for this purpose?

John H. Moe
Network Support - Hatch IT
HATCH
Tel: +61 (7) 3166 7777
Direct: +61 (7) 3166 7684
Fax: +61 (7) 3368 3754
Mobile: +61 438 772 425
61 Petrie Terrace, Brisbane, Queensland Australia 4011
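Added example, not part of the post above and not code from FreeRADIUS or OpenLDAP: a small Python parser for the LDIF that ldapsearch prints. It separates real entries from the Active Directory search references (the "ref:" records) and the final "search:/result:" record, which is why numResponses is larger than numEntries in the output quoted in the thread; it decodes the RFC 4514 escaping in the returned DN ("CN=Name\, User", shown as "Name\2C User" in the comment line); and it reports requested attributes that no entry carried, so a comma-joined "cn,givenName,sn" shows up as one unknown attribute instead of silently returning nothing. The sample LDIF is constructed to match the post's output with standard LDIF line folding restored (a continuation line starts with one space); all function names are this example's own.

```python
"""Added example (not from the post, FreeRADIUS or OpenLDAP): parse ldapsearch
output into entries, search references and the result record, and decode the
escaped DN that Active Directory returns for a CN containing a comma."""
import base64
import re
from urllib.parse import urlparse

# Constructed sample modelled on the post's output, with LDIF line folding
# restored (a continuation line begins with one space).
SAMPLE_LDIF = """\
# Name\\2C User, Users, BRI, my.domain.name
dn: CN=Name\\, User,OU=Users,OU=BRI,DC=my,DC=domain,DC=name
cn: Name, User
sn: Name
givenName: User

# search reference
ref: ldap://DomainDnsZones.my.domain.name/DC=DomainDnsZones,DC=my,DC=domain,
 DC=name

search: 5
result: 0 Success
"""


def unfold(text):
    """Join folded lines and drop '#' comments; return logical LDIF lines."""
    lines, in_comment = [], False
    for raw in text.splitlines():
        if raw.startswith(" "):               # continuation of previous line
            if lines and not in_comment:
                lines[-1] += raw[1:]
            continue
        in_comment = raw.startswith("#")
        if not in_comment:
            lines.append(raw)
    return lines


def _attr_value(line):
    """Split 'name: value' or 'name:: base64' into (name, value)."""
    name, sep, rest = line.partition(":")
    if not sep:
        raise ValueError("not an LDIF attribute line: %r" % line)
    if rest.startswith(":"):                  # base64-encoded value
        return name, base64.b64decode(rest[1:].strip()).decode("utf-8")
    return name, rest[1:] if rest.startswith(" ") else rest


def parse_ldif(text):
    """Return {'entries': [{'dn', 'attrs'}], 'referrals': [url], 'result': {}}.
    ldapsearch prints search references as 'ref:' records and the status as a
    'search:'/'result:' record; neither is an entry, which is why numResponses
    exceeds numEntries in the post."""
    out, record = {"entries": [], "referrals": [], "result": {}}, []
    for line in unfold(text) + [""]:          # sentinel flushes last record
        if line:
            record.append(_attr_value(line))
            continue
        if record and record[0][0] == "dn":
            attrs = {}
            for name, value in record[1:]:
                attrs.setdefault(name, []).append(value)
            out["entries"].append({"dn": record[0][1], "attrs": attrs})
        elif record and record[0][0] == "ref":
            out["referrals"] += [v for n, v in record if n == "ref"]
        elif record:
            out["result"].update(record)
        record = []
    return out


def unescape_dn_value(value):
    """Decode RFC 4514 escapes: '\\,' -> ',' and hex pairs ('\\2C' -> ',')
    back to the original UTF-8 characters."""
    raw = bytearray()
    for hexpair, escaped, plain in re.findall(r"\\([0-9A-Fa-f]{2})|\\(.)|(.)", value):
        raw += bytes.fromhex(hexpair) if hexpair else (escaped or plain).encode("utf-8")
    return raw.decode("utf-8")


def split_dn(dn):
    """Split a DN into (type, decoded value) pairs; an escaped comma inside a
    value ('CN=Name\\, User') does not start a new RDN."""
    rdns = re.findall(r"(?:\\.|[^,\\])+", dn)
    return [(t.strip(), unescape_dn_value(v))
            for t, _, v in (r.partition("=") for r in rdns)]


def summarize(parsed, requested=()):
    """What matters when debugging the lookup: entries returned, requested
    attributes no entry carried, referral hosts, and the numeric result code."""
    present = {k.lower() for e in parsed["entries"] for k in e["attrs"]}
    return {
        "entries": len(parsed["entries"]),
        "missing_attributes": [a for a in requested if a.lower() not in present],
        "referral_hosts": [urlparse(u).hostname for u in parsed["referrals"]],
        "result_code": int(parsed["result"].get("result", "-1").split()[0]),
    }
```

Call parse_ldif() on captured ldapsearch output and then summarize(parsed, requested=("cn", "givenName", "sn")): "entries" tells you how many of the numResponses were real entries, "referral_hosts" lists where the server tried to redirect the search, and "missing_attributes" is non-empty when the attribute list was passed as one comma-joined argument rather than as separate arguments.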
