Active directory groups

Doty, Seth seth.doty at nebraska.gov
Fri May 20 18:33:14 CEST 2011


That is the fun I am having.  The baseDN of dc=AD,dc=ne,dc=gov DOES work
from ldapsearch and these are actually the credentials I have received
from our LDAP admins.  One of the more specific options I received must
be wrong.

That all being said, though, you are responding with an answer that at
least lets me know that my syntax is correct, even if the information I
am receiving from the local LDAP folks is not.  Thanks for your help.



On Fri, 2011-05-20 at 17:03 +0100, Phil Mayers wrote:
> On 20/05/11 16:27, Doty, Seth wrote:
> > I changed my baseDN to: basedn = ou=test,dc=AD,dc=ne,dc=gov and this
> > results in the same failure in the group section.
> > rlm_ldap: object not found
> > rlm_ldap::ldap_groupcmp: search failed
> >
> >
> > I can't remove the ou=test portion or authentication fails completely and
> > I get a reject:
> >   [ldap] performing user authorization for seth.doty
> > [ldap] 	expand: %{Stripped-User-Name} ->
> > [ldap] 	expand: %{User-Name} ->  seth.doty
> > [ldap] 	expand: (CN=%{%{Stripped-User-Name}:-%{User-Name}}) ->
> > (CN=seth.doty)
> > [ldap] 	expand: dc=ad,dc=ne,dc=gov ->  dc=ad,dc=ne,dc=gov
> > rlm_ldap: ldap_get_conn: Checking Id: 0
> > rlm_ldap: ldap_get_conn: Got Id: 0
> > rlm_ldap: attempting LDAP reconnection
> > rlm_ldap: closing existing LDAP connection
> > rlm_ldap: (re)connect to ad.ne.gov:389, authentication 0
> > rlm_ldap: bind as stn\seth.doty/ to stone.ne.gov:389
> > rlm_ldap: waiting for bind result ...
> > rlm_ldap: Bind was successful
> > rlm_ldap: performing search in dc=ad,dc=ne,dc=gov, with filter
> > (CN=seth.doty)
> > rlm_ldap: ldap_search() failed: Operations error
> 
> You're just putting random things into the ldap config and hoping it 
> will work.
> 
> Go and speak to the people who run your LDAP service. Ask them for the 
> correct base DN, bind DN and credentials, group filters and so forth.
> 
> Try these LDAP parameters from the command line using ldapsearch. When 
> it's working, try them with FreeRADIUS.





More information about the Freeradius-Users mailing list