Advice on where to look next...

Johnson, Jeffrey jpjohnson at challiance.org
Mon Feb 18 15:28:40 CET 2013


I've configured my server to successfully authenticate against AD using my ldap module.

However, my users are in multiple OUs, and I can only specify one basedn at a time.  I know that's probably not good directory structure, but I don't manage our directory.  What approach to others use to search multiple basedns?

In case it would help, here is the relevant portions from my ldap module, which is curently working (I've remved most comments to make it concise:

ldap {
        server = xxx
        identity = "cn=ldapuser,ou=service accounts,dc=cphc,dc=local"
        password = xxx
        basedn = "dc=cphc,dc=local"  ***This doesn't work without a specific OU. My users are in multiple OUs****
        #basedn = "OU=CHA-Staff (No Folder Redir),DC=cphc,DC=local"
        filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"

        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1

        tls {
                start_tls = no
        }

        dictionary_mapping = ${confdir}/ldap.attrmap

        edir_account_policy_check = no

        groupname_attribute = cn
        groupmembership_filter = "(member=%{check:Ldap-UserDn})"
        groupmembership_attribute = member

        #compare_check_items = yes
        #do_xlat = yes
         access_attr_used_for_allow = yes
}

*One thing that confuses me is that ldapsearch works fine using basedn="dc=cphc,dc=local".


Any my error output:

[ldap] performing user authorization for jpjohnson
[ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[ldap]  expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -> (sAMAccountName=jpjohnson)
[ldap]  expand: dc=cphc,dc=local -> dc=cphc,dc=local
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: closing existing LDAP connection
rlm_ldap: (re)connect to tch-nt2.cphc.local:389, authentication 0
rlm_ldap: bind as cn=ldapuser,ou=service accounts,dc=cphc,dc=local/xxx to tch-nt2.cphc.local:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=cphc,dc=local, with filter (sAMAccountName=jpjohnson)
rlm_ldap: ldap_search() failed: Operations error
[ldap] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns fail

-Jeff

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20130218/4c1a2e21/attachment.html>


More information about the Freeradius-Users mailing list