SV: LDAP Broken in 3.0?

Mikael Tomt mikael.tomt at mora.se
Sat Oct 19 08:47:40 CEST 2013


636 works in v2.
I tried v3 on a different server; going to install v2 to check if everything's well with the server.

I'm using NTLM to auth users and LDAP to check their groups.
Here's debug output from post-auth:

(11) Login OK: [tommik0410] (from client MOA-WLC5 port 1 cli 34-c0-59-ad-27-0a)
(11) # Executing section post-auth from file /usr/etc/raddb/sites-enabled/default
(11)   post-auth {
(11)   update reply {
(11)            Service-Type = Framed-User
(11)            Tunnel-Type = VLAN
(11)            Tunnel-Medium-Type = IEEE-802
(11)   } # update reply = noop
(11)   ? if (Ldap-Group == "GGGSystemMOA-MAC-Disabled")
(11)    expand: "GGGSystemMOA-MAC-Disabled" -> 'GGGSystemMOA-MAC-Disabled'
(11) Searching for user in group "GGGSystemMOA-MAC-Disabled"
rlm_ldap (ldap): Reserved connection (4)
(11)    expand: "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" -> '(uid=tommik0410)'
(11)    expand: "dc=adm,dc=ovansiljan,dc=net" -> 'dc=adm,dc=ovansiljan,dc=net'
(11) Performing search in 'dc=adm,dc=ovansiljan,dc=net' with filter '(uid=tommik0410)'
(11) Waiting for search result...
(11) ERROR: Failed performing search: Please set 'chase_referrals=yes' and 'rebind=yes'. See the ldap module configuration for details.
(11) ERROR: Server said: 000004DC: LdapErr: DSID-0C0906DD, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1772.
rlm_ldap (ldap): Released connection (4)
rlm_ldap (ldap): Closing connection (0): Too many free connections (5 > 3)
Invalid operator for item Ldap-Group: reverting to '=='
(11)   ? if (Ldap-Group == "GGGSystemMOA-MAC-Disabled")  -> FALSE
(11)   ? elsif (Ldap-Group == "GGGSystemMOA-MAC-ADM")
(11)    expand: "GGGSystemMOA-MAC-ADM" -> 'GGGSystemMOA-MAC-ADM'
(11) Searching for user in group "GGGSystemMOA-MAC-ADM"
rlm_ldap (ldap): Reserved connection (4)
(11)    expand: "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" -> '(uid=tommik0410)'
(11)    expand: "dc=adm,dc=ovansiljan,dc=net" -> 'dc=adm,dc=ovansiljan,dc=net'
(11) Performing search in 'dc=adm,dc=ovansiljan,dc=net' with filter '(uid=tommik0410)'
(11) Waiting for search result...
(11) ERROR: Failed performing search: Please set 'chase_referrals=yes' and 'rebind=yes'. See the ldap module configuration for details.
(11) ERROR: Server said: 000004DC: LdapErr: DSID-0C0906DD, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1772.
rlm_ldap (ldap): Released connection (4)


Best regards, Mikael Tomt
IT Department Mora, Orsa, Älvdalen

-----Original message-----
From: freeradius-users-bounces+mikael.tomt=mora.se at lists.freeradius.org [mailto:freeradius-users-bounces+mikael.tomt=mora.se at lists.freeradius.org] On behalf of Arran Cudbard-Bell
Sent: 19 October 2013 08:21
To: FreeRadius users mailing list
Subject: Re: LDAP Broken in 3.0?


On 19 Oct 2013, at 06:56, Mikael Tomt <mikael.tomt at mora.se> wrote:

> Hello
> We are currently using freeradius 2.1.12 which works fine.
> I tried to install 3.0, everything went fine except ldap.
> When I try ldaps on port 636 it fails on startup with:
> rlm_ldap (ldap): Connecting to SERVERNAME:636
> rlm_ldap (ldap): Bind with CN=USERNAME,OU=XXX,DC=XXX,DC=XXX,DC=XXX to SERVER:636 failed: Can't contact LDAP server
> rlm_ldap (ldap): Opening connection failed (0)
> rlm_ldap (ldap): Removing connection pool
> /usr/etc/raddb/mods-enabled/ldap[1]: Instantiation failed for module "ldap"

and connections to 636 used to work with v2?

> With ldap on port 389 it starts but fails when I connect with:
> (35) ERROR: Failed performing search: Please set 'chase_referrals=yes' and 'rebind=yes'. See the ldap module configuration for details.
> (35) ERROR: Server said: 000004DC: LdapErr: DSID-0C0906DD, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1772.
>
> I have chase_referrals=yes and rebind=yes in ldap module file and tried to move it around without success.

You did re-create your module config, right, and not just hack a v2 one about? Chase referrals and rebind got moved to the options {} section, and must be listed there to work.

Anyway, can you provide your full debug output please (from server start to the first authentication request).

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org> FreeRADIUS Development Team
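For reference, here is the shape of a FreeRADIUS 3.0 mods-available/ldap instance with the referral settings in the options {} section where the 3.0 module reads them, alongside the v2-style top-level placement that the 3.0 module does not honour. This is an added example, not a file from the thread or the FreeRADIUS project's shipped configuration; the server name, bind identity, password, base DN, CA path and group attribute are placeholders, and the pool numbers are only illustrative.

```conf
# Added example (not from the thread): FreeRADIUS 3.0 style mods-available/ldap.
# Hostnames, credentials, DNs and paths below are placeholders, not the poster's values.
ldap {
        server = 'ldap.example.org'
        port = 389
        identity = 'cn=radius-bind,ou=service,dc=example,dc=org'
        password = 'replace-me'
        base_dn = 'dc=example,dc=org'

        # v2-style placement: in 3.0 these top-level keys are not read by the
        # module. Referrals are then followed without a bind, and the directory
        # rejects the referred search with "a successful bind must be completed"
        # (the 000004DC error seen in the debug output above).
        # chase_referrals = yes
        # rebind = yes

        user {
                base_dn = "${..base_dn}"
                filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        }

        group {
                base_dn = "${..base_dn}"
                name_attribute = cn
                # Assumption: the directory exposes group membership via memberOf.
                membership_attribute = 'memberOf'
        }

        # 3.0 placement: referral handling lives in options {}.
        # rebind = yes makes the module bind again with 'identity' on the
        # referred-to server instead of searching it anonymously.
        options {
                chase_referrals = yes
                rebind = yes
                timeout = 10
                timelimit = 3
                net_timeout = 1
        }

        # Encrypted transport: pin the CA and demand a valid server certificate
        # so the bind password is only ever sent to a verified directory server.
        tls {
                ca_file = /etc/ssl/certs/example-ca.pem
                require_cert = 'demand'
        }

        pool {
                start = 5
                min = 4
                max = 10
                spare = 3
                uses = 0
                lifetime = 0
                idle_timeout = 60
        }
}
```

After editing, restart with `radiusd -X` and confirm that the ldap module instantiates at startup and that a group check in post-auth completes its search without the 000004DC bind error; the "Too many free connections (5 > 3)" lines in the debug output are just the pool trimming back to its spare count and are not a fault.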
