LDAP search failed

Danner, Mearl jmdanner at samford.edu
Mon Jul 6 17:25:27 CEST 2015



> -----Original Message-----
> From: Freeradius-Users [mailto:freeradius-users-
> bounces+jmdanner=samford.edu at lists.freeradius.org] On Behalf Of Hatim
> CHIKHI
> Sent: Monday, July 06, 2015 10:10 AM
> To: FreeRadius users mailing list
> Subject: Re: LDAP search failed
> 
> > myserver:389
> >   [ldap] waiting for bind result ...
> >   [ldap] Bind was successful
> >   [ldap] performing search in dc=3Dad,dc=3D****,dc=3Dfr, with filter
> > sAMAccountName=3Dhatim
> >   [ldap] rebind to URL ldap://*****
> >   [ldap] rebind to URL ldap://*****
> >   [ldap] rebind to URL ldap://*****
> > [ldap] no uid attribute - access denied by default
> 
> > Active Directory has no uid by default. The schema needs to be extended to
> > provide it. And most provisioning software does not populate it even if it
> > exists.
> 
> So this was the problem, I changed the value uid and set
> "sAMAccountName"
> and now it works.
> Thank you guys for your help.
> 
> 
> I have another question, the ldap search is taking too much time, more
> than 10 seconds.
> I don't know if there is a way to speed up the search??

Probably a back end problem, not FreeRADIUS.

Do you get the same lag using a command line ldap search?

Could be chasing referrals. Try the GC port 3268 (3269 for SSL). Not all attributes are available in the Global Catalog unless specified in the schema. They can be exposed by one of your AD admins if needed.

Also make sure all the attributes in your search strings are indexed. If they aren't, search returns can be slow in a large directory.

> 
> 
> Thanks!
> 
> > 2015-07-03 18:05 GMT+02:00 Hatim CHIKHI
> <hatim.networking at gmail.com>:
> >
> >>
> >>   >When FreeRADIUS does the search for the user, it gets nothing.
> >>   >
> >>   > Perhaps because the search string is broken?
> >>
> >> But I get a result when I issue the search with ldapsearch
> >>
> >>
> >>   >That doesn't look right.  Where does that string come from?
> >> The 3D is added by gmail so it's not a problem
> >>
> >>
> >>
> >> 2015-07-03 15:25 GMT+02:00 Alan DeKok-2 [via FreeRADIUS] <
> >> ml-node+s1045715n5735114h65 at n5.nabble.com>:
> >>
> >>> On Jul 3, 2015, at 7:01 AM, Hatim CHIKHI <[hidden email]
> >>> <http:///user/SendEmail.jtp?type=node&node=5735114&i=0>> wrote:
> >>> > When I issue an ldap search I get many information about the user I'm
> >>> > looking for but I'm not sure if the search is successful:
> >>>
> >>>   When FreeRADIUS does the search for the user, it gets nothing.
> >>>
> >>>   Perhaps because the search string is broken?
> >>>
> >>> > In the radius logs, this time I'm getting this error:
> >>> >
> >>> > [ldap] performing user authorization for hatim
> >>> > [ldap]  expand: sAMAccountName=3D%{User-Name} ->
> >>> sAMAccountName=3Dhatim
> >>> > [ldap]  expand: dc=3Dad,dc=3D****,dc=3Dfr ->
> dc=3Dad,dc=3D****,dc=3Dfr
> >>>
> >>>   That doesn't look right.  Where does that string come from?
> >>>
> >>>   Alan DeKok.
> >>>
> >>> -
> >>> List info/subscribe/unsubscribe? See
> >>> http://www.freeradius.org/list/users.html

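A way to triage the debug output quoted in this thread, as an added example that is not part of the original messages or of FreeRADIUS: it groups the `[ldap]` lines per search, counts the `rebind to URL` lines (treated here as one followed referral each, which is an assumption) and reports the "no ... attribute" denial. The sample log, its host names and the function names are constructed for illustration.

```python
import re

# Constructed sample modelled on the debug lines in this thread, including the
# "=3D" quoted-printable residue the mail client left in the pasted log.
SAMPLE = """\
[ldap] performing user authorization for hatim
[ldap] Bind was successful
[ldap] performing search in dc=3Dad,dc=3Dexample,dc=3Dfr, with filter sAMAccountName=3Dhatim
[ldap] rebind to URL ldap://ref1.ad.example.fr
[ldap] rebind to URL ldap://ref2.ad.example.fr
[ldap] rebind to URL ldap://ref3.ad.example.fr
[ldap] no uid attribute - access denied by default
"""

SEARCH = re.compile(r"performing search in (?P<base>.+?), with filter (?P<filter>.+)$")
REBIND = re.compile(r"rebind to URL (?P<url>\S+)")
MISSING = re.compile(r"no (?P<attr>\S+) attribute - access denied by default")

def analyse(log):
    """Return one dict per LDAP search: base, filter, referral URLs, missing attribute."""
    searches = []
    for raw in log.splitlines():
        line = raw.replace("=3D", "=").strip()  # undo the mail-client encoding only
        m = SEARCH.search(line)
        if m:
            searches.append({"base": m["base"], "filter": m["filter"],
                             "referrals": [], "missing_attr": None})
            continue
        if not searches:
            continue  # ignore lines that precede the first search
        if (m := REBIND.search(line)):
            searches[-1]["referrals"].append(m["url"])
        elif (m := MISSING.search(line)):
            searches[-1]["missing_attr"] = m["attr"]
    return searches

def findings(searches):
    """Turn the parsed searches into the checks suggested in the reply above."""
    out = []
    for s in searches:
        if s["referrals"]:
            out.append(f"{s['filter']}: base {s['base']} followed {len(s['referrals'])} "
                       "referral(s); compare timing on the GC port 3268 (3269 for SSL)")
        if s["missing_attr"]:
            out.append(f"{s['filter']}: entry has no '{s['missing_attr']}' attribute; "
                       "use one that AD populates, such as sAMAccountName")
    return out
```

Calling `findings(analyse(text))` on real `radiusd -X` output gives one line per problem to check against a command-line search.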

