rlm_ldap fails but ldapsearch works

Victor vik_viktor at yahoo.com
Thu Aug 6 11:25:28 CEST 2020


Hello Alan,

It turns out the problem was the undefined ldap admin bind credentials:

#       identity = 'cn=admin,dc=example,dc=org'
#       password = mypass

rlm_ldap uses the current user credentials for the user search bind, which works, but not for the group search, i.e. it binds anonymously per connection and therefore the requests fail.

Victor
 On Sunday, August 2, 2020, 03:10:10 PM UTC, Alan DeKok <aland at deployingradius.com> wrote:
 On Aug 2, 2020, at 10:47 AM, Victor via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>
> Well, from the wireshark LDAP protocol decode:

  Which doesn't really help.

> -the answer to rlm_ldap:
...
> -the answer to ldapsearch:

  Yes, you already said that in your first message.  Repeating it doesn't help.

> rlm_ldap clearly doesn't get the same answer, almost to the same request (timeLimit differs):

  Then blame the LDAP server.  If the same query gives two different answers, then it's broken.  Or, there's something happening behind the scenes. e.g. it's applying additional filters based on something else such as source IP.

  Are you doing the ldapsearch from the same machine which is running FreeRADIUS?

  But... in the end the issue is simple.  The query used by FreeRADIUS is correct, but the answer returned by the LDAP server is wrong.  You have to figure out what's wrong with the LDAP server, and why.

  Alan DeKok.
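For readers who hit the same symptom, the following is an added configuration example (not from the thread, and not taken from the FreeRADIUS distribution) showing the two states Victor describes for the `ldap` module in `mods-available/ldap`: first with the admin bind credentials commented out, then with them set. The server address, base DN, filters and credentials are placeholders; the `user` and `group` subsection keys follow the FreeRADIUS 3.x module layout.

```conf
# mods-available/ldap (added example; hostnames, DNs and password are placeholders)

ldap {
        server = 'ldap.example.org'
        port = 389

        # --- Broken state from the thread: no admin bind defined. ---
        # With these commented out, any connection the module opens without
        # a user's credentials binds anonymously, and searches that the
        # directory does not permit anonymously return nothing.
        #identity = 'cn=admin,dc=example,dc=org'
        #password = mypass

        # --- Working state: a service account for the module's own binds. ---
        # Use a dedicated read-only account, not the directory's root DN,
        # and keep this file readable only by the user FreeRADIUS runs as.
        identity = 'cn=radius-ro,dc=example,dc=org'
        password = 'example-service-password'

        base_dn = 'dc=example,dc=org'

        user {
                base_dn = "${..base_dn}"
                filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        }

        group {
                base_dn = "${..base_dn}"
                filter = '(objectClass=groupOfNames)'
                name_attribute = cn
                membership_filter = "(member=%{control:Ldap-UserDn})"
        }
}
```

To confirm that the directory, and not the module, is what differs between the two cases, run the group search twice from the host that runs FreeRADIUS: once anonymously (`ldapsearch -x -H ldap://ldap.example.org -b dc=example,dc=org '(&(objectClass=groupOfNames)(member=uid=alice,dc=example,dc=org))'`) and once bound as the service account (`ldapsearch -x -H ldap://ldap.example.org -D 'cn=radius-ro,dc=example,dc=org' -W -b dc=example,dc=org '(&(objectClass=groupOfNames)(member=uid=alice,dc=example,dc=org))'`). If only the second returns entries, the directory's access rules hide group membership from anonymous binds and the module needs an `identity`/`password` for its own connections. After adding them, `radiusd -X` shows the bind DN the module uses on each connection.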


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
