<div dir="ltr">ok, in freeradius 2 i've used in post-auth if (LDAP-Group == "blabla") { ... } and all works fine but in freeradius 3??<div><br></div><div>i've tryed to set scope=base in ldap config and the result is</div>
<div><div>(0) Waiting for search result...</div><div>(0) Search returned no results</div></div><div><br></div><div>The credentials are ok, can you tell me what mean "try using the global catalog server, instead of a local AD server" ?? </div>
<div><br></div><div>if i perform a ldap search </div><div> ldapsearch -h 10.0.0.19 -b "dc=intra,dc=ismaa,dc=it" -D "cn=squid,dc=intra,dc=ismaa,dc=it" -w "XXXXXXXX" '(&(objectCategory=person)(objectClass=user)(sAMAccountName=critest))'<br>
</div><div><br></div><div>the result is:</div><div><div># extended LDIF</div><div>#</div><div># LDAPv3</div><div># base <dc=intra,dc=ismaa,dc=it> with scope subtree</div><div># filter: (&(objectCategory=person)(objectClass=user)(sAMAccountName=critest))</div>
<div># requesting: ALL</div><div>#</div><div><br></div><div># critest test, UO_Test2, Computers_SUS, <a href="http://intra.ismaa.it">intra.ismaa.it</a></div><div>dn: CN=critest test,OU=UO_Test2,OU=Computers_SUS,DC=intra,DC=ismaa,DC=it</div>
<div>objectClass: top</div><div>objectClass: person</div><div>objectClass: organizationalPerson</div><div>objectClass: user</div><div>cn: critest test</div><div>sn: test</div><div>givenName: critest</div><div>distinguishedName: CN=critest test,OU=UO_Test2,OU=Computers_SUS,DC=intra,DC=is</div>
<div> maa,DC=it</div><div>instanceType: 4</div><div>whenCreated: 20130314153458.0Z</div><div>whenChanged: 20131022132244.0Z</div><div>displayName: critest test</div><div>uSNCreated: 107373282</div><div>memberOf: CN=radius_cri,OU=RADIUS,OU=FEM,DC=intra,DC=ismaa,DC=it</div>
<div>memberOf: CN=dipendenti,OU=Internet,DC=intra,DC=ismaa,DC=it</div><div>memberOf: CN=K_Internet_Dipendenti,OU=Internet,DC=intra,DC=ismaa,DC=it</div><div>uSNChanged: 358179580</div><div>name: critest test</div><div>objectGUID:: JJ+bzzA9tEGdjQtyd8J8Kw==</div>
<div>userAccountControl: 512</div><div>badPwdCount: 1</div><div>codePage: 0</div><div>countryCode: 0</div><div>homeDirectory: \\IASMA003\utenti\critest</div><div>homeDrive: M:</div><div>badPasswordTime: 130269164412391214</div>
<div>lastLogoff: 0</div><div>lastLogon: 130269081333443991</div><div>scriptPath: mainbatch.bat</div><div>pwdLastSet: 130269217648210862</div><div>primaryGroupID: 513</div><div>objectSid:: AQUAAAAAAAUVAAAAiqcyP6M80yZDFwoyPjAAAA==</div>
<div>accountExpires: 0</div><div>logonCount: 95</div><div>sAMAccountName: critest</div><div>division: 0da9ce1da208fc1751dcd52e479c6384869949f4</div><div>sAMAccountType: 805306368</div><div>userPrincipalName: <a href="mailto:critest@intra.ismaa.it">critest@intra.ismaa.it</a></div>
<div>lockoutTime: 0</div><div>objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=intra,DC=ismaa,DC=it</div><div>dSCorePropagationData: 20130411130311.0Z</div><div>dSCorePropagationData: 20130411130311.0Z</div><div>dSCorePropagationData: 20130411130311.0Z</div>
<div>dSCorePropagationData: 16010108151056.0Z</div><div><br></div><div># search reference</div><div>ref: ldap://<a href="http://ForestDnsZones.intra.ismaa.it/DC=ForestDnsZones,DC=intra,DC=ismaa">ForestDnsZones.intra.ismaa.it/DC=ForestDnsZones,DC=intra,DC=ismaa</a>,</div>
<div> DC=it</div><div><br></div><div># search reference</div><div>ref: ldap://<a href="http://DomainDnsZones.intra.ismaa.it/DC=DomainDnsZones,DC=intra,DC=ismaa">DomainDnsZones.intra.ismaa.it/DC=DomainDnsZones,DC=intra,DC=ismaa</a>,</div>
<div> DC=it</div><div><br></div><div># search reference</div><div>ref: ldap://<a href="http://intra.ismaa.it/CN=Configuration,DC=intra,DC=ismaa,DC=it">intra.ismaa.it/CN=Configuration,DC=intra,DC=ismaa,DC=it</a></div><div>
<br></div><div># search result</div><div>search: 2</div><div>result: 0 Success</div><div><br></div><div># numResponses: 5</div><div># numEntries: 1</div><div># numReferences: 3</div></div><div><br></div><div><br></div><div>
<br></div><div>surely the fault is mine, but I do not understand where it is...<br></div><div><br></div><div>thank you!!</div><div><br></div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">
2013/10/25 Alan DeKok <span dir="ltr"><<a href="mailto:aland@deployingradius.com" target="_blank">aland@deployingradius.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">Davide Garofalo wrote:<br>
> i've a big problem with the new module ldap.<br>
<br>
</div> It's a problem with active directory.<br>
<div class="im"><br>
> when i perform a ldap request i've this error<br>
> Fri Oct 25 14:16:30 2013 : ERROR: (0) ERROR: Failed performing search:<br>
> Please set 'chase_referrals=yes' and 'rebind=yes'. See the ldap module<br>
> configuration for details.<br>
> Fri Oct 25 14:16:30 2013 : ERROR: (0) ERROR: Server said: 00000000:<br>
> LdapErr: DSID-0C090627, comment: In order to perform this operation a<br>
> successful bind must be completed on the connection., data 0, vece.<br>
<br>
</div> That would seem to be obvious. Do you have it configured to use the<br>
correct credentials? Or, try using the global catalog server, instead<br>
of a local AD server.<br>
<br>
You might not know this, but AD isn't really an LDAP server. It<br>
pretends to be one sometimes. But for critical issues... it's not.<br>
<br>
DON'T do "-Xxxxxxx". It's pointless. "-X" is enough.<br>
<br>
The debug log says:<br>
<br>
> Fri Oct 25 11:57:16 2013 : Info: Invalid operator for item Ldap-Group:<br>
reverting to '=='<br>
<br>
Fix that. It won't solve the problem, but it will help.<br>
<span class="HOEnZb"><font color="#888888"><br>
Alan DeKok.<br>
</font></span><div class="HOEnZb"><div class="h5">-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr"><b>Davide Garofalo</b><br><br><div><img src="http://qr.kaywa.com/?l=1&s=2&d=http%3A%2F%2Fkaywa.me%2F00y16"><br></div></div>
</div>