<div dir="ltr">
<div>Hi,</div>
<div><br>"Resending this post, as the previous post was of a larger size and hence got blocked."</div>
<div><br>When I configure FreeRADIUS 2.1.12 with the following LDAP config, where the base DN does not have "cn=Users" configured,
<b>basedn = "dc=KC-DC-Solutions,dc=com"</b>, the authentication does not work with Windows 2008 Active Directory.<br>
The same works fine with a server configured on a Linux box with OpenLDAP.
The OpenLDAP server is able to search for the user, and authentication goes fine.</div>
<pre>ldap ldap_primary {
        server = 172.31.100.250
        port = 389
        identity = "cn=Administrator,cn=Users,dc=KC-DC-Solutions,dc=com"
        password = "abcdefg"
        <b>basedn = "dc=KC-DC-Solutions,dc=com"</b>
        filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = no
        access_attr = "dialupacces"
        dictionary_mapping = ${raddbdir}/ldap.attrma
}</pre>
<div>With Windows AD, FreeRADIUS fails to authenticate the client with the reason
"[ldap_primary] ldap_search() failed: Timed out while waiting for server to respond. Please increase the timeout."<br>
Below are the radiusd logs:</div>
<pre>[ldap_primary] rlm_ldap: performing user authorization for Kiran
[ldap_primary] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap_primary] expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -> (sAMAccountName=Kiran)
[ldap_primary] expand: dc=KC-DC-Solutions,dc=com -> dc=KC-DC-Solutions,dc=com
[ldap_primary] ldap_get_conn: Checking Id: 0
[ldap_primary] ldap_get_conn: Got Id: 0
[ldap_primary] attempting LDAP reconnection
[ldap_primary] (re)connect to 172.31.100.250:389, authentication 0
[ldap_primary] bind as cn=Administrator,cn=Users,dc=KC-DC-Solutions,dc=com/abcdefg to 172.31.100.250:389
[ldap_primary] waiting for bind result ...
[ldap_primary] Bind was successful
[ldap_primary] performing search in dc=KC-DC-Solutions,dc=com, with filter (sAMAccountName=Kiran)
[ldap_primary] ldap_search() failed: Timed out while waiting for server to respond. Please increase the timeout.
ldap server 172.31.100.250 is dead
[ldap_primary] attempting LDAP reconnection
[ldap_primary] closing existing LDAP connection
[ldap_primary] (re)connection attempt failed
[ldap_primary] search failed
[ldap_primary] ldap_release_conn: Release Id: 0
+++[ldap_primary] returns fail
++- policy redundant returns fail
Invalid user: [Kiran] (from client localhost port 1 cli 00-1E-E5-F9-BE-BC</pre>
<div>When I configure the same with basedn = "cn=Users,dc=KC-DC-Solutions,dc=com", the LDAP search works fine and authentication goes fine.</div>
<pre>ldap ldap_primary {
        server = 172.31.100.250
        port = 389
        identity = "cn=Administrator,cn=Users,dc=KC-DC-Solutions,dc=com"
        password = "abcdefg"
        basedn = "cn=Users,dc=KC-DC-Solutions,dc=com"
        filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = no
        access_attr = "dialupacces"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
}</pre>
<div>Please let me know what needs to be done for the LDAP search to work with Windows AD when the cn is not configured.</div>
<div><br>Regards,<br>Winson</div>
</div>
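<p>Added example (editor's note, not part of Winson's post and not an official FreeRADIUS file): the rlm_ldap settings in the 2.1.x module that usually decide whether a subtree search rooted at the AD domain root succeeds. It assumes the common cause of this symptom: a search at <code>dc=KC-DC-Solutions,dc=com</code> makes Active Directory return referrals for its other naming contexts (DomainDnsZones, ForestDnsZones, Configuration), libldap follows them by default before the call returns, and if the RADIUS host cannot resolve or reach those referred hostnames the whole search runs past <code>timeout</code>, which is exactly the error the log reports. The <code>chase_referrals</code> and <code>rebind</code> options exist in 2.1.x rlm_ldap; the timeout values are the module's usual defaults; the password is a placeholder, since the 2.x debug output above prints the real bind password and that credential should be rotated after posting.</p>

```conf
# Added example configuration, not from the original post.
# Assumption: the timeout is caused by referral chasing, not by the DC itself.
ldap ldap_primary {
        server = 172.31.100.250
        port = 389
        identity = "cn=Administrator,cn=Users,dc=KC-DC-Solutions,dc=com"
        password = "CHANGE-ME"        # placeholder; rotate the credential shown in the debug log
        basedn = "dc=KC-DC-Solutions,dc=com"
        filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = no

        # A subtree search at the domain root makes AD return referrals for
        # DomainDnsZones, ForestDnsZones and Configuration. With chasing
        # enabled (libldap's default), each referral means a connect attempt
        # to a DNS name such as DomainDnsZones.KC-DC-Solutions.com before the
        # search call returns; an unresolvable name eats the whole 'timeout'.
        # Disabling chasing returns the user entry without following them.
        chase_referrals = no
        rebind = no

        # Per-operation limits the failing search ran into (module defaults).
        timeout = 4                   # seconds to wait for the search call
        timelimit = 3                 # server-side search time limit
        net_timeout = 1               # seconds to wait for the TCP connect

        access_attr = "dialupacces"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
}
```

<p>To confirm the assumption before changing anything, run the same search from the FreeRADIUS host with OpenLDAP's <code>ldapsearch</code> using the same bind DN, base and filter: it does not chase referrals unless <code>-C</code> is given, so the output will show the user entry followed by <code># refldap://...</code> lines for each referred naming context, and adding <code>-C</code> reproduces the hang if those hostnames do not resolve. Two alternatives keep chasing on: add DNS entries so the referred names resolve, or point <code>port</code> at the Global Catalog on 3268, which answers a domain-root search without those referrals but only returns attributes replicated to the GC.</p>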