On 28.02.2020 14:08, Alan DeKok wrote:
On Feb 28, 2020, at 8:04 AM, uj2.hahn@posteo.de wrote:
Why is that user special? i.e. what is different about that user account, versus the normal user accounts? Nothing! It is a normal user account I provide manually, e.g. my own. If normal users don't get these redirects or blocking behaviour, then *something* is different. It is only the use model in this special case: to have 15 auth requests with same credentials at same time (or at least within few seconds).
But I got enough hints and ideas from you to run some tests and experiments. I can give feedback as soon as I have a solution or a better understanding what is going on. Thanks Uwe
And what are you doing with LDAP in the post-auth section? Group checking to start some authorizing, e.g. students have login time limitations but teachers don't have limitations. That should be fine.
But... if the AD server is giving out referrals, then it's likely misconfigured. It should just answer the query itself.
Your LDAP server is referring the query to a different AD domain. That's pretty clear. I guess this is a LDAP server configuration issue, I need ldap://moritz.local only. Or can I tweak the LDAP query to focus on this domain only? No. The issue isn't the LDAP query. The issue is that the AD server thinks the information isn't available at that DN. Instead, it gives a referral.
So... fix the AD server to have the information at that DN. This is all AD magic, and I (very deliberately) know nothing about it.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html