Moe, John <jmoe@hatch.com.au> wrote:
So I've gone back to FR's LDAP module and thought I'd give "ldap_debug" a try, despite the warning. Surprisingly, it spit out one extra line in my debug:
rlm_ldap: performing search in dc=my,dc=domain,dc=name, with filter (sAMAccountName=username) Unable to chase referral "ldap://my.domain.name/dc=my,dc=domain,dc=name" (-1: Can't contact LDAP server) rlm_ldap: ldap_search() failed: Referral
If I copy and paste that url "ldap://my.domain.name/dc=my,dc=domain,dc=name" into my Windows box, it opens LDAP Browser and connects just fine to my domain, so I assume the syntax of that is right. And if I use just "my.domain.name" in ldapsearch as the host, it works there as well. Any idea why this wouldn't work?
Looks like[2] if you do not make an anonymous bind to AD your problems might go away or alternatively change you base to to be not the root of your directory.
Out of curiousity, do I need to configure OpenLDAP on the server at all? Or does this module's conf take care of that for me, for this purpose?
No need in theory, I personally do just to fix up certificate validation[1] when using ldapsearch and whatnot though. Cheers [1] TLS_CACERT /etc/ssl/certs/ca-certificates.crt [2] http://lists.cistron.nl/pipermail/freeradius-users/2005-December/msg00228.ht... and http://bytes.com/topic/php/answers/11274-use-php-authenticate-ad -- Alexander Clouter .sigmonster says: You are magnetic in your bearing.