Thank you for the suggestions / tips Frank.. Here is the results from the command you gave me: [root@localhost ~]# ldapsearch -x -h 10.1.1.11 -D "CN=admin,OU=People,DC=tfxschool,DC=internal" -w pass -b "o=tfxschool,c=AU" 'objectclass=*' # extended LDIF # # LDAPv3 # base <o=tfxschool,c=AU> with scope subtree # filter: objectclass=* # requesting: ALL # # search result search: 2 result: 1 Operations error text: 000020D6: SvcErr: DSID-031006CC, problem 5012 (DIR_ERROR), data 0 # numResponses: 1 ---------------------------------------- Im about to install unix services for windows on my 2003 server and run my search command again to see if it populates the fields in ldap some more (reccomended from the gentoo wiki's " HOWTO Authenticate from Active Directory using OpenLDAP). Also, it seems to me that freeradius is anonymously binding even though I have set these 2 lines under "ldap {" identity = "cn=admin,o=tfxschool,c=AU" password = pass here is the entry for admin which I retrieved using this command: ldapsearch -h 10.1.1.11 -x -b "dc=tfxschool,dc=internal" -x -LLL -s sub 'objectclass=*' dn: CN=admin,OU=People,DC=tfxschool,DC=internal objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user cn: admin title: tfxschool givenName: admin distinguishedName: CN=admin,OU=People,DC=tfxschool,DC=internal instanceType: 4 whenCreated: 20070426003712.0Z whenChanged: 20070426014259.0Z displayName: admin uSNCreated: 82400 uSNChanged: 82415 department: tfxschool company: tfxschool name: admin objectGUID:: Y5PXIUnZgEeBru7NxgIn3Q== userAccountControl: 66048 badPwdCount: 0 codePage: 0 countryCode: 0 badPasswordTime: 0 lastLogoff: 0 lastLogon: 0 pwdLastSet: 128220214326562500 primaryGroupID: 513 objectSid:: AQUAAAAAAAUVAAAAKyI9FO9VW1CmlC13bwQAAA== accountExpires: 9223372036854775807 logonCount: 0 sAMAccountName: admin sAMAccountType: 805306368 userPrincipalName: admin@tfxschool.internal objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=tfxschool,DC=internal Thanks in adavance, I appreciate the info very much. On 4/26/07, Ranner, Frank MR <Frank.Ranner@defence.gov.au> wrote:
Are you sure that the uid attribute is even in Active Directory. Chances are the usernames are in the sAMAccountName attribute. Since you now seem to be able to bind, why not use the ldapsearch utility to show entries in the o=tfxschool,c=AU subtree.
ldapsearch -x -h <hostname> -D "cn=admin,o=tfxschool,c=AU" -w pass -b "o=tfxschool,c=AU" 'objectclass=*'
This will show you what attributes there are, and whether the password is readable.
Regards, Frank Ranner
-----Original Message----- From: freeradius-users-bounces+frank.ranner=defence.gov.au@lists.fre eradius.org [mailto:freeradius-users-> bounces+frank.ranner=defence.gov.au@lists.freeradius.org] On Behalf Of Jacob Jarick Sent: Thursday, 26 April 2007 12:38 To: FreeRadius users mailing list Subject: FR + LDAP + ADS - rlm_ldap: ldap_search() failed: Operations error
radiusd.conf: radiusd -X -f: http://pastebin.ca/458790
Hello again, I have configured the ldap module according to the rlm_ldap wiki (minus TLS, just trying one thing at a time).I have supplied: identity = "cn=admin,o=tfxschool,c=AU" password = pass
As I have been told anonymous binding is not the way to go for confirming username/password.
From reading the error log it seems to me that freeradius does succesfully connect to the ADS server via ldap but fails to find the user.
output in question:
rlm_ldap: - authorize rlm_ldap: performing user authorization for jacob radius_xlat: '(uid=jacob)' radius_xlat: 'o=tfxschool,c=AU' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to tfxschoolfs01.tfxschool.internal:389, authentication 0 rlm_ldap: bind as /pass to tfxschoolfs01.tfxschool.internal:389 rlm_ldap: waiting for bind result ... request done: ld 0x8697ed0 msgid 1 rlm_ldap: Bind was successful rlm_ldap: performing search in o=tfxschool,c=AU, with filter (uid=jacob) request done: ld 0x8697ed0 msgid 2 rlm_ldap: ldap_search() failed: Operations error rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns fail for request 0 modcall: leaving group authorize (returns fail) for request 0 Finished request 0 . The user Jacob auth's fine via the ntlm_auth module but fails with my current ldap setup. Does the user admin need special priveleges on the Windows 2003 ADS to search / retrieve user information (eg password, group etc). - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html