I have been using FR since around the .4 release days, so they will have to fight pretty hard to get me to dump it for ACS. :-) I looked into this but unfortunately messing with the AD schema attributes is usually frowned upon. Another FR user suggested I create multiple LDAP statements each pointing to a lower OU in the tree that is not so large. This seems like a logical idea except I can't seem to make it work right in 2.0.0. I know I have done this in a previous FR version, but I am stumped at this point. Here are the relevant portions - Radiusd.conf: modules { ldap a { ####### Active Directory LDAP Setup ####### server = *.*.*.1 #port = 3268 identity = "cn=***,ou=***,dc=***,dc=***" password = * basedn = "ou=a,dc=***,dc=***" filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})" start_tls = no dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 10 timeout = 10 timelimit = 10 net_timeout = 1 edir_account_policy_check = no } ldap b { ####### Active Directory LDAP Setup ####### server = *.*.*.1 #port = 3268 identity = "cn=***,ou=***,dc=***,dc=***" password = * basedn = "ou=b,dc=***,dc=***" filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})" start_tls = no dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 10 timeout = 10 timelimit = 10 net_timeout = 1 edir_account_policy_check = no } ldap c { ####### Active Directory LDAP Setup ####### server = *.*.*.1 #port = 3268 identity = "cn=***,ou=***,dc=***,dc=***" password = * basedn = "ou=c,dc=***,dc=***" filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})" start_tls = no dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 10 timeout = 10 timelimit = 10 net_timeout = 1 edir_account_policy_check = no } Sites-available/default: authorize { # The ldap module will set Auth-Type to LDAP if it has not # already been set #ldap a b c } authenticate { # Uncomment it if you want to use ldap for authentication # # Note that this means "check plain-text password against # the ldap database", which means that EAP won't work, # as it does not supply a plain-text password. Auth-Type LDAP { a b c } The debug from radiusd -X: Listening on authentication address * port 1812 Listening on accounting address * port 1813 Ready to process requests. rad_recv: Access-Request packet from host *.*.*.* port 32856, id=154, length=60 User-Name = "testuser" User-Password = "testing" NAS-IP-Address = 255.255.255.255 NAS-Port = 1 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_realm: No '\' in User-Name = "testuser", looking up realm NULL rlm_realm: No such realm "NULL" ++[ntdomain] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop rlm_ldap: - authorize rlm_ldap: performing user authorization for testuser WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -> (sAMAccountName=testuser) expand: ou=a,dc=***,dc=*** -> ou=a,dc=***,dc=*** rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to *.*.*.*:389, authentication 0 rlm_ldap: bind as cn=***,ou=***,dc=***,dc=***/*** to *.*.*.*:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=a,dc=***,dc=***, with filter (sAMAccountName=testuser) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[a] returns notfound rlm_ldap: - authorize rlm_ldap: performing user authorization for testuser WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -> (sAMAccountName=testuser) expand: ou=b,dc=***,dc=*** -> ou=b,dc=***,dc=*** rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to *.*.*.*:389, authentication 0 rlm_ldap: bind as cn=***,ou=***,dc=***,dc=***/*** to *.*.*.*:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=b,dc=***,dc=***, with filter (sAMAccountName=testuser) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? rlm_ldap: user testuser authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[b] returns ok rlm_ldap: - authorize rlm_ldap: performing user authorization for testuser WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -> (sAMAccountName=testuser) expand: ou=c,dc=***,dc=*** -> ou=c,dc=***,dc=*** rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to *.*.*.*:389, authentication 0 rlm_ldap: bind as cn=***,ou=***,dc=***,dc=***/*** to *.*.*.*:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=c,dc=***,dc=***, with filter (sAMAccountName=testuser) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[c] returns notfound ++[expiration] returns noop ++[logintime] returns noop rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect (rlm_ldap: User not found): [testuser/testing] (from client PCMCRADIUS2 port 1) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> testuser attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 154 to *.*.*.* port 32856 Waking up in 4.9 seconds. Cleaning up request 0 ID 154 with timestamp +9 Ready to process requests.
Alan DeKok wrote:
Capelle, Mark (PCMC-GB) wrote:
I have an issue since pointing FR to a point higher in my AD tree
(which will return more objects). I get the following error in my FR
logs when I try to authenticate a user:
Fri Feb 22 10:37:14 2008 : Error: rlm_ldap: ldap_search() failed:
Operations error
That's usually do to internal AD redirects, IIRC.
See also doc/rlm_ldap, which talks about "operations error".
Has anyone else encountered this and found a solution? I am fighting
like hell to not install the corporate standard Cisco ACS box at my
site, but if I can?t manage to get this working I may have to finally
cave L.
Ugh. Most sites I hear about are moving away from commercial products to FreeRADIUS.
Alan DeKok.