LDAP Query: Not Found
How can I further troubleshoot what might be the cause for my query against LDAP to return no results? I have verified the following from debugging and testing: [ ... SNIP ... ] # Loaded module rlm_ldap # Instantiating module "ldap" from file /etc/raddb/mods-enabled/ldap ldap { server = "dc01.myDomain.com" port = 3268 password = <<< secret >>> identity = "CN=Free RADIUS,CN=Users,DC=myDomain,DC=com" user { filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" scope = "sub" base_dn = "DC=myDomain,DC=com" access_positive = yes } group { filter = "(objectClass=posixGroup)" scope = "sub" base_dn = "DC=myDomain,DC=com" name_attribute = "cn" membership_attribute = "memberOf" membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))" cacheable_name = no cacheable_dn = no } client { filter = "(objectClass=frClient)" scope = "sub" base_dn = "DC=myDomain,DC=com" attribute { identifier = "radiusClientIdentifier" shortname = "cn" secret = "radiusClientSecret" } } profile { filter = "(&)" } options { ldap_debug = 40 chase_referrals = yes rebind = yes net_timeout = 1 res_timeout = 20 srv_timelimit = 20 idle = 60 probes = 3 interval = 3 } tls { start_tls = no } } rlm_ldap: Falling back to build time libldap version info. Query for LDAP_OPT_API_INFO returned: -1 rlm_ldap: libldap vendor: OpenLDAP version: 20439 accounting { reference = "%{tolower:type.%{Acct-Status-Type}}" } post-auth { reference = "." } rlm_ldap (ldap): Initialising connection pool pool { start = 5 min = 4 max = 32 spare = 3 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 1 spread = no } rlm_ldap (ldap): Opening additional connection (0) rlm_ldap (ldap): Connecting to dc01.myDomain.com:3268 rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (1) rlm_ldap (ldap): Connecting to dc01.myDomain.com:3268 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (2) rlm_ldap (ldap): Connecting to dc01.myDomain.com:3268 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (3) rlm_ldap (ldap): Connecting to dc01.myDomain.com:3268 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (4) rlm_ldap (ldap): Connecting to dc01.myDomain.com:3268 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful } # modules [ ... SNIP ... ] So it appears to be binding to LDAP ok. I am binding on port 3268 to reference the global catalog and search sub-domains. [ ... SNIP ... ] Ready to process requests Received Access-Request Id 32 from 172.18.1.2:1025 to 172.18.2.100:1812 length 66 User-Name = 'spickles' User-Password = '****' NAS-IP-Address = 172.18.1.2 NAS-Port = 32 NAS-Port-Type = Virtual (1) Received Access-Request packet from host 172.18.1.2 port 1025, id=32, length=66 (1) User-Name = 'spickles' (1) User-Password = '****' (1) NAS-IP-Address = 172.18.1.2 (1) NAS-Port = 32 (1) NAS-Port-Type = Virtual (1) # Executing section authorize from file /etc/raddb/sites-enabled/default (1) authorize { (1) [preprocess] = ok (1) rewrite_calling_station_id rewrite_calling_station_id { (1) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) (1) ERROR: Failed retrieving values required to evaluate condition (1) else else { (1) [noop] = noop (1) } # else else = noop (1) } # rewrite_calling_station_id rewrite_calling_station_id = noop (1) eap : No EAP-Message, not doing EAP (1) [eap] = noop (1) [files] = noop rlm_ldap (ldap): Reserved connection (4) (1) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (1) ldap : --> (uid=spickles) (1) ldap : EXPAND DC=myDomain,DC=COM (1) ldap : --> DC=myDomain,DC=COM (1) ldap : Performing search in 'DC=myDomain,DC=COM' with filter '(uid=spickles)', scope 'sub' (1) ldap : Waiting for search result... (1) ldap : Search returned no results rlm_ldap (ldap): Released connection (4) rlm_ldap (ldap): 0 of 1 connections in use. Need more spares rlm_ldap (ldap): Opening additional connection (5) rlm_ldap (ldap): Connecting to rochdc01.myDomain.com:3268 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (1) [ldap] = notfound (1) } # authorize = ok (1) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (1) Failed to authenticate the user (1) Login incorrect (Failed retrieving values required to evaluate condition): [spickles/****] (from client <<client_short_name>> port 32) (1) Using Post-Auth-Type Reject (1) # Executing group from file /etc/raddb/sites-enabled/default (1) Post-Auth-Type REJECT { (1) attr_filter.access_reject : EXPAND %{User-Name} (1) attr_filter.access_reject : --> spickles (1) attr_filter.access_reject : Matched entry DEFAULT at line 11 (1) [attr_filter.access_reject] = updated (1) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure (1) [eap] = noop (1) remove_reply_message_if_eap remove_reply_message_if_eap { (1) if (&reply:EAP-Message && &reply:Reply-Message) (1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (1) else else { (1) [noop] = noop (1) } # else else = noop (1) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (1) } # Post-Auth-Type REJECT = updated (1) Delaying response for 1 seconds Waking up in 0.6 seconds. Waking up in 0.3 seconds. (1) Sending delayed response (1) Sending Access-Reject packet to host 172.18.1.2 port 1025, id=32, length=0 Sending Access-Reject Id 32 from 172.18.2.100:1812 to 172.18.1.2:1025 Waking up in 3.9 seconds. (1) Cleaning up request packet ID 32 with timestamp +189 Ready to process requests [ ... SNIP ... ] Not sure why it didn't find my user. My user is in the standard container (i.e. CN=Users) so I would think that sub would search there and find it? Perhaps that is my problem and either my base is incorrect or my scope is not correct? However, this seems to be correct according to the wiki (modules/Rlm_ldap). A final test with 'ldapsearch' yields similar results with no further information: [ ... SNIP ... ] []# ldapsearch -x -b "DC=myDomain,DC=com" -D "CN=Free RADIUS,CN=Users,DC=myDomain,DC=com" -h myDomain.com -w "<<password>>" "(&(CN=VPN-Internal,OU=VPN,OU=Groups,DC=myDomain,DC=com))" # extended LDIF # # LDAPv3 # base <DC=myDomain,DC=com> with scope subtree # filter: (&(CN=VPN-Internal,OU=VPN,OU=Groups,DC=myDomain,DC=com)) # requesting: ALL #
# search reference ref: ldap://DomainDnsZones.myDomain.com/DC=DomainDnsZones,DC=myDomain, DC=com # search result search: 2
result: 0 Success
# numResponses: 2 # numReferences: 1 [ ... SNIP ... ] The only other thing I can think of is that the user that I'm binding to AD with to read information doesn't have the right permissions? But I would also think that the bind wouldn't be successful in the first place for the module if that were the case? I don't know what direction to take this in next to get more information. I would check the logs but since I'm running the server in debug mode the logs would just be duplicates of what I already have, correct?
You are not getting any results. The same with ldapsearch So use an ldap explorer tool or talk to the ldap/AD expert at your site to get info about the schema. Openlap is uid, AD is usually eg sAMAccountName Once you've got the right tag and paths it'll all work alan
sAMAccountName is what resolved that issue. I am using unlang to have AD check my user's group membership and then I want to use ntlm_auth to authenticate. Almost there, just a bit stuck: Received Access-Request Id 48 from 172.18.1.2:1025 to 172.18.2.100:1812 length 66 User-Name = 'spickles' User-Password = '****' NAS-IP-Address = 172.18.1.2 NAS-Port = 48 NAS-Port-Type = Virtual (0) Received Access-Request packet from host 172.18.1.2 port 1025, id=48, length=66 (0) User-Name = 'spickles' (0) User-Password = '****' (0) NAS-IP-Address = 172.18.1.2 (0) NAS-Port = 48 (0) NAS-Port-Type = Virtual
/etc/raddb/clients.conf configuration points my NAS to the site file 'cisco_asa' via virtual_server = cisco_asa (0) # Executing section authorize from file /etc/raddb/sites-enabled/cisco_asa
(0) authorize { (0) [preprocess] = ok (0) [mschap] = noop (0) [files] = noop rlm_ldap (ldap): Reserved connection (4) (0) ldap : EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) (0) ldap : --> (sAMAccountName=spickles) (0) ldap : EXPAND DC=myDomain,DC=com (0) ldap : --> DC=myDomain,DC=com (0) ldap : Performing search in 'DC=myDomain,DC=com' with filter '(sAMAccountName=spickles)', scope 'sub' (0) ldap : Waiting for search result...
This is good (0) ldap : User object found at DN "CN=Scott Pickles,CN=Users,DC=myDomain,DC=com"
(0) ldap : Processing user attributes
This is expected because I'm just using LDAP to check group membership (0) WARNING: ldap : No "known good" password added. Ensure the admin user has permission to read the password attribute (0) WARNING: ldap : PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (4) (0) [ldap] = ok (0) if (Ldap-Group == "VPN-Internal") (0) Searching for user in group "VPN-Internal" rlm_ldap (ldap): Reserved connection (4) (0) Using user DN from request "CN=Scott Pickles,CN=Users,DC=myDomain,DC=com" (0) Checking for user in group objects (0) EXPAND (&(cn=VPN-Internal)(objectClass=posixGroup)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))) (0) --> (&(cn=VPN-Internal)(objectClass=posixGroup)(|(member=CN\3dScott Pickles\2cCN\3dUsers\2cDC\3dmyDomain\2cDC\3dcom)(memberUid=spickles))) (0) EXPAND DC=myDomain,DC=com (0) --> DC=myDomain,DC=com (0) Performing search in 'DC=myDomain,DC=com' with filter '(&(cn=VPN-Internal)(objectClass=posixGroup)(|(member=CN\3dScott Pickles\2cCN\3dUsers\2cDC\3dmyDomain\2cDC\3dcom)(memberUid=spickles)))', scope 'sub' (0) Waiting for search result...
How come search fails first time (0) Search returned no results (0) Search returned not found
(0) Checking user object membership (memberOf) attributes (0) Performing unfiltered search in 'CN=Scott Pickles,CN=Users,DC=myDomain,DC=com', scope 'base' (0) Waiting for search result... (0) Processing group membership value "CN=VPN-Internal,OU=VPN,OU=Groups,DC=myDomain,DC=com" (0) Converting group DN to group Name (0) Performing unfiltered search in 'CN=VPN-Internal,OU=VPN,OU=Groups,DC=myDomain,DC=com', scope 'base' (0) Waiting for search result...
But works the second time? (0) Group name is "VPN-Internal" (0) User found. Comparison between membership: name (resolved from DN), check: name
rlm_ldap (ldap): Released connection (4) (0) if (Ldap-Group == "VPN-Internal") -> TRUE (0) if (Ldap-Group == "VPN-Internal") { (0) [ok] = ok (0) } # if (Ldap-Group == "VPN-Internal") = ok (0) ... skipping else for request 0: Preceding "if" was taken (0) } # authorize = ok
To fix this, do I add Auth-Type to my unlang statement? (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
server cisco_asa { authorize { preprocess mschap files ldap if(Ldap-Group == "VPN-Internal") { #Setting 'Auth-Type := ntlm_auth' here fails # Loading authorize {...} #/etc/raddb/sites-enabled/cisco_asa[8] Invalid return code assigment inside of a if section #/etc/raddb/sites-enabled/cisco_asa[2]: Errors parsing authorize section. #setting 'ntlm_auth' here doesn't seem to be necessary? ok } else { reject } }
authenticate { Auth-Type PAP { pap }
Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } ntlm_auth } }
This is obviously where it's failing, but authenticate also has ntlm_auth as I thought it should? Seems like I just need to tweak the authorize/authenticate sections? (0) Failed to authenticate the user (0) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [spickles/****] (from client ROCH_FIREWALL port 48) (0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb/sites-enabled/cisco_asa (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject : EXPAND %{User-Name} (0) attr_filter.access_reject : --> spickles (0) attr_filter.access_reject : Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1 seconds Waking up in 0.6 seconds. Waking up in 0.3 seconds. (0) Sending delayed response (0) Sending Access-Reject packet to host 172.18.1.2 port 1025, id=48, length=0 Sending Access-Reject Id 48 from 172.18.2.100:1812 to 172.18.1.2:1025 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 48 with timestamp +7 Ready to process requests On Tuesday, July 28, 2015 12:43 PM, Alan Buxey <A.L.M.Buxey@lboro.ac.uk> wrote: You are not getting any results. The same with ldapsearch So use an ldap explorer tool or talk to the ldap/AD expert at your site to get info about the schema. Openlap is uid, AD is usually eg sAMAccountName Once you've got the right tag and paths it'll all work alan
Hi,
How come search fails first time (0) Search returned no results (0) Search returned not found
different scope
To fix this, do I add Auth-Type to my unlang statement? (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
in version 2 this is one of the times when you would set the Auth-Type...as per some of the docs. in versiojn 3 this is much different...and I would advise that you use version 3 in version 2 you could probably do something like this (after the PAP section in Authorize) if (!control:Auth-Type) { update control { Auth-Type = "ntlm_auth" } } alan
I am using version 3 (3.0.4). I am sending a test from a Cisco ASA. Is it possible that the request doesn't contain an Auth-Type? On Tuesday, July 28, 2015 5:44 PM, "A.L.M.Buxey@lboro.ac.uk" <A.L.M.Buxey@lboro.ac.uk> wrote: Hi,
>>How come search fails first time >>(0) Search returned no results >>(0) Search returned not found
different scope
>>To fix this, do I add Auth-Type to my unlang statement? >>(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
in version 2 this is one of the times when you would set the Auth-Type...as per some of the docs. in versiojn 3 this is much different...and I would advise that you use version 3 in version 2 you could probably do something like this (after the PAP section in Authorize) if (!control:Auth-Type) { update control { Auth-Type = "ntlm_auth" } } alan
Requests don't contain an Auth-Type , that's a freeradius internal control attribute. If you run in debug mode you will see the contents of the radius datagram and for each packet you will see exactly what the radius server does which each packet...what policies and decisions are made and why alan
Ok I'll go back and re-read that. I've been saving all of my debug output and making notes. So it sounds like I need to understand where my config is broken such that the server isn't able to update the control with the appropriate Auth-Type? I'm asking that question because my understanding is that I shouldn't have to? On Wednesday, July 29, 2015 1:15 PM, Alan Buxey <A.L.M.Buxey@lboro.ac.uk> wrote: Requests don't contain an Auth-Type , that's a freeradius internal control attribute. If you run in debug mode you will see the contents of the radius datagram and for each packet you will see exactly what the radius server does which each packet...what policies and decisions are made and why alan
This is what I read in documentation that leads me to believe my previous statement: config/Auth Type | | | | | | | | | config/Auth Type'''Auth-Type''' is an internal check item (i.e. a special RADIUS attribute) that is used to identify the authentication type to be used for a particular user (authentication request). | | | | View on wiki.freeradius.org | Preview by Yahoo | | | | | On Wednesday, July 29, 2015 1:39 PM, Scott Pickles via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote: Ok I'll go back and re-read that. I've been saving all of my debug output and making notes. So it sounds like I need to understand where my config is broken such that the server isn't able to update the control with the appropriate Auth-Type? I'm asking that question because my understanding is that I shouldn't have to? On Wednesday, July 29, 2015 1:15 PM, Alan Buxey <A.L.M.Buxey@lboro.ac.uk> wrote: Requests don't contain an Auth-Type , that's a freeradius internal control attribute. If you run in debug mode you will see the contents of the radius datagram and for each packet you will see exactly what the radius server does which each packet...what policies and decisions are made and why alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
This is what I read in documentation that leads me to believe my previous statement: config/Auth Type
yep. internal item...specific to the server being used. its not in the request. in version 2 you had to usually end up setting it manually for a lot of LDAP installs... hence all the things out there about setting it in users file etc.....in version 3 its all updated and done in different (documented) ways - read the mods-available/ldap file ....look for the part about 'set_auth_type'! :-) alan
Thanks Alan. I did read that and just about everything else I have read indicates that we shouldn't set that? Anyways, I'll give it a try. I have currently started over again because I read a LOT of posts where Alan D. indicates to keep the base configs and ONLY modify what you need. In other words, removing stuff largely results in breaking the server and that is the fault of the end user, not FreeRADIUS :) So I have done this, and right now I'm failing at 'suffix' because there is no realm defined.
(1) suffix : Checking for suffix after "@" (1) suffix : Looking up realm "fujiesystems.com" for User-Name = "spickles@myDomain.com" (1) suffix : No such realm "myDomain.com" (1) [suffix] = noop
That was defined in my proxy.conf in my previous setup, but I'm not proxying (everything will be handled by this server). So do I hardcode realm somewhere, comment out suffix, or put proxying back in because even though things handed off to the same host via virtual servers, etc. at localhost are still considered proxying? In my previous configuration suffix was included but so was proxying. My understanding of proxying is handing the request to another physical/virtual host/different IP address as opposed to localhost. Below are the changes I've made this time around: /etc/raddb/radiusd.conf
# PROXY CONFIGURATION # # proxy_requests: Turns proxying of RADIUS requests on or off. # # The server has proxying turned on by default. If your system is NOT # set up to proxy requests to another server, then you can turn proxying # off here. This will save a small amount of resources on the server.>># # If you have proxying turned off, and your configuration files say # to proxy a request, then an error message will be logged. # # To disable proxying, change the "yes" to "no", and comment the # $INCLUDE line. # # allowed values: {no, yes} # proxy_requests = no #$INCLUDE proxy.conf /etc/raddb/proxy.conf>>proxy server { default_fallback = no }
home_server localhost { type = auth ipaddr = 127.0.0.1 port = 1812 secret = <<secret>> }
realm myDomain.com { type = radius secret = <<secret>> authhost = LOCAL accthost = LOCAL }
realm NULL { }
realm LOCAL { }
On Wednesday, July 29, 2015 3:22 PM, "A.L.M.Buxey@lboro.ac.uk" <A.L.M.Buxey@lboro.ac.uk> wrote: Hi,
This is what I read in documentation that leads me to believe my previous statement: config/Auth Type
yep. internal item...specific to the server being used. its not in the request. in version 2 you had to usually end up setting it manually for a lot of LDAP installs... hence all the things out there about setting it in users file etc.....in version 3 its all updated and done in different (documented) ways - read the mods-available/ldap file ....look for the part about 'set_auth_type'! :-) alan
Add it to proxy.conf realm myDomain.com { } Then the server knows to deal with it. Whether you need to strip the realm or not is up to you But, suffix is not giving you an error. It's reporting things but the result is 'noop' - no operation. ie nothing has changed. alan
Crap - I'm also missing my symbolic link in mods-enabled for ldap. On Wednesday, July 29, 2015 5:47 PM, Alan Buxey <A.L.M.Buxey@lboro.ac.uk> wrote: Add it to proxy.conf realm myDomain.com { } Then the server knows to deal with it. Whether you need to strip the realm or not is up to you But, suffix is not giving you an error. It's reporting things but the result is 'noop' - no operation. ie nothing has changed. alan
From the documentation within the ldap module, I added the following to my default site config: # The ldap module reads passwords from the LDAP database. ldap if(Ldap-Group == "VPN-Internal") { if ((ok || updated) && User-Password) { update { control:Auth-Type := ldap } } } else { reject } ntlm_auth I get the following error: /etc/raddb/sites-enabled/default[386]: Unknown value 'ldap' for attribute 'Auth-Type' /etc/raddb/sites-enabled/default[385]: Failed to parse "update" subsection. /etc/raddb/sites-enabled/default[384]: Failed to parse "if" subsection. /etc/raddb/sites-enabled/default[254]: Errors parsing authorize section. I thought I saw somewhere that I have to add that to the dictionary?
On Tuesday, July 28, 2015 5:44 PM, "A.L.M.Buxey@lboro.ac.uk" <A.L.M.Buxey@lboro.ac.uk> wrote: Hi,
>>How come search fails first time >>(0) Search returned no results >>(0) Search returned not found
different scope
>>To fix this, do I add Auth-Type to my unlang statement? >>(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
in version 2 this is one of the times when you would set the Auth-Type...as per some of the docs. in versiojn 3 this is much different...and I would advise that you use version 3 in version 2 you could probably do something like this (after the PAP section in Authorize) if (!control:Auth-Type) { update control { Auth-Type = "ntlm_auth" } } alan
Doh! Nevermind. Had to uncomment the auth-type declaration for ldap in the authenticate section. On Thursday, July 30, 2015 11:56 AM, Scott Pickles via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote: From the documentation within the ldap module, I added the following to my default site config: # The ldap module reads passwords from the LDAP database. ldap if(Ldap-Group == "VPN-Internal") { if ((ok || updated) && User-Password) { update { control:Auth-Type := ldap } } } else { reject } ntlm_auth I get the following error: /etc/raddb/sites-enabled/default[386]: Unknown value 'ldap' for attribute 'Auth-Type' /etc/raddb/sites-enabled/default[385]: Failed to parse "update" subsection. /etc/raddb/sites-enabled/default[384]: Failed to parse "if" subsection. /etc/raddb/sites-enabled/default[254]: Errors parsing authorize section. I thought I saw somewhere that I have to add that to the dictionary? On Tuesday, July 28, 2015 5:44 PM, "A.L.M.Buxey@lboro.ac.uk" <A.L.M.Buxey@lboro.ac.uk> wrote: Hi,
>>How come search fails first time >>(0) Search returned no results >>(0) Search returned not found
different scope
>>To fix this, do I add Auth-Type to my unlang statement? >>(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
in version 2 this is one of the times when you would set the Auth-Type...as per some of the docs. in versiojn 3 this is much different...and I would advise that you use version 3 in version 2 you could probably do something like this (after the PAP section in Authorize) if (!control:Auth-Type) { update control { Auth-Type = "ntlm_auth" } } alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
Doh! Nevermind. Had to uncomment the auth-type declaration for ldap in the authenticate section.
hey its all good, you are getting there... (rather publically mind...maybe struggle just a little bit longer, looking at eg the debug and having a break each time before posting? :-) ) so....looking good for you? alan
I think I'm good with the LDAP part so I am breaking out of this and continuing with the post: 'ntlm_auth: hex decode of 00 failed' On Thursday, July 30, 2015 1:02 PM, "A.L.M.Buxey@lboro.ac.uk" <A.L.M.Buxey@lboro.ac.uk> wrote: Hi,
Doh! Nevermind. Had to uncomment the auth-type declaration for ldap in the authenticate section.
hey its all good, you are getting there... (rather publically mind...maybe struggle just a little bit longer, looking at eg the debug and having a break each time before posting? :-) ) so....looking good for you? alan
please don’t send email On Jul 29, 2015, at 04:17, Scott Pickles via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
sAMAccountName is what resolved that issue. I am using unlang to have AD check my user's group membership and then I want to use ntlm_auth to authenticate. Almost there, just a bit stuck: Received Access-Request Id 48 from 172.18.1.2:1025 to 172.18.2.100:1812 length 66 User-Name = 'spickles' User-Password = '****' NAS-IP-Address = 172.18.1.2 NAS-Port = 48 NAS-Port-Type = Virtual (0) Received Access-Request packet from host 172.18.1.2 port 1025, id=48, length=66 (0) User-Name = 'spickles' (0) User-Password = '****' (0) NAS-IP-Address = 172.18.1.2 (0) NAS-Port = 48 (0) NAS-Port-Type = Virtual
/etc/raddb/clients.conf configuration points my NAS to the site file 'cisco_asa' via virtual_server = cisco_asa (0) # Executing section authorize from file /etc/raddb/sites-enabled/cisco_asa
(0) authorize { (0) [preprocess] = ok (0) [mschap] = noop (0) [files] = noop rlm_ldap (ldap): Reserved connection (4) (0) ldap : EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) (0) ldap : --> (sAMAccountName=spickles) (0) ldap : EXPAND DC=myDomain,DC=com (0) ldap : --> DC=myDomain,DC=com (0) ldap : Performing search in 'DC=myDomain,DC=com' with filter '(sAMAccountName=spickles)', scope 'sub' (0) ldap : Waiting for search result...
This is good (0) ldap : User object found at DN "CN=Scott Pickles,CN=Users,DC=myDomain,DC=com"
(0) ldap : Processing user attributes
This is expected because I'm just using LDAP to check group membership (0) WARNING: ldap : No "known good" password added. Ensure the admin user has permission to read the password attribute (0) WARNING: ldap : PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (4) (0) [ldap] = ok (0) if (Ldap-Group == "VPN-Internal") (0) Searching for user in group "VPN-Internal" rlm_ldap (ldap): Reserved connection (4) (0) Using user DN from request "CN=Scott Pickles,CN=Users,DC=myDomain,DC=com" (0) Checking for user in group objects (0) EXPAND (&(cn=VPN-Internal)(objectClass=posixGroup)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))) (0) --> (&(cn=VPN-Internal)(objectClass=posixGroup)(|(member=CN\3dScott Pickles\2cCN\3dUsers\2cDC\3dmyDomain\2cDC\3dcom)(memberUid=spickles))) (0) EXPAND DC=myDomain,DC=com (0) --> DC=myDomain,DC=com (0) Performing search in 'DC=myDomain,DC=com' with filter '(&(cn=VPN-Internal)(objectClass=posixGroup)(|(member=CN\3dScott Pickles\2cCN\3dUsers\2cDC\3dmyDomain\2cDC\3dcom)(memberUid=spickles)))', scope 'sub' (0) Waiting for search result...
How come search fails first time (0) Search returned no results (0) Search returned not found
(0) Checking user object membership (memberOf) attributes (0) Performing unfiltered search in 'CN=Scott Pickles,CN=Users,DC=myDomain,DC=com', scope 'base' (0) Waiting for search result... (0) Processing group membership value "CN=VPN-Internal,OU=VPN,OU=Groups,DC=myDomain,DC=com" (0) Converting group DN to group Name (0) Performing unfiltered search in 'CN=VPN-Internal,OU=VPN,OU=Groups,DC=myDomain,DC=com', scope 'base' (0) Waiting for search result...
But works the second time? (0) Group name is "VPN-Internal" (0) User found. Comparison between membership: name (resolved from DN), check: name
rlm_ldap (ldap): Released connection (4) (0) if (Ldap-Group == "VPN-Internal") -> TRUE (0) if (Ldap-Group == "VPN-Internal") { (0) [ok] = ok (0) } # if (Ldap-Group == "VPN-Internal") = ok (0) ... skipping else for request 0: Preceding "if" was taken (0) } # authorize = ok
To fix this, do I add Auth-Type to my unlang statement? (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
server cisco_asa { authorize { preprocess mschap files ldap if(Ldap-Group == "VPN-Internal") { #Setting 'Auth-Type := ntlm_auth' here fails # Loading authorize {...} #/etc/raddb/sites-enabled/cisco_asa[8] Invalid return code assigment inside of a if section #/etc/raddb/sites-enabled/cisco_asa[2]: Errors parsing authorize section. #setting 'ntlm_auth' here doesn't seem to be necessary? ok } else { reject } }
authenticate { Auth-Type PAP { pap }
Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } ntlm_auth } }
This is obviously where it's failing, but authenticate also has ntlm_auth as I thought it should? Seems like I just need to tweak the authorize/authenticate sections? (0) Failed to authenticate the user (0) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [spickles/****] (from client ROCH_FIREWALL port 48) (0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb/sites-enabled/cisco_asa (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject : EXPAND %{User-Name} (0) attr_filter.access_reject : --> spickles (0) attr_filter.access_reject : Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1 seconds Waking up in 0.6 seconds. Waking up in 0.3 seconds. (0) Sending delayed response (0) Sending Access-Reject packet to host 172.18.1.2 port 1025, id=48, length=0 Sending Access-Reject Id 48 from 172.18.2.100:1812 to 172.18.1.2:1025 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 48 with timestamp +7 Ready to process requests
On Tuesday, July 28, 2015 12:43 PM, Alan Buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
You are not getting any results. The same with ldapsearch
So use an ldap explorer tool or talk to the ldap/AD expert at your site to get info about the schema. Openlap is uid, AD is usually eg sAMAccountName
Once you've got the right tag and paths it'll all work
alan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
What did you get if you use ldapsearch to query ldap from command line? Did you get anything return? Yu -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+ywang10=fsu.edu@lists.freeradius.org] On Behalf Of Scott Pickles via Freeradius-Users Sent: Tuesday, July 28, 2015 12:25 PM To: FreeRadius Users Mailing List Subject: LDAP Query: Not Found How can I further troubleshoot what might be the cause for my query against LDAP to return no results? I have verified the following from debugging and testing: [ ... SNIP ... ] # Loaded module rlm_ldap # Instantiating module "ldap" from file /etc/raddb/mods-enabled/ldap ldap { server = "dc01.myDomain.com" port = 3268 password = <<< secret >>> identity = "CN=Free RADIUS,CN=Users,DC=myDomain,DC=com" user { filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" scope = "sub" base_dn = "DC=myDomain,DC=com" access_positive = yes } group { filter = "(objectClass=posixGroup)" scope = "sub" base_dn = "DC=myDomain,DC=com" name_attribute = "cn" membership_attribute = "memberOf" membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))" cacheable_name = no cacheable_dn = no } client { filter = "(objectClass=frClient)" scope = "sub" base_dn = "DC=myDomain,DC=com" attribute { identifier = "radiusClientIdentifier" shortname = "cn" secret = "radiusClientSecret" } } profile { filter = "(&)" } options { ldap_debug = 40 chase_referrals = yes rebind = yes net_timeout = 1 res_timeout = 20 srv_timelimit = 20 idle = 60 probes = 3 interval = 3 } tls { start_tls = no } } rlm_ldap: Falling back to build time libldap version info. Query for LDAP_OPT_API_INFO returned: -1 rlm_ldap: libldap vendor: OpenLDAP version: 20439 accounting { reference = "%{tolower:type.%{Acct-Status-Type}}" } post-auth { reference = "." } rlm_ldap (ldap): Initialising connection pool pool { start = 5 min = 4 max = 32 spare = 3 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 1 spread = no } rlm_ldap (ldap): Opening additional connection (0) rlm_ldap (ldap): Connecting to dc01.myDomain.com:3268 rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (1) rlm_ldap (ldap): Connecting to dc01.myDomain.com:3268 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (2) rlm_ldap (ldap): Connecting to dc01.myDomain.com:3268 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (3) rlm_ldap (ldap): Connecting to dc01.myDomain.com:3268 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (4) rlm_ldap (ldap): Connecting to dc01.myDomain.com:3268 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful } # modules [ ... SNIP ... ] So it appears to be binding to LDAP ok. I am binding on port 3268 to reference the global catalog and search sub-domains. [ ... SNIP ... ] Ready to process requests Received Access-Request Id 32 from 172.18.1.2:1025 to 172.18.2.100:1812 length 66 User-Name = 'spickles' User-Password = '****' NAS-IP-Address = 172.18.1.2 NAS-Port = 32 NAS-Port-Type = Virtual (1) Received Access-Request packet from host 172.18.1.2 port 1025, id=32, length=66 (1) User-Name = 'spickles' (1) User-Password = '****' (1) NAS-IP-Address = 172.18.1.2 (1) NAS-Port = 32 (1) NAS-Port-Type = Virtual (1) # Executing section authorize from file /etc/raddb/sites-enabled/default (1) authorize { (1) [preprocess] = ok (1) rewrite_calling_station_id rewrite_calling_station_id { (1) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) (1) ERROR: Failed retrieving values required to evaluate condition (1) else else { (1) [noop] = noop (1) } # else else = noop (1) } # rewrite_calling_station_id rewrite_calling_station_id = noop (1) eap : No EAP-Message, not doing EAP (1) [eap] = noop (1) [files] = noop rlm_ldap (ldap): Reserved connection (4) (1) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (1) ldap : --> (uid=spickles) (1) ldap : EXPAND DC=myDomain,DC=COM (1) ldap : --> DC=myDomain,DC=COM (1) ldap : Performing search in 'DC=myDomain,DC=COM' with filter '(uid=spickles)', scope 'sub' (1) ldap : Waiting for search result... (1) ldap : Search returned no results rlm_ldap (ldap): Released connection (4) rlm_ldap (ldap): 0 of 1 connections in use. Need more spares rlm_ldap (ldap): Opening additional connection (5) rlm_ldap (ldap): Connecting to rochdc01.myDomain.com:3268 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (1) [ldap] = notfound (1) } # authorize = ok (1) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (1) Failed to authenticate the user (1) Login incorrect (Failed retrieving values required to evaluate condition): [spickles/****] (from client <<client_short_name>> port 32) (1) Using Post-Auth-Type Reject (1) # Executing group from file /etc/raddb/sites-enabled/default (1) Post-Auth-Type REJECT { (1) attr_filter.access_reject : EXPAND %{User-Name} (1) attr_filter.access_reject : --> spickles (1) attr_filter.access_reject : Matched entry DEFAULT at line 11 (1) [attr_filter.access_reject] = updated (1) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure (1) [eap] = noop (1) remove_reply_message_if_eap remove_reply_message_if_eap { (1) if (&reply:EAP-Message && &reply:Reply-Message) (1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (1) else else { (1) [noop] = noop (1) } # else else = noop (1) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (1) } # Post-Auth-Type REJECT = updated (1) Delaying response for 1 seconds Waking up in 0.6 seconds. Waking up in 0.3 seconds. (1) Sending delayed response (1) Sending Access-Reject packet to host 172.18.1.2 port 1025, id=32, length=0 Sending Access-Reject Id 32 from 172.18.2.100:1812 to 172.18.1.2:1025 Waking up in 3.9 seconds. (1) Cleaning up request packet ID 32 with timestamp +189 Ready to process requests [ ... SNIP ... ] Not sure why it didn't find my user. My user is in the standard container (i.e. CN=Users) so I would think that sub would search there and find it? Perhaps that is my problem and either my base is incorrect or my scope is not correct? However, this seems to be correct according to the wiki (modules/Rlm_ldap). A final test with 'ldapsearch' yields similar results with no further information: [ ... SNIP ... ] []# ldapsearch -x -b "DC=myDomain,DC=com" -D "CN=Free RADIUS,CN=Users,DC=myDomain,DC=com" -h myDomain.com -w "<<password>>" "(&(CN=VPN-Internal,OU=VPN,OU=Groups,DC=myDomain,DC=com))" # extended LDIF # # LDAPv3 # base <DC=myDomain,DC=com> with scope subtree # filter: (&(CN=VPN-Internal,OU=VPN,OU=Groups,DC=myDomain,DC=com)) # requesting: ALL #
# search reference ref: ldap://DomainDnsZones.myDomain.com/DC=DomainDnsZones,DC=myDomain, DC=com # search result search: 2
result: 0 Success
# numResponses: 2 # numReferences: 1 [ ... SNIP ... ] The only other thing I can think of is that the user that I'm binding to AD with to read information doesn't have the right permissions? But I would also think that the bind wouldn't be successful in the first place for the module if that were the case? I don't know what direction to take this in next to get more information. I would check the logs but since I'm running the server in debug mode the logs would just be duplicates of what I already have, correct? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Never mind. Saw your ldapsearch return 0 success. I would concentrate on ldap query to right OU, permissions (read permission is enough), etc.
# search result search: 2
result: 0 Success
Yu -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+ywang10=fsu.edu@lists.freeradius.org] On Behalf Of Scott Pickles via Freeradius-Users Sent: Tuesday, July 28, 2015 12:25 PM To: FreeRadius Users Mailing List Subject: LDAP Query: Not Found How can I further troubleshoot what might be the cause for my query against LDAP to return no results? I have verified the following from debugging and testing: [ ... SNIP ... ] # Loaded module rlm_ldap # Instantiating module "ldap" from file /etc/raddb/mods-enabled/ldap ldap { server = "dc01.myDomain.com" port = 3268 password = <<< secret >>> identity = "CN=Free RADIUS,CN=Users,DC=myDomain,DC=com" user { filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" scope = "sub" base_dn = "DC=myDomain,DC=com" access_positive = yes } group { filter = "(objectClass=posixGroup)" scope = "sub" base_dn = "DC=myDomain,DC=com" name_attribute = "cn" membership_attribute = "memberOf" membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))" cacheable_name = no cacheable_dn = no } client { filter = "(objectClass=frClient)" scope = "sub" base_dn = "DC=myDomain,DC=com" attribute { identifier = "radiusClientIdentifier" shortname = "cn" secret = "radiusClientSecret" } } profile { filter = "(&)" } options { ldap_debug = 40 chase_referrals = yes rebind = yes net_timeout = 1 res_timeout = 20 srv_timelimit = 20 idle = 60 probes = 3 interval = 3 } tls { start_tls = no } } rlm_ldap: Falling back to build time libldap version info. Query for LDAP_OPT_API_INFO returned: -1 rlm_ldap: libldap vendor: OpenLDAP version: 20439 accounting { reference = "%{tolower:type.%{Acct-Status-Type}}" } post-auth { reference = "." } rlm_ldap (ldap): Initialising connection pool pool { start = 5 min = 4 max = 32 spare = 3 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 1 spread = no } rlm_ldap (ldap): Opening additional connection (0) rlm_ldap (ldap): Connecting to dc01.myDomain.com:3268 rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (1) rlm_ldap (ldap): Connecting to dc01.myDomain.com:3268 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (2) rlm_ldap (ldap): Connecting to dc01.myDomain.com:3268 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (3) rlm_ldap (ldap): Connecting to dc01.myDomain.com:3268 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (4) rlm_ldap (ldap): Connecting to dc01.myDomain.com:3268 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful } # modules [ ... SNIP ... ] So it appears to be binding to LDAP ok. I am binding on port 3268 to reference the global catalog and search sub-domains. [ ... SNIP ... ] Ready to process requests Received Access-Request Id 32 from 172.18.1.2:1025 to 172.18.2.100:1812 length 66 User-Name = 'spickles' User-Password = '****' NAS-IP-Address = 172.18.1.2 NAS-Port = 32 NAS-Port-Type = Virtual (1) Received Access-Request packet from host 172.18.1.2 port 1025, id=32, length=66 (1) User-Name = 'spickles' (1) User-Password = '****' (1) NAS-IP-Address = 172.18.1.2 (1) NAS-Port = 32 (1) NAS-Port-Type = Virtual (1) # Executing section authorize from file /etc/raddb/sites-enabled/default (1) authorize { (1) [preprocess] = ok (1) rewrite_calling_station_id rewrite_calling_station_id { (1) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) (1) ERROR: Failed retrieving values required to evaluate condition (1) else else { (1) [noop] = noop (1) } # else else = noop (1) } # rewrite_calling_station_id rewrite_calling_station_id = noop (1) eap : No EAP-Message, not doing EAP (1) [eap] = noop (1) [files] = noop rlm_ldap (ldap): Reserved connection (4) (1) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (1) ldap : --> (uid=spickles) (1) ldap : EXPAND DC=myDomain,DC=COM (1) ldap : --> DC=myDomain,DC=COM (1) ldap : Performing search in 'DC=myDomain,DC=COM' with filter '(uid=spickles)', scope 'sub' (1) ldap : Waiting for search result... (1) ldap : Search returned no results rlm_ldap (ldap): Released connection (4) rlm_ldap (ldap): 0 of 1 connections in use. Need more spares rlm_ldap (ldap): Opening additional connection (5) rlm_ldap (ldap): Connecting to rochdc01.myDomain.com:3268 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (1) [ldap] = notfound (1) } # authorize = ok (1) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (1) Failed to authenticate the user (1) Login incorrect (Failed retrieving values required to evaluate condition): [spickles/****] (from client <<client_short_name>> port 32) (1) Using Post-Auth-Type Reject (1) # Executing group from file /etc/raddb/sites-enabled/default (1) Post-Auth-Type REJECT { (1) attr_filter.access_reject : EXPAND %{User-Name} (1) attr_filter.access_reject : --> spickles (1) attr_filter.access_reject : Matched entry DEFAULT at line 11 (1) [attr_filter.access_reject] = updated (1) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure (1) [eap] = noop (1) remove_reply_message_if_eap remove_reply_message_if_eap { (1) if (&reply:EAP-Message && &reply:Reply-Message) (1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (1) else else { (1) [noop] = noop (1) } # else else = noop (1) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (1) } # Post-Auth-Type REJECT = updated (1) Delaying response for 1 seconds Waking up in 0.6 seconds. Waking up in 0.3 seconds. (1) Sending delayed response (1) Sending Access-Reject packet to host 172.18.1.2 port 1025, id=32, length=0 Sending Access-Reject Id 32 from 172.18.2.100:1812 to 172.18.1.2:1025 Waking up in 3.9 seconds. (1) Cleaning up request packet ID 32 with timestamp +189 Ready to process requests [ ... SNIP ... ] Not sure why it didn't find my user. My user is in the standard container (i.e. CN=Users) so I would think that sub would search there and find it? Perhaps that is my problem and either my base is incorrect or my scope is not correct? However, this seems to be correct according to the wiki (modules/Rlm_ldap). A final test with 'ldapsearch' yields similar results with no further information: [ ... SNIP ... ] []# ldapsearch -x -b "DC=myDomain,DC=com" -D "CN=Free RADIUS,CN=Users,DC=myDomain,DC=com" -h myDomain.com -w "<<password>>" "(&(CN=VPN-Internal,OU=VPN,OU=Groups,DC=myDomain,DC=com))" # extended LDIF # # LDAPv3 # base <DC=myDomain,DC=com> with scope subtree # filter: (&(CN=VPN-Internal,OU=VPN,OU=Groups,DC=myDomain,DC=com)) # requesting: ALL #
# search reference ref: ldap://DomainDnsZones.myDomain.com/DC=DomainDnsZones,DC=myDomain, DC=com # search result search: 2
result: 0 Success
# numResponses: 2 # numReferences: 1 [ ... SNIP ... ] The only other thing I can think of is that the user that I'm binding to AD with to read information doesn't have the right permissions? But I would also think that the bind wouldn't be successful in the first place for the module if that were the case? I don't know what direction to take this in next to get more information. I would check the logs but since I'm running the server in debug mode the logs would just be duplicates of what I already have, correct? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
Alan Buxey -
Scott Pickles -
Song Zou -
Wang, Yu