rlm_ldap: ldap_search() failed: Bad search filter:
I am still trying to let freeradius query AD, but not yet too successfull. Using the following vars with ldapsearch, gives me the desired result, as shown below, but fails with rlm_ldap. ########################################## server="mchm967a.tww006.sitest.net " port=3268 identity="testrad@TDE002.SITEST.NET " mypass="mypass" basedn="dc=TDE002,dc=SITEST,dc=NET" filter="(&(sAMAccountName=28TEF003$)(objectclass=computer)) sAMAccountName userAccountControl" ######################################### ldapsearch -x -h $server -p $port -b $basedn $filter -D $identity -w $mypass -x # extended LDIF # # LDAPv3 # base <dc=TDE002,dc=SITEST,dc=NET> with scope sub # filter: (&(sAMAccountName=28TEF003$)(objectclass=computer)) # requesting: sAMAccountName userAccountControl # # 28TEF003, CAT-Computers, OU16, MchP, tde002.sitest.net dn: CN=28TEF003,OU=CAT-Computers,OU=OU16,OU=MchP,DC=tde002,DC=sitest,DC=net userAccountControl: 4096 sAMAccountName: 28TEF003$ # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 ################################################## So far, so good. When I take the same vars in radiusd.conf, I get: rlm_ldap: ldap_search() failed: Bad search filter radiusd.conf: ldap ldap1 { server="mchm967a.tww006.sitest.net " port=3268 identity="testrad@TDE002.SITEST.NET " mypass="mypass" basedn="dc=TDE002,dc=SITEST,dc=NET" filter="(&(sAMAccountName=28TEF003$)(objectclass=computer)) sAMAccountName userAccountControl" ldap_debug= 0xFFFF ldap_connections_number = 5 timeout = 40 timelimit = 30 net_timeout = 10 tls { } dictionary_mapping = ${raddbdir}/ldap.attrmap } rlm_ldap: Bind was successful^M rlm_ldap: performing search in dc=TDE002,dc=SITEST,dc=NET, with filter (&(sAMAccountName=28TEF003$)(objectclass=computer)) sAMAccountName userAccountControl^M ldap_search^M put_filter: "(&(sAMAccountName=28TEF003$)(objectclass=computer)) sAMAccountName userAccountControl"^M put_filter: AND^M put_filter_list "(sAMAccountName=28TEF003$)(objectclass=computer)"^M put_filter: "(sAMAccountName=28TEF003$)"^M put_filter: simple^M put_simple_filter: "sAMAccountName=28TEF003$"^M put_filter: "(objectclass=computer)"^M put_filter: simple^M put_simple_filter: "objectclass=computer"^M put_filter: default^M put_simple_filter: "sAMAccountName userAccountControl"^M rlm_ldap: ldap_search() failed: Bad search filter: (&(sAMAccountName=28TEF003$)(objectclass=computer)) sAMAccountName userAccountControl^M ldap_msgfree^M rlm_ldap: search failed^M What am I doing wrong? Thanks Norbert Wegener
Norbert Wegener wrote:
When I take the same vars in radiusd.conf, I get: rlm_ldap: ldap_search() failed: Bad search filter radiusd.conf:
ldap ldap1 { server="mchm967a.tww006.sitest.net " port=3268 identity="testrad@TDE002.SITEST.NET " mypass="mypass" basedn="dc=TDE002,dc=SITEST,dc=NET" filter="(&(sAMAccountName=28TEF003$)(objectclass=computer)) sAMAccountName userAccountControl"
I don't think you can append a list of attributes to the filter. (like in ldap_search) -- Nicolas Baradakis
Nicolas Baradakis wrote:
Norbert Wegener wrote:
When I take the same vars in radiusd.conf, I get: rlm_ldap: ldap_search() failed: Bad search filter radiusd.conf:
ldap ldap1 { server="mchm967a.tww006.sitest.net " port=3268 identity="testrad@TDE002.SITEST.NET " mypass="mypass" basedn="dc=TDE002,dc=SITEST,dc=NET" filter="(&(sAMAccountName=28TEF003$)(objectclass=computer)) sAMAccountName userAccountControl"
I don't think you can append a list of attributes to the filter. (like in ldap_search)
Thank you, that has obviously been a difference between ldapsearch and rlm_ldap. Now I get the information from AD also via radius. Nevertheless, there is another point: The server above is a global catalogue server. When asking the domain server directly, this again works with the following parameters using ldapsearch: server="tde002.sitest.net" port=389 identity="testrad@TDE002.SITEST.NET" passwd="mypasswd" #basedn = "dc=SITEST,dc=NET" basedn="dc=tde002,dc=SITEST,dc=NET" filter="(&(sAMAccountName=28tef003*)(objectclass=computer)) " The same parameters within radiusd.conf gives me: among other Bind was successful: ... rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to tde002.sitest.net:389, authentication 0 rlm_ldap: bind as testrad@TDE002.SITEST.NET/ to tde002.sitest.net:389 ldap_bind ldap_simple_bind ldap_sasl_bind ldap_send_initial_request ldap_new_connection ... rlm_ldap: waiting for bind result ... ldap_result msgid 1 ...... ldap_chkResponseList for msgid=1, all=1 ldap_chkResponseList returns NULL ldap_int_select ldap_read: message type bind msgid 1, original id 1 ... ldap_free_request (origid 1, msgid 1) ldap_free_connection ldap_free_connection: refcnt 1 ldap_parse_result ldap_msgfree rlm_ldap: Bind was successful So far, so good, but later I get: ..... read1msg: V2 referral chased, mark request completed, id = 3^M new result: res_errno: 1, res_error: <00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece>, res_matched: <>^M read1msg: 0 new referrals^M read1msg: mark request completed, id = 3^M merged parent (id 2) error info: result errno 1, error <00000000: LdapErr: DSID-0C090627, comment: In order to perfo rm this operation a successful bind must be completed on the connection., data 0, vece>, matched <>^M request 2 done^M res_errno: 1, res_error: <00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece>, res_matched: <>^M .... The complete output is lengthy and therefore not part of this mail. It can be found at http://www.wegener-net.de/fr together with radiusd.conf. Any hint would be appreciated. Norbert Wegener
Norbert Wegener <nw@sbs.de> wrote:
So far, so good, but later I get: ..... read1msg: V2 referral chased, mark request completed, id = 3^M new result: res_errno: 1, res_error: <00000000: LdapErr: DSID-0C090627,
Ah, yes. There's a bug in bugzilla about using anonymous bind to chase referrals for AD. The patch there may help. Or, update your query so that the referral chasing doesn't happen between AD domains. i.e. qualify it more, like adding "ou=users", or something. Alan DeKok.
Alan DeKok wrote:
Norbert Wegener <nw@sbs.de> wrote:
So far, so good, but later I get: ..... read1msg: V2 referral chased, mark request completed, id = 3^M new result: res_errno: 1, res_error: <00000000: LdapErr: DSID-0C090627,
Ah, yes. There's a bug in bugzilla about using anonymous bind to chase referrals for AD. The patch there may help.
Thank you, but unfortunately the patch mentioned there ( http://users.ntua.gr/tmp.tmp/rlm_ldap.patch ) does not apply to the actual sources anymore :-(. Norbert Wegener
Or, update your query so that the referral chasing doesn't happen between AD domains. i.e. qualify it more, like adding "ou=users", or something.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Nicolas Baradakis -
Norbert Wegener