LDAP and "Ambiguous search result"
a.cudbardb at freeradius.org
Wed Nov 9 16:14:00 CET 2016
> On Nov 9, 2016, at 3:23 AM, Peter Lambrechtsen <peter at crypt.nz> wrote:
> Hi Folks
> I have an interesting question in regards to how best to handle the
> "Ambiguous search result" use case.
> If I have a search and it returns two entries I get the error:
> (1) ldap: ERROR: Ambiguous search result, returned 2 unsorted entries
> (should return 1 or 0). Enable sorting, or specify a more restrictive
> base_dn, filter or scope
> (1) ldap: ERROR: The following entries were returned:
> Which is obvious, but the module returns fail.
> In previous versions the return code was invalid.
Oh, that's weird. I've switched it back to invalid.
> But the second time once all the threads have been closed I get no failure
> rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase
> rlm_ldap (ldap): Opening additional connection (5), 1 of 32 pending slots
> rlm_ldap (ldap): Connecting to ldap://127.0.0.1:389
> rlm_ldap (ldap): Bind with cn=FreeRadius,o=Identities to ldap://127.0.0.1:389 failed: Can't contact LDAP server
> rlm_ldap (ldap): Opening connection failed (5)
> But there isn't anything in the Module fail message to indicate what the
> root cause is.
Because libldap doesn't provide any more info... I'd run tcpdump and see what's actually happening there.
> Thoughts and suggestions on if the Ambiguous should be an invalid or fail.
Should be invalid.
Module-Failure-Message attributes don't get overwritten; multiple instances get added to build an OpenSSL-like error stack.
You can loop over them with foreach.
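The `foreach` loop mentioned in the reply above, sketched as an added example that is not part of the original thread. It assumes FreeRADIUS v3-style unlang (`%{Foreach-Variable-0}`), an LDAP module instance named `ldap`, and that copying the messages into `Reply-Message` is acceptable in a test setup.

```unlang
authorize {
    # Assumption: the LDAP module instance is called "ldap".
    # Lower the priority of "invalid" and "fail" so the section keeps
    # running instead of returning immediately, which lets the policy
    # below inspect the error stack.
    ldap {
        invalid = 1
        fail = 1
    }

    if (invalid || fail) {
        # Each error adds one more Module-Failure-Message instance
        # rather than overwriting the previous one, so walk them all.
        foreach &Module-Failure-Message {
            update reply {
                # Test setups only: in production, write the message to
                # a log module instead of returning directory errors
                # to the client.
                Reply-Message += "%{Foreach-Variable-0}"
            }
        }
        reject
    }
}
```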