LDAP and "Ambiguous search result"

Arran Cudbard-Bell a.cudbardb at freeradius.org
Wed Nov 9 16:14:00 CET 2016

> On Nov 9, 2016, at 3:23 AM, Peter Lambrechtsen <peter at crypt.nz> wrote:
> Hi Folks
> I have an interesting question in regards to how best to handle the
> "Ambiguous search result" use case.
> If I have a search that returns two entries I get the error:
> (1) ldap: ERROR: Ambiguous search result, returned 2 unsorted entries
> (should return 1 or 0).  Enable sorting, or specify a more restrictive
> base_dn, filter or scope
> (1) ldap: ERROR: The following entries were returned:
> Which is obvious, but the module returns fail.
> In previous versions the return code was invalid.

Oh, that's weird. I've switched it back to invalid.

> But the second time once all the threads have been closed I get no failure
> message
> rlm_ldap (ldap): 0 of 0 connections in use.  You  may need to increase
> "spare"
> rlm_ldap (ldap): Opening additional connection (5), 1 of 32 pending slots
> used
> rlm_ldap (ldap): Connecting to ldap://
> rlm_ldap (ldap): Bind with cn=FreeRadius,o=Identities to ldap://
> failed: Can't contact LDAP server
> rlm_ldap (ldap): Opening connection failed (5)
> But there isn't anything in the Module fail message to indicate what the
> root cause is.

Because libldap doesn't provide any more info... I'd run tcpdump and see what's actually happening there.

> Thoughts and suggestions on whether the Ambiguous result should be an invalid or a fail.

Should be invalid.

Module-Failure-Message attributes don't get overwritten; multiple instances get added to build an OpenSSL-like error stack.

You can loop over them with foreach.

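As an added illustration of the two points in the reply above (an ambiguous search returning "invalid", and looping over the Module-Failure-Message stack), here is an unlang fragment. It is not from the thread or from the FreeRADIUS distribution; it assumes FreeRADIUS 3.x unlang syntax and a module instance named `ldap`, and the `Reply-Message` copies are just one way to surface the stacked messages.

```unlang
# Added example, assumed FreeRADIUS 3.x syntax: authorize section of a virtual server.
authorize {
    # Run the LDAP lookup.  With the change described above, a search that
    # matches more than one entry returns "invalid"; a connection or bind
    # failure still returns "fail".
    ldap

    if (invalid || fail) {
        # Module-Failure-Message is not overwritten: each failing step adds
        # another instance, oldest first, like an OpenSSL error stack.
        # Walk the whole stack so the root cause is not lost behind the
        # last message added.
        foreach &request:Module-Failure-Message {
            update reply {
                &Reply-Message += "ldap: %{Foreach-Variable-0}"
            }
        }

        # An ambiguous match means the filter, base_dn or scope is too broad
        # to identify a single user; treat it as a reject rather than letting
        # it fall through to later modules.
        reject
    }
}
```

With a filter that matches two entries, the reply carries one `Reply-Message` per stacked failure message (the "Ambiguous search result ..." line and the "The following entries were returned:" line), which is easier to act on in the RADIUS client logs than the bare return code. For the "Can't contact LDAP server" case, libldap does not add detail, so the stacked messages are only as informative as what the module logged; the tcpdump suggestion above still applies there.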