rlm_ldap filter problem

Norbert Wegener nw at sbs.de
Mon Dec 5 13:39:15 CET 2005


When I set my vars to the values below, ldapsearch succeeds:
server="TDE002.mydomain.NET"
identity="testrad at TDE002.mydomain.NET"
password="!QAY2wsx3edc4"
basedn="dc=TDE002,dc=mydomain,dc=NET"
filter="(&(servicePrincipalName=host/26tef001.tde002.mydomain.net)(objectclass=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) 
servicePrincipalName primaryGroupID "

#ldapsearch -LLL  -b "DC=TDE002,dc=mydomain,dc=NET" -s sub $FILTER -x 
$LOGON
ldapsearch -LLL -h $server  -b "$basedn" -s sub $filter -x -D $identity 
-w $password
lnxad:/usr/local/etc/raddb # sh x
dn: 
CN=26TEF001,OU=CAT-Computers,OU=OU16,OU=MchP,DC=tde002,DC=mydomain,DC=net
primaryGroupID: 515
servicePrincipalName: HOST/26TEF001
servicePrincipalName: HOST/26tef001.tde002.mydomain.net

# 
refldap://DomainDnsZones.tde002.mydomain.net/DC=DomainDnsZones,DC=tde002,DC=s
 itest,DC=net

Having the same variables with the same values set on the same machine 
in radiusd.conf:

        ldap ldap1 {
                server = "tde002.mydomain.net"
                identity = "testrad at TDE002.SITEST.NET"
                password = "!QAY2wsx3edc4"
                basedn = "dc=TDE002,dc=SITEST,dc=NET"

filter="(&(servicePrincipalName=host/26tef001.tde002.mydomain.net)(objectclass=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) 
servicePrincipalName primaryGroupID"
                ldap_debug=0xFFFF

                base_filter = "(objectclass=computer)"
                ldap_connections_number = 5
                timeout = 40
                timelimit = 30
                net_timeout = 10
                tls {
                        start_tls = no
                }
                dictionary_mapping = ${raddbdir}/ldap.attrmap
        }
radiusd fails to get the values from the ldap server, claiming "Bad 
search filter":
.....
rlm_ldap: performing user authorization for 
host/26tef001.tde002.mydomain.net
radius_xlat:  
'(&(servicePrincipalName=host/26tef001.tde002.mydomain.net)(objectclass=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) 
servicePrincipalName primaryGroupID'
radius_xlat:  'dc=TDE002,dc=MYDOMAIN,dc=NET'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=TDE002,dc=MYDOMAIN,dc=NET, with filter 
(&(servicePrincipalName=host/26tef001.tde002.mydomain.net)(objectclass=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) 
servicePrincipalName primaryGroupID
ldap_search
put_filter: 
"(&(servicePrincipalName=host/26tef001.tde002.mydomain.net)(objectclass=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) 
servicePrincipalName primaryGroupID"
put_filter: AND
put_filter_list 
"(servicePrincipalName=host/26tef001.tde002.mydomain.net)(objectclass=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
put_filter: "(servicePrincipalName=host/26tef001.tde002.mydomain.net)"
put_filter: simple
put_simple_filter: "servicePrincipalName=host/26tef001.tde002.mydomain.net"
put_filter: "(objectclass=computer)"
put_filter: simple
put_simple_filter: "objectclass=computer"
put_filter: "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
put_filter: NOT
put_filter_list "(userAccountControl:1.2.840.113556.1.4.803:=2)"
put_filter: "(userAccountControl:1.2.840.113556.1.4.803:=2)"
put_filter: simple
put_simple_filter: "userAccountControl:1.2.840.113556.1.4.803:=2"
put_filter: default
put_simple_filter: "servicePrincipalName primaryGroupID"
rlm_ldap: ldap_search() failed: Bad search filter: 
(&(servicePrincipalName=host/26tef001.tde002.mydomain.net)(objectclass=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) 
servicePrincipalName primaryGroupID
ldap_msgfree
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap1" returns fail for request 2
modcall: leaving group authorize (returns fail) for request 2
There was no response configured: rejecting request 2
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 206 with timestamp 43942d52
Sending Access-Reject of id 207 to 222.25.36.124 port 1645

What did I forget to obey?
Thanks
Norbert Wegener
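The debug trace above shows put_filter falling through to `default` on the text left after the last `)`. As an added example, not part of this post or of FreeRADIUS, the Python below parses one RFC 4515 filter and reports any unconsumed trailing text, and shows how an unquoted `$filter` is word-split by sh before ldapsearch ever sees it (shlex.split stands in for sh word splitting); the filter string is constructed from the values quoted in the post.

```python
import shlex

# Constructed from the filter variable shown in the post above.
FILTER_VALUE = ('(&(servicePrincipalName=host/26tef001.tde002.mydomain.net)'
                '(objectclass=computer)'
                '(!(userAccountControl:1.2.840.113556.1.4.803:=2))) '
                'servicePrincipalName primaryGroupID')

def parse_filter(s, i=0):
    """Parse one RFC 4515 filter starting at s[i]; return the index just past its ')'."""
    if i >= len(s) or s[i] != '(':
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in '&|':          # and / or: a list of one or more filters
        i += 1
        n = 0
        while i < len(s) and s[i] == '(':
            i = parse_filter(s, i)
            n += 1
        if n == 0:
            raise ValueError(f"empty filter list at offset {i}")
    elif i < len(s) and s[i] == '!':         # not: exactly one nested filter
        i = parse_filter(s, i + 1)
    else:                                    # simple item: attr[:rule:]=value
        close = s.find(')', i)               # a ')' inside a value must be escaped as \29
        if close < 0:
            raise ValueError(f"unterminated item at offset {i}")
        item = s[i:close]
        if '=' not in item or not item.split('=', 1)[0].rstrip(':~<>'):
            raise ValueError(f"malformed item {item!r}")
        i = close
    if i >= len(s) or s[i] != ')':
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1

def trailing_text(value):
    """Return whatever follows the single filter in value ('' means the whole string is one filter)."""
    t = value.strip()
    return t[parse_filter(t):].strip()

def ldapsearch_argv(value):
    """Split an unquoted $filter into separate arguments, as sh does before exec'ing ldapsearch."""
    return shlex.split(value)

if __name__ == '__main__':
    # The same string: three argv words for ldapsearch, one filter plus leftover text for rlm_ldap.
    print(ldapsearch_argv(FILTER_VALUE))
    print(repr(trailing_text(FILTER_VALUE)))
```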