rlm_ldap filter problem
Brian A. Seklecki
lavalamp at spiritual-machines.org
Wed Dec 21 21:26:21 CET 2005
Try to escape the "/" with "\". I doubt it...but...you've got some
non-standard characters in there.
~BAS
On Mon, 5 Dec 2005, Norbert Wegener wrote:
> When I set my vars to the values below, ldapsearch succeeds:
> server="TDE002.mydomain.NET"
> identity="testrad at TDE002.mydomain.NET"
> password="!QAY2wsx3edc4"
> basedn="dc=TDE002,dc=mydomain,dc=NET"
> filter="(&(servicePrincipalName=host/26tef001.tde002.mydomain.net)(objectclass=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) servicePrincipalName primaryGroupID "
>
> #ldapsearch -LLL -b "DC=TDE002,dc=mydomain,dc=NET" -s sub $FILTER -x $LOGON
>
> ldapsearch -LLL -h $server -b "$basedn" -s sub $filter -x -D $identity -w $password
> lnxad:/usr/local/etc/raddb # sh x
> dn: CN=26TEF001,OU=CAT-Computers,OU=OU16,OU=MchP,DC=tde002,DC=mydomain,DC=net
> primaryGroupID: 515
> servicePrincipalName: HOST/26TEF001
> servicePrincipalName: HOST/26tef001.tde002.mydomain.net
>
> # refldap://DomainDnsZones.tde002.mydomain.net/DC=DomainDnsZones,DC=tde002,DC=sitest,DC=net
>
> Having the same variables with the same values set on the same machine in
> radiusd.conf:
>
> ldap ldap1 {
> server = "tde002.mydomain.net"
> identity = "testrad at TDE002.SITEST.NET"
> password = "!QAY2wsx3edc4"
> basedn = "dc=TDE002,dc=SITEST,dc=NET"
>
> filter="(&(servicePrincipalName=host/26tef001.tde002.mydomain.net)(objectclass=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) servicePrincipalName primaryGroupID"
> ldap_debug=0xFFFF
>
> base_filter = "(objectclass=computer)"
> ldap_connections_number = 5
> timeout = 40
> timelimit = 30
> net_timeout = 10
> tls {
> start_tls = no
> }
> dictionary_mapping = ${raddbdir}/ldap.attrmap
> }
> radiusd fails to get the values from the ldap server, claiming "Bad search
> filter":
> .....
> rlm_ldap: performing user authorization for host/26tef001.tde002.mydomain.net
> radius_xlat: '(&(servicePrincipalName=host/26tef001.tde002.mydomain.net)(objectclass=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) servicePrincipalName primaryGroupID'
> radius_xlat: 'dc=TDE002,dc=MYDOMAIN,dc=NET'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=TDE002,dc=MYDOMAIN,dc=NET, with filter (&(servicePrincipalName=host/26tef001.tde002.mydomain.net)(objectclass=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) servicePrincipalName primaryGroupID
> ldap_search
> put_filter: "(&(servicePrincipalName=host/26tef001.tde002.mydomain.net)(objectclass=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) servicePrincipalName primaryGroupID"
> put_filter: AND
> put_filter_list "(servicePrincipalName=host/26tef001.tde002.mydomain.net)(objectclass=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
> put_filter: "(servicePrincipalName=host/26tef001.tde002.mydomain.net)"
> put_filter: simple
> put_simple_filter: "servicePrincipalName=host/26tef001.tde002.mydomain.net"
> put_filter: "(objectclass=computer)"
> put_filter: simple
> put_simple_filter: "objectclass=computer"
> put_filter: "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
> put_filter: NOT
> put_filter_list "(userAccountControl:1.2.840.113556.1.4.803:=2)"
> put_filter: "(userAccountControl:1.2.840.113556.1.4.803:=2)"
> put_filter: simple
> put_simple_filter: "userAccountControl:1.2.840.113556.1.4.803:=2"
> put_filter: default
> put_simple_filter: "servicePrincipalName primaryGroupID"
> rlm_ldap: ldap_search() failed: Bad search filter: (&(servicePrincipalName=host/26tef001.tde002.mydomain.net)(objectclass=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) servicePrincipalName primaryGroupID
> ldap_msgfree
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap1" returns fail for request 2
> modcall: leaving group authorize (returns fail) for request 2
> There was no response configured: rejecting request 2
> Delaying request 2 for 1 seconds
> Finished request 2
> Going to the next request
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Cleaning up request 1 ID 206 with timestamp 43942d52
> Sending Access-Reject of id 207 to 222.25.36.124 port 1645
>
> What did I forget to obey?
> Thanks
> Norbert Wegener
l8*
-lava
x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
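In the quoted debug output the library's put_filter walks the three parenthesised terms successfully, then hits the text after the outermost closing parenthesis (put_filter: default / put_simple_filter: "servicePrincipalName primaryGroupID") and returns "Bad search filter"; on the ldapsearch command line the unquoted $filter is split by the shell, so the same string is a filter plus an attribute list there but a single filter string in radiusd.conf. The following is an added example, not code from this thread, from FreeRADIUS or from OpenLDAP: a small RFC 4515 filter checker in Python that parses a filter string before it is handed to an LDAP client and reports the offset of the first thing it cannot accept, together with the value escaper showing which characters actually need a backslash escape (NUL, the parentheses, the asterisk and the backslash, each written as \HH; a forward slash does not). host_filter is a hypothetical helper that builds the thread's computer-account filter from an untrusted hostname through that escaper; the filter strings used for input are the ones quoted in the thread.

```python
import re

# Attribute descriptions and matching-rule ids: a descriptor or numeric OID, optional ;options.
_ATTR_RE = re.compile(r'^(?:[A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)*)(?:;[A-Za-z0-9-]+)*$')
# Assertion value: any run of characters except NUL ( ) \ , or a backslash plus two hex digits.
_VALUE_RE = re.compile(r'(?:[^()\\\x00]|\\[0-9A-Fa-f]{2})*')

class FilterError(ValueError):
    """Raised with the offset of the first character the parser could not accept."""

class _Parser:
    def __init__(self, text):
        self.s, self.i = text, 0

    def parse(self):
        node = self._filter()
        if self.i != len(self.s):  # anything after the outermost ')' is not filter syntax
            raise FilterError(f"trailing data after filter at offset {self.i}: {self.s[self.i:]!r}")
        return node

    def _expect(self, ch):
        if self.s[self.i:self.i + 1] != ch:
            raise FilterError(f"expected {ch!r} at offset {self.i}")
        self.i += 1

    def _filter(self):
        self._expect('(')
        c = self.s[self.i:self.i + 1]
        if c in ('&', '|'):  # and / or: one or more nested filters
            self.i += 1
            kids = []
            while self.s[self.i:self.i + 1] == '(':
                kids.append(self._filter())
            if not kids:
                raise FilterError(f"empty filter list at offset {self.i}")
            node = ('and' if c == '&' else 'or', kids)
        elif c == '!':  # not: exactly one nested filter
            self.i += 1
            node = ('not', self._filter())
        else:
            node = self._item()
        self._expect(')')
        return node

    def _item(self):
        start = self.i
        j = self.s.find('=', start)
        if j == -1:
            raise FilterError(f"missing comparison operator in item at offset {start}")
        if j > start and self.s[j - 1] in '~><:':
            op, lhs = self.s[j - 1] + '=', self.s[start:j - 1]
        else:
            op, lhs = '=', self.s[start:j]
        self.i = j + 1
        value, stars = self._value()
        if op == ':=':  # extensible match: attr[:dn][:rule]:=value
            attr, *rest = lhs.split(':')
            dn = bool(rest) and rest[0].lower() == 'dn'
            rule, *extra = (rest[1:] if dn else rest) or [None]
            if extra or not (attr or rule) or (attr and not _ATTR_RE.match(attr)) \
                    or (rule and not _ATTR_RE.match(rule)) or stars:
                raise FilterError(f"bad extensible match {lhs!r} at offset {start}")
            return ('extensible', attr, dn, rule, value)
        if not _ATTR_RE.match(lhs):
            raise FilterError(f"bad attribute description {lhs!r} at offset {start}")
        if op == '=' and value == '*':
            return ('present', lhs)
        if op == '=' and stars:
            return ('substring', lhs, value)
        if stars:  # an unescaped '*' is only legal in present and substring filters
            raise FilterError(f"unescaped '*' in assertion value at offset {start}")
        return ('simple', lhs, op, value)

    def _value(self):
        # Longest run of value characters; an unescaped '(' or NUL or a bad escape ends the
        # run early, and the caller's _expect(')') then reports that offset.
        m = _VALUE_RE.match(self.s, self.i)
        self.i = m.end()
        return m.group(), re.findall(r'\\..|(\*)', m.group()).count('*')

def check_filter(text):
    """Return (True, parse tree) for a well-formed filter, else (False, reason)."""
    try:
        return True, _Parser(text).parse()
    except FilterError as exc:
        return False, str(exc)

# RFC 4515 value encoding: only these five characters need a \HH escape; '/' does not.
_ESCAPES = {'\x00': r'\00', '(': r'\28', ')': r'\29', '*': r'\2a', '\\': r'\5c'}

def escape_filter_value(value):
    return ''.join(_ESCAPES.get(c, c) for c in value)

def host_filter(fqdn):
    """Hypothetical helper: the thread's computer-account filter for an untrusted hostname."""
    spn = escape_filter_value('host/' + fqdn)
    return ('(&(servicePrincipalName=%s)(objectclass=computer)'
            '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' % spn)
```

Run check_filter over the value of the filter option before it goes into a module configuration: the quoted filter passes once the trailing " servicePrincipalName primaryGroupID" is removed, and with it still attached the checker names that exact text as trailing data. Building the filter through escape_filter_value rather than by string concatenation also keeps a hostname containing parentheses or an asterisk from changing the structure of the query.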