Problem with LDAP against Active Directory

Caines, Max Max.Caines at wlv.ac.uk
Mon Apr 3 15:42:56 CEST 2006


Hi Dominique

There appears to be something wrong with the search base definition for your LDAP search. It looks like you are using the "traditional" LDAP basename which goes "ou=mydepartment, o=mycompany, c=ch". Active Directory uses basenames that look like "dc=ad, dc=ch". Your LDAP server is returning "operations error", so I should look in its log file for more details.

By the way, bear in mind that unless you use Microsoft IAS, you can only do RADIUS authentication against AD using PAP (i.e. users send passwords in cleartext), which isn't too secure.

Max Caines
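As an added illustration of the base-DN point above (example code written for this page, not part of the thread or of FreeRADIUS): a small checker that derives the Active Directory default naming context from the server's DNS name and compares it with the `basedn` that rlm_ldap is about to search. The values "ad.ch" and "ou=Sion, o=ad.ch" are taken from the debug output quoted below; the log line "bind as / to ad.ch:389" also shows an anonymous bind, which the checker flags, since a Windows DC normally refuses searches on an unauthenticated connection. Everything else (function names, the finding texts) is my own construction.

```python
"""Sanity-check rlm_ldap settings before pointing FreeRADIUS at an AD domain."""


def domain_to_base_dn(domain):
    """Map a DNS domain to AD's default naming context: 'ad.ch' -> 'dc=ad,dc=ch'."""
    labels = [label for label in domain.strip().lower().split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("dc=%s" % label for label in labels)


def dn_components(dn):
    """Split 'ou=Sion, o=ad.ch' into [('ou', 'sion'), ('o', 'ad.ch')].

    Simple splitter: assumes no escaped commas in the DN (true for the
    values seen in this thread)."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        parts.append((attr.strip().lower(), value.strip().lower()))
    return parts


def check_ldap_settings(server, basedn, identity):
    """Return a list of findings for an rlm_ldap server/basedn/identity triple.

    An empty list means nothing obviously wrong with the search base or bind."""
    findings = []
    expected = domain_to_base_dn(server)
    attrs = {attr for attr, _ in dn_components(basedn)}
    normalized = basedn.replace(" ", "").lower()

    if "dc" not in attrs:
        # 'ou=..., o=..., c=...' style: no such naming context exists on a DC,
        # so the search can only fail (the thread's "Operations error").
        findings.append("basedn '%s' is traditional o=/c= style; AD expects a "
                        "subtree of '%s'" % (basedn, expected))
    elif not normalized.endswith(expected):
        findings.append("basedn '%s' is not under this domain's naming context "
                        "'%s'" % (basedn, expected))

    if not identity.strip():
        # rlm_ldap logs this as "bind as / to host:389".
        findings.append("anonymous bind: AD normally refuses searches until an "
                        "authenticated bind has completed")
    return findings
```

Running `check_ldap_settings("ad.ch", "ou=Sion, o=ad.ch", "")` reproduces both problems visible in the quoted log; a `basedn` such as `ou=Sion,dc=ad,dc=ch` with a bind DN set produces no findings.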

> -----Original Message-----
> From: freeradius-users-bounces+max.caines=wlv.ac.uk at lists.freeradius.org [mailto:freeradius-users-bounces+max.caines=wlv.ac.uk at lists.freeradius.org] On Behalf Of domjullier at rhone.ch
> Sent: 03 April 2006 10:27
> To: freeradius-users at lists.freeradius.org
> Subject: Problem with LDAP against Active Directory
> 
> 
> Hi folks,
> I want to authenticate users from a WLAN with freeradius. The
> users are stored in the Active Directory of a Windows 2003
> Server.
> 
> With some tutorials from the Internet I have configured
> freeradius to do that.
> 
> Unfortunately the authentication does not function successfully.
> 
> That's the output from FreeRadius during the authentication:
> 
> rad_recv: Access-Request packet from host
> 192.168.210.15:4596, id=13, length=100
>         NAS-Port-Type = Ethernet
>         Service-Type = Login-User
>         User-Name = "ldap"
>         User-Password = "ldap"
>         Called-Station-Id = "00:01:02:ad:64:f7"
>         Calling-Station-Id = "00:c0:49:54:b5:43"
>         NAS-Port = 1
> Mon Apr  3 11:12:08 2006 : Debug:   Processing the
> authorize section of radiusd.conf
> Mon Apr  3 11:12:08 2006 : Debug: modcall: entering group
> authorize for request 2
> Mon Apr  3 11:12:08 2006 : Debug:   modsingle[authorize]:
> calling preprocess (rlm_preprocess) for request 2
> Mon Apr  3 11:12:08 2006 : Debug:   modsingle[authorize]:
> returned from preprocess (rlm_preprocess) for request 2
> Mon Apr  3 11:12:08 2006 : Debug:   modcall[authorize]:
> module "preprocess" returns ok for request 2
> Mon Apr  3 11:12:08 2006 : Debug:   modsingle[authorize]:
> calling chap (rlm_chap) for request 2
> Mon Apr  3 11:12:08 2006 : Debug:   modsingle[authorize]:
> returned from chap (rlm_chap) for request 2
> Mon Apr  3 11:12:08 2006 : Debug:   modcall[authorize]:
> module "chap" returns noop for request 2
> Mon Apr  3 11:12:08 2006 : Debug:   modsingle[authorize]:
> calling mschap (rlm_mschap) for request 2
> Mon Apr  3 11:12:08 2006 : Debug:   modsingle[authorize]:
> returned from mschap (rlm_mschap) for request 2
> Mon Apr  3 11:12:08 2006 : Debug:   modcall[authorize]:
> module "mschap" returns noop for request 2
> Mon Apr  3 11:12:08 2006 : Debug:   modsingle[authorize]:
> calling suffix (rlm_realm) for request 2
> Mon Apr  3 11:12:08 2006 : Debug:     rlm_realm: No '@' in
> User-Name = "ldap", looking up realm NULL
> Mon Apr  3 11:12:08 2006 : Debug:     rlm_realm: No such
> realm "NULL"
> Mon Apr  3 11:12:08 2006 : Debug:   modsingle[authorize]:
> returned from suffix (rlm_realm) for request 2
> Mon Apr  3 11:12:08 2006 : Debug:   modcall[authorize]:
> module "suffix" returns noop for request 2
> Mon Apr  3 11:12:08 2006 : Debug:   modsingle[authorize]:
> calling eap (rlm_eap) for request 2
> Mon Apr  3 11:12:08 2006 : Debug:   rlm_eap: No
> EAP-Message, not doing EAP
> Mon Apr  3 11:12:08 2006 : Debug:   modsingle[authorize]:
> returned from eap (rlm_eap) for request 2
> Mon Apr  3 11:12:08 2006 : Debug:   modcall[authorize]:
> module "eap" returns noop for request 2
> Mon Apr  3 11:12:08 2006 : Debug:   modsingle[authorize]:
> calling files (rlm_files) for request 2
> Mon Apr  3 11:12:08 2006 : Debug:   modsingle[authorize]:
> returned from files (rlm_files) for request 2
> Mon Apr  3 11:12:08 2006 : Debug:   modcall[authorize]:
> module "files" returns notfound for request 2
> Mon Apr  3 11:12:08 2006 : Debug:   modsingle[authorize]:
> calling ldap (rlm_ldap) for request 2
> Mon Apr  3 11:12:08 2006 : Debug: rlm_ldap: - authorize
> Mon Apr  3 11:12:08 2006 : Debug: rlm_ldap: performing user
> authorization for ldap
> Mon Apr  3 11:12:08 2006 : Debug: radius_xlat:
>  '(uid=ldap)'
> Mon Apr  3 11:12:08 2006 : Debug: radius_xlat:  'ou=Sion,
> o=ad.ch'
> Mon Apr  3 11:12:08 2006 : Debug: rlm_ldap: ldap_get_conn:
> Checking Id: 0
> Mon Apr  3 11:12:08 2006 : Debug: rlm_ldap: ldap_get_conn:
> Got Id: 0
> Mon Apr  3 11:12:08 2006 : Debug: rlm_ldap: attempting LDAP
> reconnection
> Mon Apr  3 11:12:08 2006 : Debug: rlm_ldap: closing
> existing LDAP connection
> Mon Apr  3 11:12:08 2006 : Debug: rlm_ldap: (re)connect to
> ad.ch:389, authentication 0
> Mon Apr  3 11:12:08 2006 : Debug: rlm_ldap: bind as / to
> ad.ch:389
> Mon Apr  3 11:12:18 2006 : Debug: rlm_ldap: waiting for
> bind result ...
> Mon Apr  3 11:12:18 2006 : Debug: rlm_ldap: Bind was
> successful
> Mon Apr  3 11:12:18 2006 : Debug: rlm_ldap: performing
> search in ou=Sion, o=ad.ch, with filter (uid=ldap)
> Mon Apr  3 11:12:18 2006 : Error: rlm_ldap: ldap_search()
> failed: Operations error
> Mon Apr  3 11:12:18 2006 : Debug: rlm_ldap: search failed
> Mon Apr  3 11:12:18 2006 : Debug: rlm_ldap:
> ldap_release_conn: Release Id: 0
> Mon Apr  3 11:12:18 2006 : Debug:   modsingle[authorize]:
> returned from ldap (rlm_ldap) for request 2
> Mon Apr  3 11:12:18 2006 : Debug:   modcall[authorize]:
> module "ldap" returns fail for request 2
> Mon Apr  3 11:12:18 2006 : Debug: modcall: group authorize
> returns fail for request 2
> Mon Apr  3 11:12:18 2006 : Debug: Finished request 2
> Mon Apr  3 11:12:18 2006 : Debug: Going to the next request
> Mon Apr  3 11:12:18 2006 : Debug: --- Walking the entire
> request list ---
> Mon Apr  3 11:12:18 2006 : Debug: Waking up in 6 seconds...
> rad_recv: Access-Request packet from host
> 192.168.210.15:4596, id=13, length=100
> Mon Apr  3 11:12:18 2006 : Debug: Discarding duplicate
> request from client testnet:4596 - ID: 13
> Mon Apr  3 11:12:18 2006 : Debug: --- Walking the entire
> request list ---
> Mon Apr  3 11:12:18 2006 : Debug: Cleaning up request 2 ID
> 13 with timestamp 4430e6e8
> Mon Apr  3 11:12:18 2006 : Debug: Nothing to do.  Sleeping
> until we see a request.
> rad_recv: Access-Request packet from host
> 192.168.210.15:4596, id=13, length=100
>         NAS-Port-Type = Ethernet
>         Service-Type = Login-User
>         User-Name = "ldap"
>         User-Password = "ldap"
>         Called-Station-Id = "00:01:02:ad:64:f7"
>         Calling-Station-Id = "00:c0:49:54:b5:43"
>         NAS-Port = 1
> Mon Apr  3 11:12:18 2006 : Debug:   Processing the
> authorize section of radiusd.conf
> Mon Apr  3 11:12:18 2006 : Debug: modcall: entering group
> authorize for request 3
> Mon Apr  3 11:12:18 2006 : Debug:   modsingle[authorize]:
> calling preprocess (rlm_preprocess) for request 3
> Mon Apr  3 11:12:18 2006 : Debug:   modsingle[authorize]:
> returned from preprocess (rlm_preprocess) for request 3
> Mon Apr  3 11:12:18 2006 : Debug:   modcall[authorize]:
> module "preprocess" returns ok for request 3
> Mon Apr  3 11:12:18 2006 : Debug:   modsingle[authorize]:
> calling chap (rlm_chap) for request 3
> Mon Apr  3 11:12:18 2006 : Debug:   modsingle[authorize]:
> returned from chap (rlm_chap) for request 3
> Mon Apr  3 11:12:18 2006 : Debug:   modcall[authorize]:
> module "chap" returns noop for request 3
> Mon Apr  3 11:12:18 2006 : Debug:   modsingle[authorize]:
> calling mschap (rlm_mschap) for request 3
> Mon Apr  3 11:12:18 2006 : Debug:   modsingle[authorize]:
> returned from mschap (rlm_mschap) for request 3
> Mon Apr  3 11:12:18 2006 : Debug:   modcall[authorize]:
> module "mschap" returns noop for request 3
> Mon Apr  3 11:12:18 2006 : Debug:   modsingle[authorize]:
> calling suffix (rlm_realm) for request 3
> Mon Apr  3 11:12:18 2006 : Debug:     rlm_realm: No '@' in
> User-Name = "ldap", looking up realm NULL
> Mon Apr  3 11:12:18 2006 : Debug:     rlm_realm: No such
> realm "NULL"
> Mon Apr  3 11:12:18 2006 : Debug:   modsingle[authorize]:
> returned from suffix (rlm_realm) for request 3
> Mon Apr  3 11:12:18 2006 : Debug:   modcall[authorize]:
> module "suffix" returns noop for request 3
> Mon Apr  3 11:12:18 2006 : Debug:   modsingle[authorize]:
> calling eap (rlm_eap) for request 3
> Mon Apr  3 11:12:18 2006 : Debug:   rlm_eap: No
> EAP-Message, not doing EAP
> Mon Apr  3 11:12:18 2006 : Debug:   modsingle[authorize]:
> returned from eap (rlm_eap) for request 3
> Mon Apr  3 11:12:18 2006 : Debug:   modcall[authorize]:
> module "eap" returns noop for request 3
> Mon Apr  3 11:12:18 2006 : Debug:   modsingle[authorize]:
> calling files (rlm_files) for request 3
> Mon Apr  3 11:12:18 2006 : Debug:   modsingle[authorize]:
> returned from files (rlm_files) for request 3
> Mon Apr  3 11:12:18 2006 : Debug:   modcall[authorize]:
> module "files" returns notfound for request 3
> Mon Apr  3 11:12:18 2006 : Debug:   modsingle[authorize]:
> calling ldap (rlm_ldap) for request 3
> Mon Apr  3 11:12:18 2006 : Debug: rlm_ldap: - authorize
> Mon Apr  3 11:12:18 2006 : Debug: rlm_ldap: performing user
> authorization for ldap
> Mon Apr  3 11:12:18 2006 : Debug: radius_xlat:
>  '(uid=ldap)'
> Mon Apr  3 11:12:18 2006 : Debug: radius_xlat:  'ou=Sion,
> o=ad.ch'
> Mon Apr  3 11:12:18 2006 : Debug: rlm_ldap: ldap_get_conn:
> Checking Id: 0
> Mon Apr  3 11:12:18 2006 : Debug: rlm_ldap: ldap_get_conn:
> Got Id: 0
> Mon Apr  3 11:12:18 2006 : Debug: rlm_ldap: attempting LDAP
> reconnection
> Mon Apr  3 11:12:18 2006 : Debug: rlm_ldap: closing
> existing LDAP connection
> Mon Apr  3 11:12:18 2006 : Debug: rlm_ldap: (re)connect to
> ad.ch:389, authentication 0
> Mon Apr  3 11:12:18 2006 : Debug: rlm_ldap: bind as / to
> ad.ch:389
> Mon Apr  3 11:12:28 2006 : Debug: rlm_ldap: waiting for
> bind result ...
> Mon Apr  3 11:12:28 2006 : Debug: rlm_ldap: Bind was
> successful
> Mon Apr  3 11:12:28 2006 : Debug: rlm_ldap: performing
> search in ou=Sion, o=ad.ch, with filter (uid=ldap)
> Mon Apr  3 11:12:28 2006 : Error: rlm_ldap: ldap_search()
> failed: Operations error
> Mon Apr  3 11:12:28 2006 : Debug: rlm_ldap: search failed
> Mon Apr  3 11:12:28 2006 : Debug: rlm_ldap:
> ldap_release_conn: Release Id: 0
> Mon Apr  3 11:12:28 2006 : Debug:   modsingle[authorize]:
> returned from ldap (rlm_ldap) for request 3
> Mon Apr  3 11:12:28 2006 : Debug:   modcall[authorize]:
> module "ldap" returns fail for request 3
> Mon Apr  3 11:12:28 2006 : Debug: modcall: group authorize
> returns fail for request 3
> Mon Apr  3 11:12:28 2006 : Debug: Finished request 3
> Mon Apr  3 11:12:28 2006 : Debug: Going to the next request
> Mon Apr  3 11:12:28 2006 : Debug: --- Walking the entire
> request list ---
> Mon Apr  3 11:12:28 2006 : Debug: Waking up in 6 seconds...
> Mon Apr  3 11:12:34 2006 : Debug: --- Walking the entire
> request list ---
> Mon Apr  3 11:12:34 2006 : Debug: Cleaning up request 3 ID
> 13 with timestamp 4430e6f2
> Mon Apr  3 11:12:34 2006 : Debug: Nothing to do.  Sleeping
> until we see a request.
> 
> Where can I fix the mistake which produces this error?
> 
> greets
> 
> dominique
> 
