AD ldap bind works with 1.01, fails with 1.04

Stephen Walsh S.Walsh at signadou.acu.edu.au
Tue Jan 24 06:28:20 CET 2006 




Hi Folks

We're implementing freeradius with EAP/TLS for our wireless and have found
a strange happening with 1.04. This will only happen when attempting to
query our student domain (w2k3 AD tree), but not our staff (w2k3 AD tree).
If I remove the section (below) for student, it will authenticate staff and
log them on happily.

At the moment, we have

            acu.edu.au
                   |
                 /   \
            staff     student

I have a test box with FC3/FreeRadius 1.01 which will search through both
domains and authenticate the user. I copy the config over to the
FC4/FreeRadius 1.04 box and it works on staff, but returns the following on
student (the tree is laid out the same as staff);

ldap_search() failed: Operations error

Is this a bug (known or unknown) or have I just not allowed something like
referrals to work. I don't want to have to put openldap on the radius box
if I can help it, but if that's the only solution then we'll reassess 1.01
on FC3

Config is as below (some sanitisation done to protect the innocent networks
involved).

        ldap student {

                server = "192.148.xxx.xxx"
                identity =
"cn=xxxxxxxxx,cn=users,dc=student,dc=acu,dc=edu,dc=au"
                password = "xxxxxxxxx"
                basedn = "dc=student,dc=acu,dc=edu,dc=au"
                filter =
"(samaccountname=%{Stripped-User-Name:-%{User-Name}})"

                dictionary_mapping = ${raddbdir}/ldap.attrmap

                ldap_connections_number = 5

        }

       ldap staff {

                server = "192.148.xxx.xxx"
                identity =
"cn=xxxxxx,cn=users,dc=staff,dc=acu,dc=edu,dc=au"
                password = "xxxxxx"
                basedn = "dc=staff,dc=acu,dc=edu,dc=au"
                filter =
"(samaccountname=%{Stripped-User-Name:-%{User-Name}})"

                dictionary_mapping = ${raddbdir}/ldap.attrmap

                ldap_connections_number = 5

        }

<snip>

authorize {
                suffix
                eap
                staff
                student
                }

authenticate {
        Auth-Type PAP {
                pap
                }
        Auth-Type LDAP {
                student
                staff
                }
        eap
        }

many thanks

Stephen Walsh
Client Support Officer (Technology)
Australian Catholic University (Limited)
PO Box 256, Dickson ACT 2602
Phone: +61 2 6209 1133
Fax: +61 2 6209 1179
Mobile: +61 419 496796
+++++++++++++++++++++++++++++++++++++++++++++++++
CRICOS Registration: 00004G, 00112C, 00873F, 00885B
ABN 15 050 192 660

+++++++++++++++++++++++++++++++++++++++++++++++++

More information about the Freeradius-Users mailing list