Correction to: AD ldap search works with 1.01, fails with 1.04
Stephen Walsh
S.Walsh at signadou.acu.edu.au
Tue Jan 24 06:33:02 CET 2006
Hi Folks
Correction to previous email:
We can bind to the server, when the time comes to search it fails;
radiusd -X -A
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: closing existing LDAP connection
rlm_ldap: (re)connect to 192.148.xxx.xxx:389, authentication 0
rlm_ldap: bind as cn=xxxxxxxx,cn=users,dc=student,dc=acu,dc=edu,dc=au/xxxxxxxx to 192.148.223.125:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=student,dc=acu,dc=edu,dc=au, with filter (samaccountname=testuser)
rlm_ldap: ldap_search() failed: Operations error
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
Stephen Walsh
s.walsh at signadou.acu.edu.au
Client Support Officer (Technology)
Australian Catholic University (Limited)
PO Box 256, Dickson ACT 2602
Phone: +61 2 6209 1133
Fax: +61 2 6209 1179
Mobile: +61 419 496796
+++++++++++++++++++++++++++++++++++++++++++++++++
CRICOS Registration: 00004G, 00112C, 00873F, 00885B
ABN 15 050 192 660
+++++++++++++++++++++++++++++++++++++++++++++++++
From: Stephen Walsh <S.Walsh at signadou.acu.edu.au>
Sent by: freeradius-users-bounces+s.walsh=signadou.acu.edu.au at lists.freeradius.org
Date: 24/01/2006 04:28 PM
Please respond to: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
To: freeradius-users at lists.freeradius.org
cc:
Subject: AD ldap bind works with 1.01, fails with 1.04
Hi Folks
We're implementing freeradius with EAP/TLS for our wireless and have found
a strange happening with 1.04. This will only happen when attempting to
query our student domain (w2k3 AD tree), but not our staff (w2k3 AD tree).
If I remove the section (below) for student, it will authenticate staff and
log them on happily.
At the moment, we have
       acu.edu.au
           |
          / \
     staff   student
I have a test box with FC3/FreeRadius 1.01 which will search through both
domains and authenticate the user. I copy the config over to the
FC4/FreeRadius 1.04 box and it works on staff, but returns the following on
student (the tree is laid out the same as staff);
ldap_search() failed: Operations error
Is this a bug (known or unknown), or have I just not allowed something like
referrals to work? I don't want to have to put openldap on the radius box
if I can help it, but if that's the only solution then we'll reassess 1.01
on FC3.
Config is as below (some sanitisation done to protect the innocent networks
involved).
ldap student {
        server = "192.148.xxx.xxx"
        identity = "cn=xxxxxxxxx,cn=users,dc=student,dc=acu,dc=edu,dc=au"
        password = "xxxxxxxxx"
        basedn = "dc=student,dc=acu,dc=edu,dc=au"
        filter = "(samaccountname=%{Stripped-User-Name:-%{User-Name}})"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
}
ldap staff {
        server = "192.148.xxx.xxx"
        identity = "cn=xxxxxx,cn=users,dc=staff,dc=acu,dc=edu,dc=au"
        password = "xxxxxx"
        basedn = "dc=staff,dc=acu,dc=edu,dc=au"
        filter = "(samaccountname=%{Stripped-User-Name:-%{User-Name}})"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
}
<snip>
authorize {
        suffix
        eap
        staff
        student
}
authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type LDAP {
                student
                staff
        }
        eap
}
many thanks
Stephen Walsh
Client Support Officer (Technology)
Australian Catholic University (Limited)
PO Box 256, Dickson ACT 2602
Phone: +61 2 6209 1133
Fax: +61 2 6209 1179
Mobile: +61 419 496796
+++++++++++++++++++++++++++++++++++++++++++++++++
CRICOS Registration: 00004G, 00112C, 00873F, 00885B
ABN 15 050 192 660
+++++++++++++++++++++++++++++++++++++++++++++++++
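
The following script is an added example, not part of the original mail or of FreeRADIUS. It separates "bind failed" from "bound, then search failed" in rlm_ldap debug output like that quoted above, tolerates records wrapped across lines (as happens when such output is pasted into mail), and does not keep the field printed after the "/" on the bind line. The sample log, its hosts and names, and the function names are constructed; only line formats quoted in the post are matched.

```python
import re

# Constructed sample in the post's rlm_ldap debug format; placeholder hosts/names.
SAMPLE = """\
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: bind as
cn=svc,cn=users,dc=student,dc=example,dc=edu/xxxxxxxx to
192.0.2.10:389
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=student,dc=example,dc=edu, with filter
(samaccountname=testuser)
rlm_ldap: ldap_search() failed: Operations error
rlm_ldap: ldap_get_conn: Got Id: 1
rlm_ldap: performing search in dc=staff,dc=example,dc=edu, with filter (samaccountname=testuser)
"""

def unwrap(text):
    """Join wrapped lines: text not starting 'rlm_ldap:' extends the previous record."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("rlm_ldap:") or not records:
            records.append(line)
        elif line:
            records[-1] += " " + line
    return records

def triage(text):
    """Return one dict per LDAP connection Id with its bind and search outcome."""
    sessions, cur = [], {}  # records seen before the first Id go to a discarded dict
    for rec in unwrap(text):
        if m := re.search(r"ldap_get_conn: Got Id: (\d+)", rec):
            cur = dict(id=int(m[1]), dn=None, bound=False, base=None, filter=None, error=None)
            sessions.append(cur)
        elif m := re.search(r"bind as (.+)/\S* to \S+$", rec):
            cur["dn"] = m[1]  # the field after '/' (masked in the post) is not kept
        elif "Bind was successful" in rec:
            cur["bound"] = True
        elif m := re.search(r"performing search in (.+), with filter (.+)$", rec):
            cur["base"], cur["filter"] = m[1], m[2]
        elif m := re.search(r"ldap_search\(\) failed: (.+)$", rec):
            cur["error"] = m[1]
    return sessions

def bound_but_search_failed(text):
    return [s for s in triage(text) if s["bound"] and s["error"]]

if __name__ == "__main__":
    for s in bound_but_search_failed(SAMPLE):
        print(f"Id {s['id']}: bound as {s['dn']}; search {s['base']} {s['filter']}: {s['error']}")
```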