AD ldap bind works with 1.01, fails with 1.04
Stephen Walsh
S.Walsh at signadou.acu.edu.au
Wed Jan 25 00:02:00 CET 2006
Alan;
I've tested it further and you are right, the search isn't recursively
entering the tree. What in the search changed between 1.01 (which works)
and 1.04 (which returns errors when trying to enter the OUs)? Is it
possible to revert to the 1.01 search under 1.04?
Many thanks
Stephen Walsh
s.walsh at signadou.acu.edu.au
Client Support Officer (Technology)
Australian Catholic University (Limited)
PO Box 256, Dickson ACT 2602
Phone: +61 2 6209 1133
Fax: +61 2 6209 1179
Mobile: +61 419 496796
+++++++++++++++++++++++++++++++++++++++++++++++++
CRICOS Registration: 00004G, 00112C, 00873F, 00885B
ABN 15 050 192 660
+++++++++++++++++++++++++++++++++++++++++++++++++
From: "Alan DeKok" <aland at ox.org>
Sent by: freeradius-users-bounces+s.walsh=signadou.acu.edu.au at lists.freeradius.org
Date: 25/01/2006 04:16 AM
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: AD ldap bind works with 1.01, fails with 1.04
Please respond to: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Stephen Walsh <S.Walsh at signadou.acu.edu.au> wrote:
> ldap_search() failed: Operations error
It's a combination of factors. What's happening is that your LDAP
search isn't fully qualified, so when something isn't found in
"students", AD returns a referral to "staff". OpenLDAP fails to use
the authentication credentials for the referral that it was given for
the original query.
And lo, "operations error", which is such a useful message.
It's a cross-domain referral problem. You have a "staff" domain
and a "student" domain, which trust each other in AD.
The solution is to fully qualify all of the queries so that AD
doesn't return a referral. Adding "ou=people" (or something
like that) will usually do the trick.
Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
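As an added illustration of the check Alan's reply implies (this is not code from the thread or from the FreeRADIUS project): a subtree search returns a continuation reference (referral) for every directory partition that lies beneath the search base, and that referral is what the OpenLDAP client in rlm_ldap then fails to chase with the original bind credentials. Given the naming contexts a domain controller advertises in its RootDSE, the script flags a basedn that has partitions beneath it and confirms an OU-qualified base has none; the naming contexts, domain names and referral URL below are constructed sample values.

```python
import re
from urllib.parse import urlparse, unquote

# Constructed sample values (not from the thread): naming contexts a DC for a
# forest root with two child domains would list in its RootDSE.
NAMING_CONTEXTS = [
    "DC=example,DC=edu",
    "DC=students,DC=example,DC=edu",
    "DC=staff,DC=example,DC=edu",
    "CN=Configuration,DC=example,DC=edu",
]


def normalize_dn(dn):
    """Lower-case each RDN and strip whitespace around unescaped commas so
    'DC=Staff, DC=Example' and 'dc=staff,dc=example' compare equal."""
    parts = re.split(r"(?<!\\),", dn)
    return ",".join(p.strip().lower() for p in parts if p.strip())


def dn_is_under(dn, ancestor):
    """True if dn equals ancestor or lies somewhere below it."""
    dn, ancestor = normalize_dn(dn), normalize_dn(ancestor)
    return dn == ancestor or dn.endswith("," + ancestor)


def referral_risk(basedn, naming_contexts=NAMING_CONTEXTS):
    """Partitions strictly below basedn. A subtree search from basedn yields
    a referral for each of these; an empty list means the base is qualified
    inside one partition and no referral is expected."""
    base = normalize_dn(basedn)
    return [normalize_dn(nc) for nc in naming_contexts
            if dn_is_under(nc, base) and normalize_dn(nc) != base]


def parse_referral(url):
    """Split a referral URL such as ldap://host/DC=a,DC=b into (host, dn) so
    the partition AD redirected to can be read off a radiusd -X log."""
    u = urlparse(url)
    return u.hostname, normalize_dn(unquote(u.path.lstrip("/")))


if __name__ == "__main__":
    for base in ("DC=example,DC=edu", "OU=people,DC=students,DC=example,DC=edu"):
        risky = referral_risk(base)
        print(f"basedn {base!r}: {'referrals to ' + ', '.join(risky) if risky else 'OK'}")
    print(parse_referral("ldap://staff.example.edu/DC=staff,DC=example,DC=edu"))
```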