FR + LDAP + ADS - rlm_ldap: ldap_search() failed: Operations error

Jacob Jarick mem.namefix at gmail.com
Thu Apr 26 04:37:35 CEST 2007


radiusd.conf:
radiusd -X -f: http://pastebin.ca/458790

Hello again,
I have configured the ldap module according to the rlm_ldap wiki
(minus TLS, just trying one thing at a time). I have supplied:
identity = "cn=admin,o=tfxschool,c=AU"
password = pass

As I have been told anonymous binding is not the way to go for
confirming username/password.

From reading the error log it seems to me that freeradius does
successfully connect to the ADS server via ldap but fails to find the
user.

output in question:

rlm_ldap: - authorize
rlm_ldap: performing user authorization for jacob
radius_xlat:  '(uid=jacob)'
radius_xlat:  'o=tfxschool,c=AU'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to tfxschoolfs01.tfxschool.internal:389, authentication 0
rlm_ldap: bind as /pass to tfxschoolfs01.tfxschool.internal:389
rlm_ldap: waiting for bind result ...
request done: ld 0x8697ed0 msgid 1
rlm_ldap: Bind was successful
rlm_ldap: performing search in o=tfxschool,c=AU, with filter (uid=jacob)
request done: ld 0x8697ed0 msgid 2
rlm_ldap: ldap_search() failed: Operations error
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns fail for request 0
modcall: leaving group authorize (returns fail) for request 0
Finished request 0
.
The user Jacob auths fine via the ntlm_auth module but fails with my
current ldap setup.
Does the user admin need special privileges on the Windows 2003 ADS to
search / retrieve user information (eg password, group etc)?
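A small triage helper for the debug output quoted above, added here as an example and not part of the original thread or of FreeRADIUS itself. It parses the `rlm_ldap` lines as they appear in the post (the `bind as <dn>/<password> to <server>` format is assumed from that output), recovers the bind DN, search base and filter, and flags what to check first: the empty identity in `bind as /pass`, the `Operations error` answer that Active Directory gives to a search on an unauthenticated connection, and the `uid=` filter, since AD keeps the login name in `sAMAccountName`.

```python
import re

# Constructed sample: the rlm_ldap lines from the post above.
SAMPLE_LOG = """\
rlm_ldap: performing user authorization for jacob
radius_xlat:  '(uid=jacob)'
rlm_ldap: bind as /pass to tfxschoolfs01.tfxschool.internal:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in o=tfxschool,c=AU, with filter (uid=jacob)
rlm_ldap: ldap_search() failed: Operations error
rlm_ldap: search failed
"""

# Line shapes assumed from the debug output in the post.
BIND_RE = re.compile(r"rlm_ldap: bind as (?P<dn>[^/]*)/(?P<pw>\S*) to (?P<server>\S+)")
SEARCH_RE = re.compile(r"rlm_ldap: performing search in (?P<base>.+), with filter (?P<filt>\(.*\))")
FAIL_RE = re.compile(r"rlm_ldap: ldap_search\(\) failed: (?P<err>.+)")


def triage(log: str) -> dict:
    """Extract bind identity, search base/filter and failure from radiusd -X output."""
    info = {"bind_dn": None, "bind_ok": False, "base": None,
            "filter": None, "search_error": None, "findings": []}
    for line in log.splitlines():
        if m := BIND_RE.search(line):
            info["bind_dn"] = m.group("dn")
        elif "Bind was successful" in line:
            info["bind_ok"] = True
        elif m := SEARCH_RE.search(line):
            info["base"], info["filter"] = m.group("base"), m.group("filt")
        elif m := FAIL_RE.search(line):
            info["search_error"] = m.group("err").strip()

    if info["bind_ok"] and info["bind_dn"] == "":
        # An empty DN plus a password is an unauthenticated simple bind: the
        # server accepts it but treats the connection as anonymous.
        info["findings"].append("bind DN is empty: configured 'identity' was not applied")
    if info["search_error"] == "Operations error":
        # AD answers a search on an unauthenticated connection with result
        # code 1 (operationsError) instead of an empty result set.
        info["findings"].append("Operations error: search ran on an unauthenticated connection")
    if info["filter"] and "uid=" in info["filter"]:
        # AD stores the login name in sAMAccountName; uid is rarely populated.
        info["findings"].append("filter uses uid; AD login names live in sAMAccountName")
    return info
```

Run `triage(open("radiusd.log").read())["findings"]` on a captured `radiusd -X` session to get the checklist for that run.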


