FR + LDAP + ADS - rlm_ldap: ldap_search() failed: Operations error [unclas]

Jacob Jarick mem.namefix at gmail.com
Fri Apr 27 02:50:59 CEST 2007


Thank you for the suggestions / tips, Frank.

Here are the results from the command you gave me:
[root@localhost ~]# ldapsearch -x -h 10.1.1.11 \
    -D "CN=admin,OU=People,DC=tfxschool,DC=internal" -w pass \
    -b "o=tfxschool,c=AU" 'objectclass=*'

# extended LDIF
#
# LDAPv3
# base <o=tfxschool,c=AU> with scope subtree
# filter: objectclass=*
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 000020D6: SvcErr: DSID-031006CC, problem 5012 (DIR_ERROR), data 0

# numResponses: 1

----------------------------------------

I'm about to install Unix services for Windows on my 2003 server and
run my search command again to see if it populates the fields in LDAP
some more (recommended by the Gentoo wiki's "HOWTO Authenticate
from Active Directory using OpenLDAP").

Also, it seems to me that freeradius is anonymously binding even
though I have set these 2 lines under "ldap {"
                identity = "cn=admin,o=tfxschool,c=AU"
                password = pass

Here is the entry for admin, which I retrieved using this command:
ldapsearch -x -h 10.1.1.11 -b "dc=tfxschool,dc=internal" -LLL -s sub 'objectclass=*'

dn: CN=admin,OU=People,DC=tfxschool,DC=internal
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: admin
title: tfxschool
givenName: admin
distinguishedName: CN=admin,OU=People,DC=tfxschool,DC=internal
instanceType: 4
whenCreated: 20070426003712.0Z
whenChanged: 20070426014259.0Z
displayName: admin
uSNCreated: 82400
uSNChanged: 82415
department: tfxschool
company: tfxschool
name: admin
objectGUID:: Y5PXIUnZgEeBru7NxgIn3Q==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 128220214326562500
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAKyI9FO9VW1CmlC13bwQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: admin
sAMAccountType: 805306368
userPrincipalName: admin@tfxschool.internal
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=tfxschool,DC=internal


Thanks in advance, I appreciate the info very much.

On 4/26/07, Ranner, Frank MR <Frank.Ranner at defence.gov.au> wrote:
> Are you sure that the uid attribute is even in Active Directory? Chances
> are the usernames are in the sAMAccountName attribute. Since you now seem
> to be able to bind, why not use the ldapsearch utility to show entries in
> the o=tfxschool,c=AU subtree.
>
>   ldapsearch -x -h <hostname> -D "cn=admin,o=tfxschool,c=AU" -w pass \
>       -b "o=tfxschool,c=AU" 'objectclass=*'
>
> This will show you what attributes there are, and whether the password
> is readable.
>
> Regards,
> Frank Ranner
>
> > -----Original Message-----
> > From: freeradius-users-bounces+frank.ranner=defence.gov.au at lists.freeradius.org
> > [mailto:freeradius-users-bounces+frank.ranner=defence.gov.au at lists.freeradius.org]
> > On Behalf Of Jacob Jarick
> > Sent: Thursday, 26 April 2007 12:38
> > To: FreeRadius users mailing list
> > Subject: FR + LDAP + ADS - rlm_ldap: ldap_search() failed: Operations error
> >
> > radiusd.conf:
> > radiusd -X -f: http://pastebin.ca/458790
> >
> > Hello again,
> > I have configured the ldap module according to the rlm_ldap
> > wiki (minus TLS, just trying one thing at a time). I have supplied:
> > identity = "cn=admin,o=tfxschool,c=AU"
> > password = pass
> >
> > As I have been told anonymous binding is not the way to go
> > for confirming username/password.
> >
> > From reading the error log it seems to me that freeradius does
> > successfully connect to the ADS server via ldap but fails to
> > find the user.
> >
> > output in question:
> >
> > rlm_ldap: - authorize
> > rlm_ldap: performing user authorization for jacob
> > radius_xlat:  '(uid=jacob)'
> > radius_xlat:  'o=tfxschool,c=AU'
> > rlm_ldap: ldap_get_conn: Checking Id: 0
> > rlm_ldap: ldap_get_conn: Got Id: 0
> > rlm_ldap: attempting LDAP reconnection
> > rlm_ldap: (re)connect to
> > tfxschoolfs01.tfxschool.internal:389, authentication 0
> > rlm_ldap: bind as /pass to tfxschoolfs01.tfxschool.internal:389
> > rlm_ldap: waiting for bind result ...
> > request done: ld 0x8697ed0 msgid 1
> > rlm_ldap: Bind was successful
> > rlm_ldap: performing search in o=tfxschool,c=AU, with filter (uid=jacob)
> > request done: ld 0x8697ed0 msgid 2
> > rlm_ldap: ldap_search() failed: Operations error
> > rlm_ldap: search failed
> > rlm_ldap: ldap_release_conn: Release Id: 0
> > modcall[authorize]: module "ldap" returns fail for request 0
> > modcall: leaving group authorize (returns fail) for request 0
> > Finished request 0 .
> > The user Jacob authenticates fine via the ntlm_auth module but fails
> > with my current ldap setup.
> > Does the user admin need special privileges on the Windows
> > 2003 ADS to search / retrieve user information (eg password,
> > group etc)?
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
>

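An added check, not part of the thread above: the admin entry Jacob posted carries enough information to verify that the bind account is usable and to derive rlm_ldap settings that match how Active Directory is actually laid out. The Python below was written for this page (it is not FreeRADIUS or OpenLDAP code); it parses a constructed copy of that entry, decodes the binary objectSid and the userAccountControl bitmask, and pulls the domain naming context out of the DN. The point it makes concrete is visible in the thread itself: the search against dc=tfxschool,dc=internal returned the entry, while the one against o=tfxschool,c=AU came back with the 000020D6 operations error, so the rlm_ldap basedn and identity have to be expressed in AD's DC=... naming context, and since usernames live in sAMAccountName (Frank's point), the filter should match that attribute rather than uid. The LDIF sample, the flag table and the function names are this example's own.

```python
import base64
import struct

# Constructed copy of the admin entry posted above (a subset of its attributes).
SAMPLE_LDIF = """\
dn: CN=admin,OU=People,DC=tfxschool,DC=internal
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: admin
distinguishedName: CN=admin,OU=People,DC=tfxschool,DC=internal
userAccountControl: 66048
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAKyI9FO9VW1CmlC13bwQAAA==
sAMAccountName: admin
userPrincipalName: admin@tfxschool.internal
"""

# userAccountControl bits that matter for a bind account (names as in MS-ADTS).
# This table is the example's own and covers only the bits checked here.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x800000: "PASSWORD_EXPIRED",
}


def parse_ldif(text):
    """Parse one LDIF entry into {attr: [values]}.

    'attr:: value' marks a base64 value (as ldapsearch prints objectSid and
    objectGUID); those are decoded to bytes. Only the LDIF subset needed here.
    """
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if ":: " in line:
            attr, raw = line.split(":: ", 1)
            value = base64.b64decode(raw)
        else:
            attr, value = line.split(": ", 1)
        entry.setdefault(attr, []).append(value)
    return entry


def decode_sid(blob):
    """Binary SID (revision, sub-authority count, 48-bit big-endian authority,
    then little-endian 32-bit sub-authorities) -> 'S-1-5-21-...' string."""
    revision, sub_count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % sub_count, blob[8:8 + 4 * sub_count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def decode_uac(value):
    """Names of the known userAccountControl bits set in value, sorted."""
    return sorted(name for bit, name in UAC_FLAGS.items() if value & bit)


def naming_context(dn):
    """The DC= components of a DN, i.e. the domain naming context that an
    rlm_ldap basedn must sit inside (AD is not rooted at o=...,c=...)."""
    return ",".join(rdn for rdn in dn.split(",") if rdn.upper().startswith("DC="))


def check_bind_account(ldif_text):
    """Summarise whether the entry can serve as the rlm_ldap bind identity."""
    e = parse_ldif(ldif_text)
    dn = e["dn"][0]
    flags = decode_uac(int(e["userAccountControl"][0]))
    sid = decode_sid(e["objectSid"][0])
    return {
        "identity": dn,                      # value for rlm_ldap 'identity'
        "basedn": naming_context(dn),        # value for rlm_ldap 'basedn'
        "sAMAccountName": e["sAMAccountName"][0],
        "sid": sid,
        "rid": int(sid.rsplit("-", 1)[1]),
        "uac_flags": flags,
        "usable": "ACCOUNTDISABLE" not in flags and "LOCKOUT" not in flags,
    }


if __name__ == "__main__":
    for key, value in check_bind_account(SAMPLE_LDIF).items():
        print("%-15s %s" % (key, value))
```

Applied to the posted entry the check reports an enabled normal account (NORMAL_ACCOUNT and DONT_EXPIRE_PASSWORD set, ACCOUNTDISABLE and LOCKOUT clear), SID S-1-5-21-339550763-1348163055-1999475878-1135 with RID 1135, and basedn DC=tfxschool,DC=internal. The matching rlm_ldap lines for a FreeRADIUS 1.x radiusd.conf would be identity = "CN=admin,OU=People,DC=tfxschool,DC=internal", basedn = "DC=tfxschool,DC=internal" and filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"; the debug line "rlm_ldap: bind as /pass" in the quoted log shows that the identity actually sent on the wire was empty, so it is worth re-checking which ldap { } block the running config reads. One caveat on Frank's "whether the password is readable": Active Directory never returns password material over LDAP, however privileged the bind, so rlm_ldap can only verify a user's password by binding as that user (Auth-Type LDAP), or authentication stays with ntlm_auth/MS-CHAP as it already does for jacob.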