FR + LDAP + ADS - rlm_ldap: ldap_search() failed: Operations error [unclas]

Jacob Jarick mem.namefix at gmail.com
Fri Apr 27 04:04:16 CEST 2007


OK, some more progress: I found one setting that rejected any user if they
did not have the dialup access attribute, which I have commented out. Now I
get the following results when using the radping program.

It looks to me like it searches fine ("rlm_ldap: user jacob authorized
to use remote access"), but I'm guessing that because there is no password
field it returns 0 and moves on. I am about to install Unix Services
for Windows and inspect the new fields (if any).

If anyone knows what is involved in populating the ADS 2003 LDAP fields
with user passwords/hashes, please let me know.

rad_recv: Access-Request packet from host 10.1.1.11:3470, id=8, length=45
        User-Name = "jacob"
        User-Password = "\330\3338\220\201\273J\246fU\270\354xC{\212"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for jacob
radius_xlat:  '(sAMAccountName=jacob)'
radius_xlat:  'dc=tfxschool,dc=internal'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to tfxschoolfs01.tfxschool.internal:3268, authentication 0
rlm_ldap: bind as / to tfxschoolfs01.tfxschool.internal:3268
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=tfxschool,dc=internal, with filter (sAMAccountName=jacob)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user jacob authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "jacob", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0


On 4/27/07, Jacob Jarick <mem.namefix at gmail.com> wrote:
> Thank you for the suggestions / tips Frank..
>
> Here is the results from the command you gave me:
> [root at localhost ~]# ldapsearch -x -h 10.1.1.11 -D "CN=admin,OU=People,DC=tfxschool,DC=internal" -w pass -b "o=tfxschool,c=AU" 'objectclass=*'
>
> # extended LDIF
> #
> # LDAPv3
> # base <o=tfxschool,c=AU> with scope subtree
> # filter: objectclass=*
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 1 Operations error
> text: 000020D6: SvcErr: DSID-031006CC, problem 5012 (DIR_ERROR), data 0
>
> # numResponses: 1
>
> ----------------------------------------
>
> I'm about to install Unix Services for Windows on my 2003 server and
> run my search command again to see if it populates the fields in LDAP
> some more (recommended by the Gentoo wiki's "HOWTO Authenticate
> from Active Directory using OpenLDAP").
>
> Also, it seems to me that freeradius is anonymously binding even
> though I have set these 2 lines under "ldap {"
>                 identity = "cn=admin,o=tfxschool,c=AU"
>                 password = pass
>
> Here is the entry for admin, which I retrieved using this command:
> ldapsearch -h 10.1.1.11 -x -b "dc=tfxschool,dc=internal" -x -LLL -s sub 'objectclass=*'
>
> dn: CN=admin,OU=People,DC=tfxschool,DC=internal
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: admin
> title: tfxschool
> givenName: admin
> distinguishedName: CN=admin,OU=People,DC=tfxschool,DC=internal
> instanceType: 4
> whenCreated: 20070426003712.0Z
> whenChanged: 20070426014259.0Z
> displayName: admin
> uSNCreated: 82400
> uSNChanged: 82415
> department: tfxschool
> company: tfxschool
> name: admin
> objectGUID:: Y5PXIUnZgEeBru7NxgIn3Q==
> userAccountControl: 66048
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> pwdLastSet: 128220214326562500
> primaryGroupID: 513
> objectSid:: AQUAAAAAAAUVAAAAKyI9FO9VW1CmlC13bwQAAA==
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: admin
> sAMAccountType: 805306368
> userPrincipalName: admin@tfxschool.internal
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=tfxschool,DC=internal
>
>
> Thanks in advance, I appreciate the info very much.
>
> On 4/26/07, Ranner, Frank MR <Frank.Ranner at defence.gov.au> wrote:
> > Are you sure that the uid attribute is even in Active Directory. Chances
> > are the usernames
> > are in the sAMAccountName attribute. Since you now seem to be able to
> > bind, why not use the
> > ldapsearch utility to show entries in the o=tfxschool,c=AU subtree.
> >
> >   ldapsearch -x -h <hostname> -D "cn=admin,o=tfxschool,c=AU" -w pass -b "o=tfxschool,c=AU" 'objectclass=*'
> >
> > This will show you what attributes there are, and whether the password
> > is readable.
> >
> > Regards,
> > Frank Ranner
> >
> > > -----Original Message-----
> > > From: freeradius-users-bounces+frank.ranner=defence.gov.au at lists.freeradius.org
> > > [mailto:freeradius-users-bounces+frank.ranner=defence.gov.au at lists.freeradius.org]
> > > On Behalf Of Jacob Jarick
> > > Sent: Thursday, 26 April 2007 12:38
> > > To: FreeRadius users mailing list
> > > Subject: FR + LDAP + ADS - rlm_ldap: ldap_search() failed: Operations error
> > >
> > > radiusd.conf:
> > > radiusd -X -f: http://pastebin.ca/458790
> > >
> > > Hello again,
> > > I have configured the ldap module according to the rlm_ldap
> > > wiki (minus TLS, just trying one thing at a time). I have supplied:
> > > identity = "cn=admin,o=tfxschool,c=AU"
> > > password = pass
> > >
> > > As I have been told, anonymous binding is not the way to go
> > > for confirming username/password.
> > >
> > > From reading the error log it seems to me that freeradius does
> > > successfully connect to the ADS server via ldap but fails to
> > > find the user.
> > >
> > > output in question:
> > >
> > > rlm_ldap: - authorize
> > > rlm_ldap: performing user authorization for jacob
> > > radius_xlat:  '(uid=jacob)'
> > > radius_xlat:  'o=tfxschool,c=AU'
> > > rlm_ldap: ldap_get_conn: Checking Id: 0
> > > rlm_ldap: ldap_get_conn: Got Id: 0
> > > rlm_ldap: attempting LDAP reconnection
> > > rlm_ldap: (re)connect to tfxschoolfs01.tfxschool.internal:389, authentication 0
> > > rlm_ldap: bind as /pass to tfxschoolfs01.tfxschool.internal:389
> > > rlm_ldap: waiting for bind result ...
> > > request done: ld 0x8697ed0 msgid 1
> > > rlm_ldap: Bind was successful
> > > rlm_ldap: performing search in o=tfxschool,c=AU, with filter (uid=jacob)
> > > request done: ld 0x8697ed0 msgid 2
> > > rlm_ldap: ldap_search() failed: Operations error
> > > rlm_ldap: search failed
> > > rlm_ldap: ldap_release_conn: Release Id: 0
> > > modcall[authorize]: module "ldap" returns fail for request 0
> > > modcall: leaving group authorize (returns fail) for request 0
> > > Finished request 0 .
> > >
> > > The user Jacob authenticates fine via the ntlm_auth module but fails
> > > with my current ldap setup.
> > > Does the user admin need special privileges on the Windows
> > > 2003 ADS to search / retrieve user information (e.g. password,
> > > group etc)?
> > > -
> > > List info/subscribe/unsubscribe? See
> > > http://www.freeradius.org/list/users.html
> > >
> >
> >
>
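Added example, not code from this thread or from FreeRADIUS: a small Python script that decodes the admin entry quoted above the way a RADIUS authorize step would have to, so the kind of check rlm_ldap was doing with its dial-in attribute setting can be seen on real data. It parses the posted LDIF (trimmed to the attributes it uses), turns the base64 objectSid into S-1-5-21-...-RID form, names the userAccountControl bits (66048 is NORMAL_ACCOUNT plus DONT_EXPIRE_PASSWD), converts the FILETIME in pwdLastSet to a date (it comes out as 2007-04-26 00:37:12Z, the same instant as whenCreated), treats accountExpires = 9223372036854775807 as "never", and then decides allow/deny from those values. The attribute name msNPAllowDialin is an assumption; the thread only says "dialup access attribute", and the posted entry does not carry it.

```python
"""Decode the Active Directory user entry quoted in this thread.

Added example, not code from the thread or from FreeRADIUS. The LDIF is
the admin entry as posted, trimmed to the attributes used here; the flag
values are Microsoft's documented userAccountControl bits.
"""
import base64
import struct
from datetime import datetime, timedelta, timezone

# The entry as posted (attribute subset). "::" marks a base64-encoded value.
LDIF = """\
dn: CN=admin,OU=People,DC=tfxschool,DC=internal
sAMAccountName: admin
userAccountControl: 66048
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAKyI9FO9VW1CmlC13bwQAAA==
pwdLastSet: 128220214326562500
accountExpires: 9223372036854775807
"""

# userAccountControl bits that matter when deciding whether to grant access.
UAC_FLAGS = {
    0x000002: "ACCOUNTDISABLE",
    0x000010: "LOCKOUT",
    0x000020: "PASSWD_NOTREQD",
    0x000200: "NORMAL_ACCOUNT",
    0x010000: "DONT_EXPIRE_PASSWD",
    0x800000: "PASSWORD_EXPIRED",
}

FILETIME_NEVER = 9223372036854775807  # accountExpires "never" (0 means the same)


def parse_ldif(text):
    """Minimal LDIF reader: one attribute per line, no continuation lines."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                  # "attr:: <base64>"
            entry[name] = base64.b64decode(value[1:].strip())
        else:
            entry[name] = value.strip()
    return entry


def sid_to_string(blob):
    """Binary objectSid -> 'S-1-5-21-...-RID'.

    Layout: revision byte, sub-authority count byte, 48-bit big-endian
    identifier authority, then count little-endian 32-bit sub-authorities.
    """
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def uac_flags(value):
    """Names of the known bits set in a userAccountControl value, low bit first."""
    value = int(value)
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def filetime_to_datetime(value):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime,
    or None for the two 'never' encodings (0 and 2**63-1)."""
    value = int(value)
    if value in (0, FILETIME_NEVER):
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=value // 10)


def authorize(entry, access_attr="msNPAllowDialin", now=None):
    """Return (allowed, reasons) the way a RADIUS authorize step might.

    access_attr is assumed to be the AD dial-in attribute (the thread does not
    name it). An absent attribute is treated as 'no opinion' here; rlm_ldap's
    access_attr setting instead rejected such users, which is what Jacob saw.
    """
    now = now or datetime.now(timezone.utc)
    reasons = []
    uac = int(entry["userAccountControl"])
    if uac & 0x0002:
        reasons.append("account disabled")
    if uac & 0x0010:
        reasons.append("account locked out")
    expires = filetime_to_datetime(entry.get("accountExpires", "0"))
    if expires is not None and expires <= now:
        reasons.append("account expired %s" % expires.isoformat())
    dialin = entry.get(access_attr)
    if dialin is not None and dialin.upper() != "TRUE":
        reasons.append("%s=%s" % (access_attr, dialin))
    return (not reasons, reasons)


ENTRY = parse_ldif(LDIF)

if __name__ == "__main__":
    print("dn:         ", ENTRY["dn"])
    print("objectSid:  ", sid_to_string(ENTRY["objectSid"]))
    print("UAC flags:  ", ", ".join(uac_flags(ENTRY["userAccountControl"])))
    print("pwdLastSet: ", filetime_to_datetime(ENTRY["pwdLastSet"]))
    print("authorize:  ", authorize(ENTRY))
```

Two things the logs above already show are worth keeping in mind while reading them. The ldapsearch that fails with "Operations error" uses base o=tfxschool,c=AU, while the one that returns entries uses dc=tfxschool,dc=internal, which is the form an AD naming context takes (the admin DN in the entry confirms it); and the identity in the radiusd bind line prints as empty ("bind as / to ..."), so that bind was anonymous or unauthenticated, and AD reporting it successful says nothing about whether the identity/password lines took effect. Separately, no bind account, however privileged, can read a user's password or its hash out of AD over LDAP, so an LDAP-only design can only verify a password by binding as the user with the cleartext password the NAS sent (PAP), and MS-CHAP has to go through ntlm_auth as it already does here. A User-Password that decodes to unprintable bytes, as in the radping request above, usually means the shared secret on the client and in clients.conf differ.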


