Multiple (different) LDAP servers and authorisation
Alan DeKok
aland at deployingradius.com
Wed Aug 15 04:16:04 CEST 2007
Stewart James wrote:
> I have been roped in to look over an issue we have with migrating from
> Novell to AD.
Repeat after me: AD is not an LDAP server.
It's not. It fakes it pretty well, but it's not.
> As I stated earlier authentication fall through works like a treat (if
> in the users file I don't specify an LDAP-Group authentication works).
> If I only specify 1 ldap server to do authentication and authorisation,
> everything works, it's only when I try to do authorisation via LDAP-Group
> AND try to do authorisation fall through as documented above that I
> start getting errors.
If you are trying to use LDAP to obtain the "known good" password from
AD, it's impossible.
> rlm_ldap: performing search in dc=ad,dc=vu,dc=edu,dc=au, with filter
> (samaccountname=USERNAME)
..
> rlm_ldap: looking for check items in directory...
>
> rlm_ldap: looking for reply items in directory...
Nothing, i.e. the user was found, but *nothing* more than that was found.
> auth: No authenticate method (Auth-Type) configuration found for the
> request: Rejecting the user
The server doesn't know how to authenticate the user, so the user is
rejected.
Please explain a little more what you're trying to do, and what you
expect to see where. Right now, you're trying to debug a solution.
Instead, focus on the problem, and the solution may be simple (or
impossible).
Alan DeKok.
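The configuration below is an added illustration of the point Alan makes, not Stewart's posted config or anything from the FreeRADIUS project: AD can only confirm that a user exists and which groups they are in, so the AD rlm_ldap instance is used for authorisation only, and authentication against AD is done by binding as the user (Auth-Type LDAP). The eDirectory instance is left to work as it already did. It assumes FreeRADIUS 1.x-era radiusd.conf and users-file syntax, that rlm_ldap registers a per-instance check attribute named `<instance>-Ldap-Group` for instances not named `ldap`, and placeholder hostnames, bind DNs, base DNs and group names (`example.invalid`, `RADIUS-VPN`, `vpnusers`) that must be replaced.

```text
# --- radiusd.conf, modules section (constructed example; all names are placeholders) ---
modules {
    # eDirectory: the directory that already worked in the original setup.
    ldap ldap_novell {
        server   = "edir.example.invalid"
        identity = "cn=radius,o=example"
        password = "CHANGE-ME"
        basedn   = "o=example"
        filter   = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        groupname_attribute    = cn
        groupmembership_filter = "(&(objectClass=groupOfNames)(member=%{Ldap-UserDn}))"
    }

    # Active Directory: usable only for "does the user exist" and "which groups".
    # AD never hands out a password over LDAP, so this instance can authenticate
    # solely by binding as the user, which needs the cleartext password (PAP).
    ldap ldap_ad {
        server   = "dc1.ad.example.invalid"
        identity = "cn=radius,cn=Users,dc=ad,dc=example,dc=invalid"
        password = "CHANGE-ME"
        basedn   = "dc=ad,dc=example,dc=invalid"
        filter   = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
        groupname_attribute    = cn
        groupmembership_filter = "(&(objectClass=group)(member=%{Ldap-UserDn}))"
    }
}

authorize {
    preprocess
    mschap
    # Both instances run on every request. A user who lives in only one
    # directory just produces "notfound" from the other, which does not reject.
    ldap_novell
    ldap_ad
    # The users file decides which directory is allowed to authenticate the user.
    files
    pap
}

authenticate {
    # AD users: bind to AD with the DN cached by ldap_ad during authorize.
    Auth-Type LDAP {
        ldap_ad
    }
    # eDirectory users keep the Auth-Type chosen from the password rlm_ldap
    # returned for them, exactly as before the migration.
    Auth-Type PAP {
        pap
    }
    Auth-Type MS-CHAP {
        mschap
    }
}

# --- users file (constructed example) ---
# Entries are tried top-down; the first whose check items all match wins.
DEFAULT ldap_ad-Ldap-Group == "RADIUS-VPN", Auth-Type := LDAP
        Reply-Message = "AD account"

DEFAULT ldap_novell-Ldap-Group == "vpnusers"
        Reply-Message = "eDirectory account"

# Anyone who matched no directory group is refused explicitly rather than
# falling into "No authenticate method (Auth-Type) configuration found".
DEFAULT Auth-Type := Reject
        Reply-Message = "Not authorised for this service"
```

The per-instance group attribute is what keeps the two directories apart: a bare `Ldap-Group` check would be ambiguous once two rlm_ldap instances are loaded. The final `Auth-Type := Reject` entry turns the silent "no Auth-Type" rejection in the log above into a deliberate policy decision that is easy to spot in the debug output. Bind-as-user only works when the NAS sends the password in the clear (PAP); MS-CHAP clients authenticating against AD need the mschap module's `ntlm_auth` path instead, which is outside what this example shows.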
More information about the Freeradius-Users mailing list