rlm_ldap and large AD structure issue
Capelle, Mark (PCMC-GB)
Mark.Capelle at pcmc.com
Mon Feb 25 20:56:53 CET 2008
I have been using FR since around the .4 release days, so they will have
to fight pretty hard to get me to dump it for ACS. :-)
I looked into this but unfortunately messing with the AD schema
attributes is usually frowned upon. Another FR user suggested I create
multiple LDAP statements each pointing to a lower OU in the tree that is
not so large. This seems like a logical idea except I can't seem to
make it work right in 2.0.0. I know I have done this in a previous FR
version, but I am stumped at this point. Here are the relevant portions:
radiusd.conf:
modules {
    ldap a {
        ####### Active Directory LDAP Setup #######
        server = *.*.*.1
        #port = 3268
        identity = "cn=***,ou=***,dc=***,dc=***"
        password = *
        basedn = "ou=a,dc=***,dc=***"
        filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 10
        timeout = 10
        timelimit = 10
        net_timeout = 1
        edir_account_policy_check = no
    }
    ldap b {
        ####### Active Directory LDAP Setup #######
        server = *.*.*.1
        #port = 3268
        identity = "cn=***,ou=***,dc=***,dc=***"
        password = *
        basedn = "ou=b,dc=***,dc=***"
        filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 10
        timeout = 10
        timelimit = 10
        net_timeout = 1
        edir_account_policy_check = no
    }
    ldap c {
        ####### Active Directory LDAP Setup #######
        server = *.*.*.1
        #port = 3268
        identity = "cn=***,ou=***,dc=***,dc=***"
        password = *
        basedn = "ou=c,dc=***,dc=***"
        filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 10
        timeout = 10
        timelimit = 10
        net_timeout = 1
        edir_account_policy_check = no
    }
}
sites-available/default:
authorize {
    # The ldap module will set Auth-Type to LDAP if it has not
    # already been set
    #ldap
    a
    b
    c
}
authenticate {
    # Uncomment it if you want to use ldap for authentication
    #
    # Note that this means "check plain-text password against
    # the ldap database", which means that EAP won't work,
    # as it does not supply a plain-text password.
    Auth-Type LDAP {
        a
        b
        c
    }
}
The debug from radiusd -X:
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Ready to process requests.
rad_recv: Access-Request packet from host *.*.*.* port 32856, id=154,
length=60
User-Name = "testuser"
User-Password = "testing"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_realm: No '\' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[ntdomain] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
WARNING: Deprecated conditional expansion ":-". See "man unlang" for
details
expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) ->
(sAMAccountName=testuser)
expand: ou=a,dc=***,dc=*** -> ou=a,dc=***,dc=***
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to *.*.*.*:389, authentication 0
rlm_ldap: bind as cn=***,ou=***,dc=***,dc=***/*** to *.*.*.*:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=a,dc=***,dc=***, with filter
(sAMAccountName=testuser)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[a] returns notfound
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
WARNING: Deprecated conditional expansion ":-". See "man unlang" for
details
expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) ->
(sAMAccountName=testuser)
expand: ou=b,dc=***,dc=*** -> ou=b,dc=***,dc=***
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to *.*.*.*:389, authentication 0
rlm_ldap: bind as cn=***,ou=***,dc=***,dc=***/*** to *.*.*.*:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=b,dc=***,dc=***, with filter
(sAMAccountName=testuser)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that
the user is configured correctly?
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[b] returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
WARNING: Deprecated conditional expansion ":-". See "man unlang" for
details
expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) ->
(sAMAccountName=testuser)
expand: ou=c,dc=***,dc=*** -> ou=c,dc=***,dc=***
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to *.*.*.*:389, authentication 0
rlm_ldap: bind as cn=***,ou=***,dc=***,dc=***/*** to *.*.*.*:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=c,dc=***,dc=***, with filter
(sAMAccountName=testuser)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[c] returns notfound
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect (rlm_ldap: User not found): [testuser/testing] (from
client PCMCRADIUS2 port 1)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> testuser
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 154 to *.*.*.* port 32856
Waking up in 4.9 seconds.
Cleaning up request 0 ID 154 with timestamp +9
Ready to process requests.
>Alan DeKok wrote:
>Capelle, Mark (PCMC-GB) wrote:
>> I have an issue since pointing FR to a point higher in my AD tree
>> (which will return more objects). I get the following error in my FR
>> logs when I try to authenticate a user:
>>
>> Fri Feb 22 10:37:14 2008 : Error: rlm_ldap: ldap_search() failed:
>> Operations error
> That's usually due to internal AD redirects, IIRC.
> See also doc/rlm_ldap, which talks about "operations error".
>> Has anyone else encountered this and found a solution? I am fighting
>> like hell to not install the corporate standard Cisco ACS box at my
>> site, but if I can't manage to get this working I may have to finally
>> cave :(
> Ugh. Most sites I hear about are moving away from commercial
> products to FreeRADIUS.
> Alan DeKok.
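A trace like the one in this message is easier to read once the per-module return codes, the base DN each rlm_ldap instance searched, and the final "No authenticate method (Auth-Type)" rejection are pulled out. The parser below is an added example, not code from the thread or from FreeRADIUS; its sample trace is a constructed, abridged copy of the debug output above with dc=example,dc=com standing in for the redacted domain components.

```python
import re
# Constructed sample: an abridged copy of the radiusd -X trace in the message,
# with dc=example,dc=com standing in for the redacted domain components.
SAMPLE_TRACE = """\
++[preprocess] returns ok
rlm_ldap: performing search in ou=a,dc=example,dc=com, with filter (sAMAccountName=testuser)
rlm_ldap: object not found or got ambiguous search result
++[a] returns notfound
rlm_ldap: performing search in ou=b,dc=example,dc=com, with filter (sAMAccountName=testuser)
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
rlm_ldap: user testuser authorized to use remote access
++[b] returns ok
rlm_ldap: performing search in ou=c,dc=example,dc=com, with filter (sAMAccountName=testuser)
++[c] returns notfound
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Login incorrect (rlm_ldap: User not found): [testuser/testing] (from client PCMCRADIUS2 port 1)
"""
MODULE_RE = re.compile(r"^\+\+\[(?P<module>[^\]]+)\] returns (?P<rc>\w+)$")
SEARCH_RE = re.compile(r"^rlm_ldap: performing search in (?P<base>.+?), with filter")
NO_AUTH_TYPE = "No authenticate method (Auth-Type) configuration found"

def parse_trace(text):
    """Return ([(module, rc), ...], {ldap instance: base DN}, auth_type_missing)."""
    returns, bases, pending_base, auth_type_missing = [], {}, None, False
    for line in text.splitlines():
        m = SEARCH_RE.match(line)
        if m:  # remember the base DN until the instance that searched it reports back
            pending_base = m.group("base")
            continue
        m = MODULE_RE.match(line)
        if m:
            returns.append((m.group("module"), m.group("rc")))
            if pending_base is not None:  # first module to return after a search is the ldap instance
                bases[m.group("module")] = pending_base
                pending_base = None
        elif NO_AUTH_TYPE in line:
            auth_type_missing = True
    return returns, bases, auth_type_missing

def diagnose(text):
    """Summarise which ldap instances found the user and whether authentication was ever attempted."""
    returns, bases, auth_type_missing = parse_trace(text)
    ldap_rcs = {mod: rc for mod, rc in returns if mod in bases}
    return {
        "found_in": [m for m, rc in ldap_rcs.items() if rc == "ok"],
        "not_found_in": [m for m, rc in ldap_rcs.items() if rc == "notfound"],
        "searched": bases,
        "rejected_without_auth_type": auth_type_missing,
    }
```

On the sample trace, `diagnose(SAMPLE_TRACE)` reports that only instance `b` found the user while the request was still rejected because no Auth-Type had been set, which is the state the debug output above shows.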