rlm_ldap and large AD structure issue

Capelle, Mark (PCMC-GB) Mark.Capelle at pcmc.com
Mon Feb 25 20:56:53 CET 2008


I have been using FR since around the .4 release days, so they will have
to fight pretty hard to get me to dump it for ACS. :-)

I looked into this but unfortunately messing with the AD schema
attributes is usually frowned upon.  Another FR user suggested I create
multiple LDAP statements each pointing to a lower OU in the tree that is
not so large.  This seems like a logical idea except I can't seem to
make it work right in 2.0.0.  I know I have done this in a previous FR
version, but I am stumped at this point.  Here are the relevant portions:

radiusd.conf:

modules {
        ldap a {
                ####### Active Directory LDAP Setup #######
                server = *.*.*.1
                #port = 3268
                identity = "cn=***,ou=***,dc=***,dc=***"
                password = *
                basedn = "ou=a,dc=***,dc=***"
                filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
                start_tls = no
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 10
                timeout = 10
                timelimit = 10
                net_timeout = 1
                edir_account_policy_check = no
        }

        ldap b {
                ####### Active Directory LDAP Setup #######
                server = *.*.*.1
                #port = 3268
                identity = "cn=***,ou=***,dc=***,dc=***"
                password = *
                basedn = "ou=b,dc=***,dc=***"
                filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
                start_tls = no
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 10
                timeout = 10
                timelimit = 10
                net_timeout = 1
                edir_account_policy_check = no
        }

        ldap c {
                ####### Active Directory LDAP Setup #######
                server = *.*.*.1
                #port = 3268
                identity = "cn=***,ou=***,dc=***,dc=***"
                password = *
                basedn = "ou=c,dc=***,dc=***"
                filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
                start_tls = no
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 10
                timeout = 10
                timelimit = 10
                net_timeout = 1
                edir_account_policy_check = no
        }
}

sites-available/default:

authorize {
        #  The ldap module will set Auth-Type to LDAP if it has not
        #  already been set

        #ldap

        a
        b
        c
}

authenticate {
        # Uncomment it if you want to use ldap for authentication
        #
        # Note that this means "check plain-text password against
        # the ldap database", which means that EAP won't work,
        # as it does not supply a plain-text password.
        Auth-Type LDAP {
                a
                b
                c
        }
}


The debug from radiusd -X:

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Ready to process requests.
rad_recv: Access-Request packet from host *.*.*.* port 32856, id=154, length=60
        User-Name = "testuser"
        User-Password = "testing"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
    rlm_realm: No '\' in User-Name = "testuser", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[ntdomain] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
        expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -> (sAMAccountName=testuser)
        expand: ou=a,dc=***,dc=*** -> ou=a,dc=***,dc=***
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to *.*.*.*:389, authentication 0
rlm_ldap: bind as cn=***,ou=***,dc=***,dc=***/*** to *.*.*.*:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=a,dc=***,dc=***, with filter (sAMAccountName=testuser)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[a] returns notfound
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
        expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -> (sAMAccountName=testuser)
        expand: ou=b,dc=***,dc=*** -> ou=b,dc=***,dc=***
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to *.*.*.*:389, authentication 0
rlm_ldap: bind as cn=***,ou=***,dc=***,dc=***/*** to *.*.*.*:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=b,dc=***,dc=***, with filter (sAMAccountName=testuser)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[b] returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
        expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -> (sAMAccountName=testuser)
        expand: ou=c,dc=***,dc=*** -> ou=c,dc=***,dc=***
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to *.*.*.*:389, authentication 0
rlm_ldap: bind as cn=***,ou=***,dc=***,dc=***/*** to *.*.*.*:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=c,dc=***,dc=***, with filter (sAMAccountName=testuser)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[c] returns notfound
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect (rlm_ldap: User not found): [testuser/testing] (from client PCMCRADIUS2 port 1)
  Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} -> testuser
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 154 to *.*.*.* port 32856
Waking up in 4.9 seconds.
Cleaning up request 0 ID 154 with timestamp +9
Ready to process requests.

>Alan DeKok wrote:
>Capelle, Mark (PCMC-GB) wrote:
>> I have an issue since pointing FR to a point higher in my AD tree
>> (which will return more objects).  I get the following error in my FR
>> logs when I try to authenticate a user:
>>
>> Fri Feb 22 10:37:14 2008 : Error: rlm_ldap: ldap_search() failed:
>> Operations error
>
>  That's usually due to internal AD redirects, IIRC.
>
>  See also doc/rlm_ldap, which talks about "operations error".
>
>> Has anyone else encountered this and found a solution?  I am fighting
>> like hell to not install the corporate standard Cisco ACS box at my
>> site, but if I can't manage to get this working I may have to finally
>> cave :(
>
>  Ugh.  Most sites I hear about are moving away from commercial
>  products to FreeRADIUS.
>
>  Alan DeKok.

 
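The per-OU lookup that the a, b and c instances perform, modelled as an added example that is not part of the original post or of FreeRADIUS: it walks the OUs in order, applies the RFC 4515 filter escaping that rlm_ldap applies to its %{...} expansions, and separates the "notfound" outcome from the "ambiguous search result" failure seen in the debug output. The in-memory directory, its DNs and the example.com names are constructed; the server-side wildcard matching is a simplified stand-in for AD.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the AD sub-trees (made-up DNs and names).
DIRECTORY: Dict[str, List[Dict[str, str]]] = {
    "ou=a,dc=example,dc=com": [
        {"dn": "cn=alice,ou=a,dc=example,dc=com", "sAMAccountName": "alice"},
        {"dn": "cn=adam,ou=a,dc=example,dc=com", "sAMAccountName": "adam"},
    ],
    "ou=b,dc=example,dc=com": [
        {"dn": "cn=testuser,ou=b,dc=example,dc=com", "sAMAccountName": "testuser"},
        {"dn": "cn=bob,ou=b,dc=example,dc=com", "sAMAccountName": "bob"},
    ],
}
BASES = list(DIRECTORY) + ["ou=c,dc=example,dc=com"]  # ou=c holds no entries

def escape_filter_value(value: str) -> str:
    # RFC 4515 escaping; rlm_ldap escapes its %{...} expansions the same way,
    # so a User-Name cannot add wildcards or extra terms to the filter.
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def build_filter(user_name: str) -> str:
    return "(sAMAccountName=%s)" % escape_filter_value(user_name)

def assertion_to_regex(assertion: str) -> "re.Pattern[str]":
    # Server-side view of the value: a bare '*' is a wildcard, '\xx' is a
    # literal character; sAMAccountName matching is case-insensitive in AD.
    pieces = []
    for tok in re.findall(r"\\[0-9a-fA-F]{2}|\*|\\|[^\\*]+", assertion):
        if tok == "*":
            pieces.append(".*")
        else:
            pieces.append(re.escape(chr(int(tok[1:], 16)) if tok[0] == "\\" and len(tok) == 3 else tok))
    return re.compile("^" + "".join(pieces) + "$", re.IGNORECASE)

def search(base: str, ldap_filter: str) -> Tuple[str, Optional[str]]:
    # One instance's lookup: rlm_ldap needs exactly one entry, so 'ok' with
    # its DN, 'notfound' for none, 'fail' for an ambiguous multi-entry result.
    m = re.fullmatch(r"\(sAMAccountName=(.*)\)", ldap_filter)
    if m is None:
        return ("fail", None)
    matcher = assertion_to_regex(m.group(1))
    hits = [e["dn"] for e in DIRECTORY.get(base, []) if matcher.match(e["sAMAccountName"])]
    return ("ok", hits[0]) if len(hits) == 1 else ("notfound", None) if not hits else ("fail", None)

def find_user(user_name: str, bases: List[str] = BASES) -> Optional[Tuple[str, str]]:
    # Walk the OUs in order like the a, b, c instances; stop at the first 'ok'.
    ldap_filter = build_filter(user_name)
    for base in bases:
        rcode, dn = search(base, ldap_filter)
        if rcode == "ok":
            return (base, dn)
    return None
```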
