Ldap-UserDn character set problem?
John Hawkes-Reed
John.Hawkes-Reed at futurenet.com
Tue Oct 21 15:10:31 CEST 2008
Hello.
I'm attempting to bring up a FreeRadius-2.1.1 rig that auths against AD.
NTLM authentication seems to work well, but LDAP authorisation appears to
hit a problem when extracting the DN:
rlm_ldap: Entering ldap_groupcmp()
[files] expand: ou=staff,dc=uk,dc=mydomain,dc=com ->
ou=staff,dc=uk,dc=mydomain,dc=com
[files] expand: (sAMAccountName=%{mschap:User-Name}) ->
(sAMAccountName=jhreed)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=staff,dc=uk,dc=mydomain,dc=com, with
filter (sAMAccountName=jhreed)
rlm_ldap: ldap_release_conn: Release Id: 0
[files] expand:
(|(&(objectClass=GroupOfNames)(member=%{check:Ldap-UserDn}))(&(objectClass=G
roupOfUniqueNames)(uniquemember=%{check:Ldap-UserDn}))) ->
(|(&(objectClass=GroupOfNames)(member=CN\3dJohn
Hawkes-Reed\2cOU\3dIT\2cOU\3dStaff\2cDC\3duk\2cDC\3dmydomain\2cDC\3dcom))(&(
objectClass=GroupOfUniqueNames)(uniquemember=CN\3dJohn
Hawkes-Reed\2cOU\3dIT\2cOU\3dStaff\2cDC\3duk\2cDC\3dmydomain\2cDC\3dcom)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in cn=vpn-users,ou=Security
Groups,ou=Groups,dc=uk,dc=mydomain,dc=com, with filter
(|(&(objectClass=GroupOfNames)(member=CN\3dJohn
Hawkes-Reed\2cOU\3dIT\2cOU\3dStaff\2cDC\3duk\2cDC\3dmydomain\2cDC\3dcom))(&(
objectClass=GroupOfUniqueNames)(uniquemember=CN\3dJohn
Hawkes-Reed\2cOU\3dIT\2cOU\3dStaff\2cDC\3duk\2cDC\3dmydomain\2cDC\3dcom)))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group cn=vpn-users,ou=Security
Groups,ou=Groups,dc=uk,dc=mydomain,dc=com not found or user is not a member.
Running ldapsearch against AD shows the following:
# vpn-users, Security Groups, Groups, uk.mydomain.com
dn: CN=vpn-users,OU=Security Groups,OU=Groups,DC=uk,DC=mydomain,DC=
com
objectClass: top
objectClass: group
cn: vpn-users
member: CN=John Hawkes-Reed,OU=IT,OU=Staff,DC=uk,DC=mydomain,DC=com
distinguishedName: CN=vpn-users,OU=Security
Groups,OU=Groups,DC=uk,DC=mydomain,DC=com
I can find a similar bug mentioned in the archives, but that appeared to be
an older version of the code.
Hopefully that's enough debug to enable someone to point me in the right
direction. (Other than 'Don't use AD then...')
--
John Hawkes-Reed
--
Future Publishing Limited (registered company number 2008885) is a wholly owned subsidiary of Future plc (registered company number 3757874), both of which are incorporated in England and Wales and share the same registered address at Beauford Court, 30 Monmouth Street, Bath BA1 2BW.
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to which they are addressed. If you have received this email in error please reply to this email and then delete it. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Future.
The recipient should check this email and any attachments for the presence of viruses. Future accepts no liability for any damage caused by any virus transmitted by this email.
Future may regularly and randomly monitor outgoing and incoming emails and other telecommunications on its email and telecommunications systems. By replying to this email you give your consent to such monitoring.
*****
Save resources: think before you print.
More information about the Freeradius-Users
mailing list