LDAP/AD and multiple OU's

Danner, Mearl jmdanner at samford.edu
Tue Sep 15 15:00:59 CEST 2009


Please send in plaintext not html. It's easier to put comments inline.

The default LDAP search in freeradius is sub (search all subcontainers from supplied root DN).

As to using UID:

You'll need to search sAMAccountName in AD to insure that the name is unique.

I don't believe that uid has guaranteed uniqueness. Evidently your implementation does not have unique uids.

http://msdn.microsoft.com/en-us/library/ms680508%28VS.85%29.aspx

Note that it's not single-valued. Whereas:

http://msdn.microsoft.com/en-us/library/ms679635%28VS.85%29.aspx sAMAccountName is. Also it's indexed. Search's will be faster.


From: freeradius-users-bounces+jmdanner=samford.edu at lists.freeradius.org [mailto:freeradius-users-bounces+jmdanner=samford.edu at lists.freeradius.org] On Behalf Of Justin Steward
Sent: Monday, September 14, 2009 7:51 PM
To: FreeRadius users mailing list
Subject: LDAP/AD and multiple OU's

Hi guys,

A couple of quick questions just to make sure I don't end up chasing my own tail.

Need to authenticate by doing a basic bind against an AD server. All users are contained in seperate OU's below a primary OU.

The relevant LDAP lines from radiusd -X are (with identifiable information removed):
rlm_ldap: bind as Cn=lookupuser,OU=Primary, ou=....../password123 to .....:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=Primary,ou=....., with filter (uid=username)
rlm_ldap: object not found or got ambiguous search result

Now, I know the user is actually contained in ou=2015,ou=Primary,ou=..... and there are others contained in 2016,2017,2018, etc.

1) Does freeRadius automatically search each of these sub containers, or do I have to tell it to some how?

2) Does AD even store usernames in UID? (loln00b question. But i have no experienec with AD, so far I haven't had an AD box to play with, and this one is more or less out of my control, I can only talk to it over LDAP.)

Many Thanks,
Justin




More information about the Freeradius-Users mailing list