Returning attributes based on group membership using NTLM_AUTH
Alexander Clouter
alex at digriz.org.uk
Tue Aug 9 20:33:57 CEST 2011
Moe, John <jmoe at hatch.com.au> wrote:
>>
>> > 3) How much/what options do I need to configure in the ldap module
>> >config? I've configured server, basedn, filter, groupname_attribute,
>> >groupmembership_filter and groupmembership_attribute, but all I get
>> >is "Operations error". If I add identity and secret, I get a
>> >"Referral" failure. I've also tried the chase_referrals and rebind
>> >options, both with and without
>> > the identity/secret options, but they don't seem to change anything.
>> >
>> What does the following give you from the command line:
>> ----
>> ldapsearch -LLL -x -h mygc.my.domain.name -b dc=my,dc=domain,dc=name sAMAccountName=username
>> ----
>
> Operations error (1)
> Additional information: 00000000: LdapErr: DSID-0C090627, comment: In order
> to perform this operation a successful bind must be completed on the
> connection., data 0, vece
>
> However, if I take out the "-x", I got an error saying my Kerberos ticket
> had expired. I did a kdestroy and kinit again, with the "-x", it still gave
> the error above. Without the "-x", I get what looks like a listing of all
> the account attributes. However, at the bottom, it says:
>
> # search reference
> ref: ldap://DomainDnsZones.my.domain.name/DC=DomainDnsZones,DC=my,DC=domain,DC=name
>
> # search result
> search: 5
> result: 0 Success
>
> # numResponses: 3
> # numEntries: 1
> # numReferences: 1
>
> So something still isn't right.
>
To use Kerberos with ldapsearch you need to be looking at the SASL
options in the manpage; probably just -Q would be needed.
>> Until you can get 'ldapsearch' to work, you are unlikely to get
>> FreeRADIUS to work. From the debug output and your description, it
>> sounds more like a "how you are using LDAP" rather than "how FreeRADIUS
>> is using LDAP" problem.
>>
>> If you can get ldapsearch to display the attributes you are after, then
>> you can start to tinker with FreeRADIUS.
>
> Yeah, I kinda figured it was a "I'm not sure how to configure LDAP properly
> to talk to my AD". Thanks for the assistance. I'll have a play around with
> ldapsearch for a while and see if I can't figure this out.
>
Found some useful bits at (eugh, Gentoo):
http://en.gentoo-wiki.com/wiki/Active_Directory_Authentication_using_LDAP#OpenLDAP_configuration_files
> And if I use ldp.exe (comes with Windows), or Softerra's LDAP Browser, I can
> connect to the same host, bind using the same credentials, use the same
> basedn and search using the same filter, and I get results. So I'm not sure
> what I'm doing wrong.
>
It might be worth putting wireshark on the windows workstation running
ldp.exe if you get desperate. It might give you some hints.
(although I see you have already figured things out in your next posting)
> OT and perhaps reply off list, but I'm curious why you say "ewwww" to
> PHP, and what you would use instead?
>
Flamebait! I nearly fell for it. :)
You have permission to Google-stalk me if you really want to know
what I use.
Cheers
--
Alexander Clouter
.sigmonster says: What soon grows old? Gratitude.
-- Aristotle
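The advice in this thread is to get ldapsearch working before touching FreeRADIUS, and the two symptoms discussed are an AD that refuses the anonymous simple bind and a search that succeeds but comes back with a search reference to DomainDnsZones. The script below is an added example, not code from the posts, from FreeRADIUS or from OpenLDAP: it runs the same query with the three bind methods that come up in the thread (anonymous, identity/secret simple bind, Kerberos via SASL GSSAPI), and it summarises ldapsearch's LDIF output so you can see at a glance whether you got exactly one entry and no referrals. The host, base DN, filter and bind DN are placeholders lifted from the thread, the LDIF sample is constructed to match the quoted output, and reading rlm_ldap's "Referral" failure as a consequence of that DomainDnsZones search reference is my assumption rather than something the thread states.

```shell
#!/bin/sh
# Added example for this thread; it is not code from the original posts, from
# FreeRADIUS or from OpenLDAP. Assumes OpenLDAP's ldapsearch (built with SASL
# GSSAPI support for the Kerberos case) and awk. Host, base DN, filter and
# bind DN are placeholders taken from the thread, not a real domain.

# Run the same query with three different bind methods. AD rejects anonymous
# searches, so the bare "-x" form reproduces the "Operations error ...
# a successful bind must be completed" message from the thread; the other
# two are the methods FreeRADIUS's ldap module would actually need.
ad_search() {
    host=$1 base=$2 filter=$3 mode=$4
    case $mode in
        anon)   ldapsearch -LLL -x -H "ldap://$host" -b "$base" "$filter" ;;
        simple) # bind DN and password, i.e. the identity/secret pair from the
                # rlm_ldap config; -W prompts for the password instead of
                # exposing it on the command line ($BIND_DN is a placeholder)
                ldapsearch -LLL -x -H "ldap://$host" -D "$BIND_DN" -W -b "$base" "$filter" ;;
        gssapi) # Kerberos via SASL, using the ticket from kinit; -Q makes
                # ldapsearch quiet about SASL and never prompts
                ldapsearch -LLL -Y GSSAPI -Q -H "ldap://$host" -b "$base" "$filter" ;;
        *)      echo "unknown mode: $mode" >&2; return 2 ;;
    esac
}

# Summarise ldapsearch LDIF from stdin: entries found, search references
# (referrals) returned, and the result code. LDIF folds long values onto
# continuation lines that begin with a single space, so those are joined
# before matching; the "ref:" value in the thread is such a folded line.
ldif_summary() {
    awk '
        function handle(l) {
            if (l ~ /^dn: /)          entries++
            else if (l ~ /^ref: /)    { refs++; sub(/^ref: */, "", l); reflist = reflist " " l }
            else if (l ~ /^result: /) { split(l, f, " "); result = f[2] }
        }
        /^ /  { cur = cur substr($0, 2); next }
        { if (cur != "") handle(cur); cur = $0 }
        END {
            if (cur != "") handle(cur)
            printf "entries=%d refs=%d result=%s%s\n", entries, refs, result, reflist
        }'
}

# Exit status 0 only when the search came back with exactly one entry and no
# referrals: the shape a RADIUS backend can use without chasing anything.
ldif_clean() {
    s=$(ldif_summary)
    case $s in
        "entries=1 refs=0 result=0"*) return 0 ;;
        *) echo "not clean: $s" >&2; return 1 ;;
    esac
}

# Constructed sample, modelled on the output quoted in the thread (not real
# data): one user entry plus the DomainDnsZones referral that a search from
# the domain root on port 389 returns, with the ref: value folded in LDIF style.
SAMPLE='dn: CN=username,CN=Users,DC=my,DC=domain,DC=name
sAMAccountName: username
memberOf: CN=VPN Users,CN=Users,DC=my,DC=domain,DC=name

# search reference
ref: ldap://DomainDnsZones.my.domain.name/DC=DomainDnsZones,DC=my,DC=domain,DC
 =name

# search result
search: 5
result: 0 Success
'

printf '%s' "$SAMPLE" | ldif_summary
```

Against a live domain controller you would pipe the real thing through the same check, for example `ad_search mygc.my.domain.name dc=my,dc=domain,dc=name sAMAccountName=username gssapi | ldif_clean`. A search from the domain root on port 389 will normally carry the DomainDnsZones reference shown in the sample; pointing the URI at the global catalog port (3268) or narrowing the base DN to the container that holds the users are the usual ways to get a result with no referrals, which is the point at which it is worth going back to the rlm_ldap configuration.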