Returning attributes based on group membership using NTLM_AUTH
Alexander Clouter
alex at digriz.org.uk
Tue Aug 9 20:51:11 CEST 2011
Moe, John <jmoe at hatch.com.au> wrote:
>
> So I've gone back to FR's LDAP module and thought I'd give "ldap_debug" a try,
> despite the warning. Surprisingly, it spit out one extra line in my debug:
>
> rlm_ldap: performing search in dc=my,dc=domain,dc=name, with filter (sAMAccountName=username)
> Unable to chase referral "ldap://my.domain.name/dc=my,dc=domain,dc=name" (-1: Can't contact LDAP server)
> rlm_ldap: ldap_search() failed: Referral
>
> If I copy and paste that url "ldap://my.domain.name/dc=my,dc=domain,dc=name"
> into my Windows box, it opens LDAP Browser and connects just fine to my
> domain, so I assume the syntax of that is right. And if I use just
> "my.domain.name" in ldapsearch as the host, it works there as well. Any idea
> why this wouldn't work?
>
Looks like[2] if you do not make an anonymous bind to AD your problems
might go away or alternatively change your base to be not the root of
your directory.
> Out of curiosity, do I need to configure OpenLDAP on the server at all? Or
> does this module's conf take care of that for me, for this purpose?
>
No need in theory, I personally do just to fix up certificate
validation[1] when using ldapsearch and whatnot though.
Cheers
[1] TLS_CACERT /etc/ssl/certs/ca-certificates.crt
[2] http://lists.cistron.nl/pipermail/freeradius-users/2005-December/msg00228.html
and http://bytes.com/topic/php/answers/11274-use-php-authenticate-ad
--
Alexander Clouter
.sigmonster says: You are magnetic in your bearing.
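The two changes suggested in the reply above (authenticated bind, and a base DN below the directory root), written out as an rlm_ldap configuration for FreeRADIUS 2.x. This is an added example, not a config from the thread or from the FreeRADIUS project; the server name, the service-account DN, the OU and the password are placeholders. The reason the narrower base helps is that a subtree search from the AD domain root typically returns referrals for the DomainDnsZones and ForestDnsZones partitions and any child domains, and the error in the debug output is the client failing while following one of those referrals.

```conf
# Added example for raddb/modules/ldap (FreeRADIUS 2.x). Hostnames, DNs, OU
# names and the password are placeholders; adjust to your directory.
ldap {
	server = "dc1.my.domain.name"
	port = 389

	# Bind with a dedicated, low-privilege service account instead of
	# anonymously; AD will not follow referrals usefully for an anonymous bind.
	identity = "cn=radius-svc,ou=Service Accounts,dc=my,dc=domain,dc=name"
	password = "CHANGE_ME"

	# Search below an OU rather than the directory root, so the search stays
	# inside one naming context and AD does not hand back referrals.
	basedn = "ou=Users,dc=my,dc=domain,dc=name"
	filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"

	# Alternative if the root basedn must stay: let rlm_ldap follow referrals
	# and re-bind with the same credentials when it does. Assumption: these two
	# options are the ones documented in the raddb/modules/ldap shipped with
	# your 2.1.x release; check that file before enabling them.
	# chase_referrals = yes
	# rebind = yes

	# Validate the server certificate with the same CA bundle the reply's [1]
	# uses for ldapsearch, rather than sending the bind password in the clear.
	tls {
		start_tls = yes
		cacertfile = /etc/ssl/certs/ca-certificates.crt
		require_cert = "demand"
	}
}
```

For ldapsearch itself the module config does nothing; the `TLS_CACERT` line from [1] goes into the OpenLDAP client config (for example /etc/ldap/ldap.conf on Debian) so that `-ZZ` can verify the domain controller's certificate. A quick check that the base DN is narrow enough is an `ldapsearch -b` with the same base and filter from the module: if the result contains no `ref:` lines, rlm_ldap will not need to chase anything.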