Active directory groups
Phil Mayers
p.mayers at imperial.ac.uk
Fri May 20 18:03:57 CEST 2011
On 20/05/11 16:27, Doty, Seth wrote:
> I changed my baseDN to: basedn = ou=test,dc=AD,dc=ne,dc=gov and this
> results in the same failure in the group section.
> rlm_ldap: object not found
> rlm_ldap::ldap_groupcmp: search failed
>
>
> I can't remove the ou=test portion or authentication fails completely and
> I get a reject:
> [ldap] performing user authorization for seth.doty
> [ldap] expand: %{Stripped-User-Name} ->
> [ldap] expand: %{User-Name} -> seth.doty
> [ldap] expand: (CN=%{%{Stripped-User-Name}:-%{User-Name}}) ->
> (CN=seth.doty)
> [ldap] expand: dc=ad,dc=ne,dc=gov -> dc=ad,dc=ne,dc=gov
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: closing existing LDAP connection
> rlm_ldap: (re)connect to ad.ne.gov:389, authentication 0
> rlm_ldap: bind as stn\seth.doty/ to stone.ne.gov:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in dc=ad,dc=ne,dc=gov, with filter
> (CN=seth.doty)
> rlm_ldap: ldap_search() failed: Operations error

You're just putting random things into the ldap config and hoping it
will work.

Go and speak to the people who run your LDAP service. Ask them for the
correct base DN, bind DN and credentials, group filters and so forth.

Try these LDAP parameters from the command line using ldapsearch. When
it's working, try them with FreeRADIUS.
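
Added example, not part of the original message and not FreeRADIUS code: a small Python helper that reads rlm_ldap debug lines like those quoted above and builds the matching OpenLDAP `ldapsearch` command, so the same server, bind identity, base DN and filter can be tested outside FreeRADIUS. The function names are hypothetical, the sample lines are constructed from the quoted output with the wrapped filter line rejoined, and it assumes the bind line has the form `identity/password`.

```python
import re
import shlex

# Constructed sample: radiusd -X lines shaped like those quoted above,
# with the wrapped filter line rejoined.
SAMPLE_DEBUG = r"""
rlm_ldap: (re)connect to ad.ne.gov:389, authentication 0
rlm_ldap: bind as stn\seth.doty/ to stone.ne.gov:389
rlm_ldap: performing search in dc=ad,dc=ne,dc=gov, with filter (CN=seth.doty)
rlm_ldap: ldap_search() failed: Operations error
"""

def parse_debug(text):
    """Pull out what rlm_ldap actually sent: server, bind identity, base, filter."""
    found = {}
    m = re.search(r"\(re\)connect to (\S+):(\d+)", text)
    if m:
        found["uri"] = f"ldap://{m.group(1)}:{m.group(2)}"
    # Assumption: the bind line is "<identity>/<password>"; record only
    # whether a password was present, never its value.
    m = re.search(r"bind as (.*)/(.*) to \S+:\d+", text)
    if m:
        found["bind_dn"] = m.group(1)
        found["password_sent"] = bool(m.group(2))
    m = re.search(r"performing search in (.+), with filter\s+(\(.*\))", text)
    if m:
        found["base"], found["filter"] = m.group(1), m.group(2)
    m = re.search(r"ldap_search\(\) failed: (.+)", text)
    if m:
        found["error"] = m.group(1).strip()
    return found

def ldapsearch_argv(found):
    """Build the equivalent ldapsearch call; -W prompts for the password."""
    missing = [k for k in ("uri", "bind_dn", "base", "filter") if k not in found]
    if missing:
        raise ValueError(f"debug output lacks: {', '.join(missing)}")
    return ["ldapsearch", "-x", "-H", found["uri"], "-D", found["bind_dn"],
            "-W", "-b", found["base"], "-s", "sub", found["filter"]]

if __name__ == "__main__":
    found = parse_debug(SAMPLE_DEBUG)
    print(shlex.join(ldapsearch_argv(found)))
    if not found.get("password_sent", True):
        print("note: no password appears after the slash in the bind line")
    if "error" in found:
        print("radiusd reported:", found["error"])
```

Because `-W` prompts for the bind password, the credential never lands in shell history or the process list.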