LDAP Module : basedn empty -> error

Arran Cudbard-Bell a.cudbardb at freeradius.org
Fri Nov 29 16:58:15 CET 2013

On 29 Nov 2013, at 15:39, Dominique Fournier <dominique.fournier at grenoble.cnrs.fr> wrote:

> Hi
> I am trying to connect my Freeradius to a multidomain Zimbra LDAP server. In Zimbra, the LDAP tree is something like:
> "ou=people,dc=domain,dc=tld".
> I have some domains in ".fr" and some others in ".org".
> If I configure it with basedn = "dc=fr", Freeradius works well for all the domains in ".fr". But if I try to allow all my domains (with basedn=""), Freeradius doesn't authenticate the users.
> In the logs, when there is a reject, I can see :
> [ldap-inner-tunnel] performing user authorization for XXXXX
> [ldap-inner-tunnel] 	expand: (mail=%{User-Name}) -> (mail=XXXXX.fr)
> [ldap-inner-tunnel] 	expand:  ->
>  [ldap-inner-tunnel] unable to create basedn.
> ++[ldap-inner-tunnel] returns invalid
> Invalid user: [XXXXX.fr] (from client localhost port 0 via TLS tunnel)
> I found a topic on the list from 2012, http://freeradius.1045715.n5.nabble.com/Sending-null-BaseDN-td5716006.html, but there is no solution.
> I am on Debian stable, Freeradius 2.1.12.

It was precisely for this reason that in version 3 there was a distinction made between the failure case of xlats, and the case where the expansion was a zero length string.

It should work fine in 3.0.0, 3.0.x or master. There is no solution for that version unless you can insert some chars into the base_dn that the LDAP server will ignore. You could try a bit of whitespace?


Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team
