freeradius 3 ldap

Davide Garofalo davide.garofalo at gmail.com
Fri Oct 25 15:07:38 CEST 2013


OK, in FreeRADIUS 2 I've used if (LDAP-Group == "blabla") { ... } in post-auth
and everything works fine, but in FreeRADIUS 3??

I've tried to set scope=base in the ldap config and the result is
(0) Waiting for search result...
(0) Search returned no results

The credentials are OK. Can you tell me what "try using the global
catalog server, instead of a local AD server" means??

If I perform an LDAP search

 ldapsearch -h 10.0.0.19 -b "dc=intra,dc=ismaa,dc=it" \
   -D "cn=squid,dc=intra,dc=ismaa,dc=it" -w "XXXXXXXX" \
   '(&(objectCategory=person)(objectClass=user)(sAMAccountName=critest))'

the result is:
# extended LDIF
#
# LDAPv3
# base <dc=intra,dc=ismaa,dc=it> with scope subtree
# filter: (&(objectCategory=person)(objectClass=user)(sAMAccountName=critest))
# requesting: ALL
#

# critest test, UO_Test2, Computers_SUS, intra.ismaa.it
dn: CN=critest test,OU=UO_Test2,OU=Computers_SUS,DC=intra,DC=ismaa,DC=it
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: critest test
sn: test
givenName: critest
distinguishedName: CN=critest test,OU=UO_Test2,OU=Computers_SUS,DC=intra,DC=ismaa,DC=it
instanceType: 4
whenCreated: 20130314153458.0Z
whenChanged: 20131022132244.0Z
displayName: critest test
uSNCreated: 107373282
memberOf: CN=radius_cri,OU=RADIUS,OU=FEM,DC=intra,DC=ismaa,DC=it
memberOf: CN=dipendenti,OU=Internet,DC=intra,DC=ismaa,DC=it
memberOf: CN=K_Internet_Dipendenti,OU=Internet,DC=intra,DC=ismaa,DC=it
uSNChanged: 358179580
name: critest test
objectGUID:: JJ+bzzA9tEGdjQtyd8J8Kw==
userAccountControl: 512
badPwdCount: 1
codePage: 0
countryCode: 0
homeDirectory: \\IASMA003\utenti\critest
homeDrive: M:
badPasswordTime: 130269164412391214
lastLogoff: 0
lastLogon: 130269081333443991
scriptPath: mainbatch.bat
pwdLastSet: 130269217648210862
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAiqcyP6M80yZDFwoyPjAAAA==
accountExpires: 0
logonCount: 95
sAMAccountName: critest
division: 0da9ce1da208fc1751dcd52e479c6384869949f4
sAMAccountType: 805306368
userPrincipalName: critest@intra.ismaa.it
lockoutTime: 0
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=intra,DC=ismaa,DC=it
dSCorePropagationData: 20130411130311.0Z
dSCorePropagationData: 20130411130311.0Z
dSCorePropagationData: 20130411130311.0Z
dSCorePropagationData: 16010108151056.0Z

# search reference
ref: ldap://ForestDnsZones.intra.ismaa.it/DC=ForestDnsZones,DC=intra,DC=ismaa,DC=it

# search reference
ref: ldap://DomainDnsZones.intra.ismaa.it/DC=DomainDnsZones,DC=intra,DC=ismaa,DC=it

# search reference
ref: ldap://intra.ismaa.it/CN=Configuration,DC=intra,DC=ismaa,DC=it

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3



Surely the fault is mine, but I do not understand where it is...

thank you!!




2013/10/25 Alan DeKok <aland at deployingradius.com>

> Davide Garofalo wrote:
> > i've a big problem with the new module ldap.
>
>   It's a problem with active directory.
>
> > when i perform a ldap request i've this error
> > Fri Oct 25 14:16:30 2013 : ERROR: (0) ERROR: Failed performing search:
> > Please set 'chase_referrals=yes' and 'rebind=yes'. See the ldap module
> > configuration for details.
> > Fri Oct 25 14:16:30 2013 : ERROR: (0) ERROR: Server said: 00000000:
> > LdapErr: DSID-0C090627, comment: In order to perform this operation a
> > successful bind must be completed on the connection., data 0, vece.
>
>   That would seem to be obvious.  Do you have it configured to use the
> correct credentials?  Or, try using the global catalog server, instead
> of a local AD server.
>
>   You might not know this, but AD isn't really an LDAP server.  It
> pretends to be one sometimes.  But for critical issues... it's not.
>
>   DON'T do "-Xxxxxxx".  It's pointless.  "-X" is enough.
>
>   The debug log says:
>
> > Fri Oct 25 11:57:16 2013 : Info: Invalid operator for item Ldap-Group:
> reverting to '=='
>
>   Fix that.  It won't solve the problem, but it will help.
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>



-- 
*Davide Garofalo*
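Below is an added rlm_ldap configuration for FreeRADIUS 3.0 that is not part of this thread and not the FreeRADIUS project's own file; it shows how the AD search and the LDAP-Group check from the question fit together. The server address, bind DN, base DN, redacted password and the group name radius_cri are taken from the ldapsearch output above; the global catalog port, the sAMAccountName user filter, the timeouts, the TLS settings and the CA file path are assumptions.

```conf
# mods-available/ldap, FreeRADIUS 3.0.x. Added example, not the thread's
# or the project's own file. Values marked "assumed" are not from the post.
ldap {
	server = "10.0.0.19"

	# Assumed: the global catalog port. A subtree search of the domain
	# root on 389 (what the post ran) is answered together with
	# referrals for ForestDnsZones, DomainDnsZones and Configuration;
	# the same search against the GC returns the entry without them.
	# 3269 is the GC over SSL.
	port = 3268

	identity = "cn=squid,dc=intra,dc=ismaa,dc=it"
	password = "XXXXXXXX"                 # redacted in the original post
	base_dn = "dc=intra,dc=ismaa,dc=it"

	user {
		base_dn = "${..base_dn}"
		# Assumed: the same user filter as the post's ldapsearch, with
		# the login name substituted.
		filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))"
	}

	group {
		base_dn = "${..base_dn}"
		filter = "(objectClass=group)"
		# LDAP-Group == "radius_cri" resolves the name through cn and is
		# compared with the DNs in the user's memberOf attribute, e.g.
		# CN=radius_cri,OU=RADIUS,OU=FEM,DC=intra,DC=ismaa,DC=it above.
		name_attribute = cn
		membership_attribute = "memberOf"
	}

	options {
		# Alternative to the GC port: stay on 389 and follow the
		# referrals. AD then insists on a bind on the new connection
		# ("a successful bind must be completed on the connection"),
		# so rebind = yes is required as well, and it re-sends the
		# identity/password to whatever server the referral names,
		# over the plain ldap:// URLs AD returned in the post. That is
		# the reason to prefer the GC port when it is available.
		#chase_referrals = yes
		#rebind = yes
		res_timeout = 10
		srv_timelimit = 3
		net_timeout = 1
	}

	tls {
		# Assumed: STARTTLS so the bind password does not cross the
		# network in clear; the CA file path is a placeholder.
		start_tls = yes
		ca_file = /etc/raddb/certs/ad-ca.pem
		require_cert = "demand"
	}
}

# sites-enabled/default, only the two sections that matter here.
authorize {
	# ... other modules ...
	# Listing the module here looks the user up once, so the group
	# comparison below can reuse the cached user DN.
	ldap
	# ... other modules ...
}

post-auth {
	# The comparison operator must be "=="; writing LDAP-Group = "..."
	# or := produces "Invalid operator for item Ldap-Group: reverting
	# to '=='" in the debug log.
	if (LDAP-Group == "radius_cri") {
		update reply {
			Reply-Message := "ok"
		}
	}
	else {
		reject
	}
}
```

A global catalog holds a complete copy of its own domain, so for a single-domain forest like the one in the post (every DN shown sits under DC=intra,DC=ismaa,DC=it) the memberOf values it returns are complete; in a multi-domain forest the GC's partial replica does not carry membership of global and domain-local groups from other domains, and the 389 plus chase_referrals/rebind route is then the one that sees them. Whichever port is used, the squid service account should have read access to the user and group containers and nothing more, since its password is what rebind would hand to any referral target.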