ldap authentication fails with windows 2008 server when base dn does not contain cn

Winson Fernandes winsonfernandes at gmail.com
Fri Jan 24 05:50:27 CET 2014


Hi,

"resending this post as the previous post was of larger size and hence
blocked"

When I configure FreeRADIUS 2.1.12 with the following ldap config, where the
base DN does not have "cn=Users" configured,
basedn = "dc=KC-DC-Solutions,dc=com", the authentication does not work
with Windows 2008 Active Directory.
The same works fine with a server configured on a Linux box with OpenLDAP.
OpenLDAP is able to search the user and authentication goes fine.

        ldap ldap_primary {
                server = 172.31.100.250
                port = 389
                identity = "cn=Administrator,cn=Users,dc=KC-DC-Solutions,dc=com"
                password = "abcdefg"
                basedn = "dc=KC-DC-Solutions,dc=com"
                filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
                start_tls = no
                access_attr = "dialupacces"
                dictionary_mapping = ${raddbdir}/ldap.attrmap
        }

With Windows AD, FreeRADIUS fails to authenticate the client with the
reason "[ldap_primary] ldap_search() failed: Timed out while waiting for
server to respond. Please increase the timeout."
Below are the radiusd logs:

[ldap_primary] rlm_ldap: performing user authorization for Kiran
[ldap_primary] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[ldap_primary]  expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -> (sAMAccountName=Kiran)
[ldap_primary]  expand: dc=KC-DC-Solutions,dc=com -> dc=KC-DC-Solutions,dc=com
  [ldap_primary] ldap_get_conn: Checking Id: 0
  [ldap_primary] ldap_get_conn: Got Id: 0
  [ldap_primary] attempting LDAP reconnection
  [ldap_primary] (re)connect to 172.31.100.250:389, authentication 0
  [ldap_primary] bind as cn=Administrator,cn=Users,dc=KC-DC-Solutions,dc=com/abcdefg to 172.31.100.250:389
  [ldap_primary] waiting for bind result ...
  [ldap_primary] Bind was successful
  [ldap_primary] performing search in dc=KC-DC-Solutions,dc=com, with filter (sAMAccountName=Kiran)
  [ldap_primary] ldap_search() failed: Timed out while waiting for server to respond. Please increase the timeout.
ldap server 172.31.100.250 is dead
  [ldap_primary] attempting LDAP reconnection
  [ldap_primary] closing existing LDAP connection
  [ldap_primary] (re)connection attempt failed
[ldap_primary] search failed
  [ldap_primary] ldap_release_conn: Release Id: 0
+++[ldap_primary] returns fail
++- policy redundant returns fail
Invalid user: [Kiran] (from client localhost port 1 cli 00-1E-E5-F9-BE-BC


When I configure the same with basedn =
"cn=Users,dc=KC-DC-Solutions,dc=com", the LDAP search works fine and
authentication goes fine:
        ldap ldap_primary {
                server = 172.31.100.250
                port = 389
                identity = "cn=Administrator,cn=Users,dc=KC-DC-Solutions,dc=com"
                password = "abcdefg"
                basedn = "cn=Users,dc=KC-DC-Solutions,dc=com"
                filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
                start_tls = no
                access_attr = "dialupacces"
                dictionary_mapping = ${raddbdir}/ldap.attrmap
        }

Please let me know what needs to be done for the LDAP search to work with
Windows AD when the cn is not configured.

Regards,
Winson
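
An added triage script for this kind of failure, not part of Winson's post and not FreeRADIUS code: it walks the radiusd -X lines quoted above (rejoined and embedded here as a constructed sample), redacts the bind password that debug mode prints in clear, and reports whether the request died at bind time or at search time and whether the search base is the domain root. The referral explanation and the chase_referrals/rebind option names in the hint text come from my own knowledge of Active Directory and rlm_ldap 2.x, not from the post; check them against the raddb/modules/ldap shipped with your version. The function names are invented for this example.

```python
"""Triage helper for rlm_ldap debug output (FreeRADIUS 2.x), added example."""
import re

# Constructed sample: the radiusd -X lines from the post above with the
# wrapped lines rejoined. Nothing else was changed.
SAMPLE_LOG = """\
[ldap_primary] rlm_ldap: performing user authorization for Kiran
[ldap_primary]  expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -> (sAMAccountName=Kiran)
[ldap_primary]  expand: dc=KC-DC-Solutions,dc=com -> dc=KC-DC-Solutions,dc=com
  [ldap_primary] (re)connect to 172.31.100.250:389, authentication 0
  [ldap_primary] bind as cn=Administrator,cn=Users,dc=KC-DC-Solutions,dc=com/abcdefg to 172.31.100.250:389
  [ldap_primary] waiting for bind result ...
  [ldap_primary] Bind was successful
  [ldap_primary] performing search in dc=KC-DC-Solutions,dc=com, with filter (sAMAccountName=Kiran)
  [ldap_primary] ldap_search() failed: Timed out while waiting for server to respond. Please increase the timeout.
ldap server 172.31.100.250 is dead
"""

# rlm_ldap 2.x prints "bind as <dn>/<password> to <host:port>"; the DN itself
# contains no "/", so the lazy match stops at the password separator.
BIND_RE = re.compile(r"bind as (?P<dn>.+?)/(?P<secret>\S*) to (?P<server>\S+)")
SEARCH_RE = re.compile(r"performing search in (?P<base>.+?), with filter (?P<filter>\(.*\))")
SEARCH_FAIL_RE = re.compile(r"ldap_search\(\) failed: (?P<reason>.+)")


def is_domain_root(base_dn: str) -> bool:
    """True when every RDN is a dc= component, i.e. the search starts at the
    naming context root rather than inside a container such as cn=Users.
    Splitting on commas is good enough for plain DNs; escaped commas are
    not handled here."""
    rdns = [r.strip() for r in base_dn.split(",") if r.strip()]
    return bool(rdns) and all(r.lower().startswith("dc=") for r in rdns)


def parse_ldap_debug(log_text: str) -> dict:
    """Record the outcome of the bind and of the search, in log order.
    The bind password is deliberately never stored: debug mode prints it
    in clear, so anything that ships these logs elsewhere must strip it."""
    result = {"bind_dn": None, "server": None, "bind_ok": False,
              "base_dn": None, "filter": None, "search_ok": False, "error": None}
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := BIND_RE.search(line):
            result["bind_dn"] = m.group("dn")
            result["server"] = m.group("server")
        elif line.endswith("Bind was successful"):
            result["bind_ok"] = True
        elif m := SEARCH_RE.search(line):
            result["base_dn"] = m.group("base")
            result["filter"] = m.group("filter")
            result["search_ok"] = True  # provisional, cleared by a failure line
        elif m := SEARCH_FAIL_RE.search(line):
            result["search_ok"] = False
            result["error"] = m.group("reason").strip()
    return result


def diagnose(result: dict) -> list:
    """Turn the parsed outcome into hints for the operator."""
    hints = []
    if not result["bind_ok"]:
        hints.append("bind failed: check identity, password and reachability first")
        return hints
    hints.append("bind succeeded: identity, password and server address are fine")
    if result["search_ok"]:
        hints.append("search succeeded: nothing to do")
        return hints
    if result["error"] and "Timed out" in result["error"]:
        hints.append("search timed out after a good bind: the server is reachable, "
                     "so the problem is the search itself, not the connection")
    if result["base_dn"] and is_domain_root(result["base_dn"]):
        # Assumption from my own experience, not stated in the post: AD answers
        # subtree searches at the domain root with referrals to other partitions,
        # and a client that chases them to unresolvable hosts hangs until timeout.
        hints.append("base DN is the domain root: Active Directory returns referrals "
                     "for subtree searches there; scope basedn to the container that "
                     "holds the users, or disable referral chasing (rlm_ldap 2.x: "
                     "chase_referrals = no, rebind = no) and re-test with ldapsearch "
                     "against the same base")
    return hints


if __name__ == "__main__":
    for hint in diagnose(parse_ldap_debug(SAMPLE_LOG)):
        print("-", hint)
```

Run it on a full radiusd -X capture instead of the sample and the same three checks apply: a successful bind rules out credentials and connectivity, a timeout on the search points at the search itself, and a root-level base against AD is the first thing to narrow.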