ldap authentication fails with windows 2008 server when base dn does not contain cn
Winson Fernandes
winsonfernandes at gmail.com
Fri Jan 24 05:50:27 CET 2014
Hi,
"resending this post as the previous post was of larger size and hence
blocked"
When I configure FreeRADIUS 2.1.12 with the following ldap config, where the base DN does not include "cn=Users" (basedn = "dc=KC-DC-Solutions,dc=com"), authentication does not work with Windows 2008 Active Directory.
The same configuration works fine with a server running OpenLDAP on a Linux box: OpenLDAP is able to search for the user and authentication goes through fine.
    ldap ldap_primary {
        server = 172.31.100.250
        port = 389
        identity = "cn=Administrator,cn=Users,dc=KC-DC-Solutions,dc=com"
        password = "abcdefg"
        basedn = "dc=KC-DC-Solutions,dc=com"
        filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = no
        access_attr = "dialupacces"
        dictionary_mapping = ${raddbdir}/ldap.attrma
    }
With Windows AD, FreeRADIUS fails to authenticate the client with the reason "[ldap_primary] ldap_search() failed: Timed out while waiting for server to respond. Please increase the timeout."
Below are the radiusd logs:
    [ldap_primary] rlm_ldap: performing user authorization for Kiran
    [ldap_primary] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
    [ldap_primary] expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -> (sAMAccountName=Kiran)
    [ldap_primary] expand: dc=KC-DC-Solutions,dc=com -> dc=KC-DC-Solutions,dc=com
    [ldap_primary] ldap_get_conn: Checking Id: 0
    [ldap_primary] ldap_get_conn: Got Id: 0
    [ldap_primary] attempting LDAP reconnection
    [ldap_primary] (re)connect to 172.31.100.250:389, authentication 0
    [ldap_primary] bind as cn=Administrator,cn=Users,dc=KC-DC-Solutions,dc=com/abcdefg to 172.31.100.250:389
    [ldap_primary] waiting for bind result ...
    [ldap_primary] Bind was successful
    [ldap_primary] performing search in dc=KC-DC-Solutions,dc=com, with filter (sAMAccountName=Kiran)
    [ldap_primary] ldap_search() failed: Timed out while waiting for server to respond. Please increase the timeout.
    ldap server 172.31.100.250 is dead
    [ldap_primary] attempting LDAP reconnection
    [ldap_primary] closing existing LDAP connection
    [ldap_primary] (re)connection attempt failed
    [ldap_primary] search failed
    [ldap_primary] ldap_release_conn: Release Id: 0
    +++[ldap_primary] returns fail
    ++- policy redundant returns fail
    Invalid user: [Kiran] (from client localhost port 1 cli 00-1E-E5-F9-BE-BC
When I configure the same with basedn = "cn=Users,dc=KC-DC-Solutions,dc=com", the LDAP search works fine and authentication goes through fine:
    ldap ldap_primary {
        server = 172.31.100.250
        port = 389
        identity = "cn=Administrator,cn=Users,dc=KC-DC-Solutions,dc=com"
        password = "abcdefg"
        basedn = "cn=Users,dc=KC-DC-Solutions,dc=com"
        filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = no
        access_attr = "dialupacces"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
    }
Please let me know what needs to be done for the LDAP search to work with Windows AD when the cn is not configured in the base DN.
Regards,
Winson