Freeipa and Freeradius integration

Arran Cudbard-Bell a.cudbardb at freeradius.org
Wed Apr 22 14:37:09 CEST 2015


> On 22 Apr 2015, at 12:14, Arran Cudbard-Bell <a.cudbardb at freeradius.org> wrote:
> 
> 
>>> That's not very helpful. We'd need the hex output at least (each of those dots is an unprintable char), or preferably a pcap file (you can send that to me directly if you prefer).
>> 
>> I created a pcap file and it is attached. I think it caught the good packet.
> 
> Can you resend. I've allowed 'application/octet-stream' as an attachment, so the listserv should preserve it. Still building the list of useful content types.
> 
> On the plus side, no horrifically formatted HTML email, and there's been a noticeable drop in garish signature images :)

Ok, after reviewing the capture (sent off list)...

The search is returning multiple entries for the same object, the first of which holds no attributes. FreeRADIUS only processes the first result, which is why no attributes are being added. This is sane behaviour on the part of FreeRADIUS.

RFC4511 doesn't mention a situation where multiple searchResults can be returned for the same object, but neither does it expressly forbid it.

Your capture missed the search request, so I can't tell if that was because some unusual search control got added.

Can you send a capture with the search request too? Preferably one from ldapsearch and one from FreeRADIUS so we can see the differences. Also complete output from ldapsearch would be useful, with maximum verbosity.

I imagine it'll show two search results returned, one with no attributes, and one with attributes. If it only displays one, I'll check through the OpenLDAP code and figure out why. Maybe they know something we don't...

What's odd is this would have been an issue with v2.x.x and v1.x.x, but it's only been reported now... So either this is a new bug/feature in RedHat's LDAP server, or your LDAP configuration is broken.

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS development team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
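
An added diagnostic example, not part of the original message or of FreeRADIUS: it reads LDIF as saved from `ldapsearch -LLL`, groups the entries by DN in the order the server returned them, and reports any DN that came back more than once, along with the attributes a consumer that processes only the first result would never see. The sample LDIF, its DNs and attribute values, and the function names are constructed for illustration.

```python
import base64

# Constructed sample, shaped like `ldapsearch -LLL` output: the same DN is
# returned twice and the first copy carries no attributes.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
radiusGroupName: staff

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
"""

def parse_entries(ldif):
    """Return [(dn, {attr: [values]})] in the order the server sent them."""
    # RFC 2849: a line starting with one space continues the previous line.
    unfolded = ldif.replace("\r\n", "\n").replace("\n ", "")
    entries = []
    for block in unfolded.split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries

def audit(entries):
    """Map each DN returned more than once to what a first-result-only reader loses."""
    by_dn = {}
    for dn, attrs in entries:
        by_dn.setdefault(dn.lower(), []).append(attrs)
    report = {}
    for dn, copies in by_dn.items():
        if len(copies) > 1:
            later = set().union(*copies[1:])  # attribute names in later copies
            report[dn] = {"copies": len(copies),
                          "first_is_empty": not copies[0],
                          "attrs_lost": sorted(later - set(copies[0]))}
    return report

if __name__ == "__main__":
    print(audit(parse_entries(SAMPLE_LDIF)))
```
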
