LDAP search failed

Danner, Mearl jmdanner at samford.edu
Fri Jul 3 16:20:24 CEST 2015


> 
> 
> In the radius logs, this time I'm getting this error:
> 
> [ldap] performing user authorization for hatim
> [ldap]  expand: sAMAccountName=%{User-Name} -> sAMAccountName=hatim
> [ldap]  expand: dc=ad,dc=****,dc=fr -> dc=ad,dc=****,dc=fr
>   [ldap] ldap_get_conn: Checking Id: 0
>   [ldap] ldap_get_conn: Got Id: 0
>   [ldap] attempting LDAP reconnection
>   [ldap] (re)connect to myserver:389, authentication 0
>   [ldap] bind as cn=LinOTP-Auth,ou=AD-Man,ou=Ressources,dc=ad,dc=****,dc=fr/******** to myserver:389
>   [ldap] waiting for bind result ...
>   [ldap] Bind was successful
>   [ldap] performing search in dc=ad,dc=****,dc=fr, with filter sAMAccountName=hatim
>   [ldap] rebind to URL ldap://*****
>   [ldap] rebind to URL ldap://*****
>   [ldap] rebind to URL ldap://*****
> [ldap] no uid attribute - access denied by default

Active Directory has no uid by default. The schema needs to be extended to provide it. And most provisioning software does not populate it even if it exists.


>   [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] = userlock
> 
> 
> Is it an ldapsearch problem?
> 
> 
> Thanks for your help!
> 
> 2015-07-03 12:52 GMT+02:00 Hatim CHIKHI <hatim.networking at gmail.com>:
> 
> > Hi arr2036,
> >
> > Thanks for your reply.
> >
> > When I issue an ldap search I get a lot of information about the user I'm
> > looking for but I'm not sure if the search is successful:
> >
> > # search result
> > search: 2
> > result: 0 Success
> >
> > # numResponses: 8
> > # numEntries: 1
> > # numReferences: 6
> >
> >
> >
> > In the radius logs, this time I'm getting this error:
> >
> > [ldap] performing user authorization for hatim
> > [ldap]  expand: sAMAccountName=%{User-Name} -> sAMAccountName=hatim
> > [ldap]  expand: dc=ad,dc=****,dc=fr -> dc=ad,dc=****,dc=fr
> >   [ldap] ldap_get_conn: Checking Id: 0
> >   [ldap] ldap_get_conn: Got Id: 0
> >   [ldap] attempting LDAP reconnection
> >   [ldap] (re)connect to myserver:389, authentication 0
> >   [ldap] bind as cn=LinOTP-Auth,ou=AD-Man,ou=Ressources,dc=ad,dc=****,dc=fr/******** to myserver:389
> >   [ldap] waiting for bind result ...
> >   [ldap] Bind was successful
> >   [ldap] performing search in dc=ad,dc=****,dc=fr, with filter sAMAccountName=hatim
> >   [ldap] rebind to URL ldap://*****
> >   [ldap] rebind to URL ldap://*****
> >   [ldap] rebind to URL ldap://*****
> > [ldap] no uid attribute - access denied by default
> >   [ldap] ldap_release_conn: Release Id: 0
> > ++[ldap] = userlock
> >
> >
> > Is it an ldapsearch problem?
> >
> >
> > Thanks for your help!
> >
> >
> >
> >
> >
> > 2015-07-02 17:51 GMT+02:00 arr2036 [via FreeRADIUS] <
> > ml-node+s1045715n5735089h90 at n5.nabble.com>:
> >
> >>
> >> > On 2 Jul 2015, at 11:46, Hatim CHIKHI <[hidden email]> wrote:
> >> >
> >> > Now, when I add password = "****" to the ldap config I get this error
> >> > instead:
> >> >
> >> >  [ldap] waiting for bind result ...
> >> >  [ldap] Bind was successful
> >> >  [ldap] performing search in dc=ad,dc=domain,dc=fr, with filter
> >> > sAMAccountName=hatim
> >> >  [ldap] ldap_search() failed: Timed out while waiting for server to
> >> > respond. Please increase the timeout.
> >> >  [ldap] ldap_release_conn: Release Id: 0
> >> > ++[ldap] = fail
> >> Likely hopping around the AD forest and timing out.
> >>
> >> Use ldapsearch to repeat the search and check the results.
> >>
> >> If it times out as well then that's your issue. Fix AD.
> >>
> >> If not, then compare the wireshark captures to see what's different
> >> between the two searches.
> >>
> >> If you think rlm_ldap is doing something wrong, upgrade to v3.0.8, and
> >> state what you think it should do different.
> >>
> >> -Arran
> >>
> >>
> >> >
> >> > I increased the timeout but in vain!!
> >> >
> >> > 2015-07-02 17:29 GMT+02:00 Hatim CHIKHI <[hidden email]>:
> >> >
> >> >> Thanks guys for your reply.
> >> >>
> >> >> I upgraded to freeradius 2.2.7 but I still have the same problem.
> >> >>
> >> >> If it is not a version issue, what would be the cause of the problem?
> >> >>
> >> >>
> >> >> 2015-07-02 13:07 GMT+02:00 Alan DeKok <[hidden email]>:
> >> >>
> >> >>> On Jul 2, 2015, at 5:31 AM, Hatim CHIKHI <[hidden email]> wrote:
> >> >>>> I'm using FreeRADIUS version 2.1.12+dfsg-1.2.
> >> >>>
> >> >>>  You should upgrade.
> >> >>>
> >> >>>> I'm trying to get some parameters from an AD server but I have problems
> >> >>>> with the search filter.
> >> >>>> ...
> >> >>>> [ldap] ldap_search() failed: Operations error
> >> >>>
> >> >>>  This is fixed (and documented) in later versions of the server.
> >> >>> Install 2.2.7.
> >> >>>
> >> >>>  Alan DeKok.
> >> >>>
> >> >>>
> >> >>> -
> >> >>> List info/subscribe/unsubscribe? See
> >> >>> http://www.freeradius.org/list/users.html
> >> >>>
> >> >>
> >> >>
> >> Arran Cudbard-Bell <[hidden email]>
> >> FreeRADIUS development team
> >>
> >> FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
> >>
> >>
> >
> >
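Added example, not part of the original thread and not FreeRADIUS code: a small Python triage of rlm_ldap debug output in the shape quoted above, counting the referral rebinds and tagging the three failure messages that come up in this thread. The sample log is constructed from the excerpts above, the function and tag names are hypothetical, and mail-wrapped log lines are assumed to have been rejoined first.

```python
import re

# Constructed sample, modelled on the debug excerpt quoted in this thread
# (wrapped lines rejoined, masked values kept as posted).
SAMPLE_LOG = """\
[ldap] performing user authorization for hatim
  [ldap] Bind was successful
  [ldap] performing search in dc=ad,dc=****,dc=fr, with filter sAMAccountName=hatim
  [ldap] rebind to URL ldap://*****
  [ldap] rebind to URL ldap://*****
  [ldap] rebind to URL ldap://*****
[ldap] no uid attribute - access denied by default
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] = userlock
"""

# Failure messages seen in the thread -> hypothetical tag names.
RULES = [
    (re.compile(r"ldap_search\(\) failed: Timed out"), "search-timeout"),
    (re.compile(r"ldap_search\(\) failed: Operations error"), "operations-error"),
    (re.compile(r"no (\w+) attribute - access denied"), "missing-attr:{0}"),
]

def triage(log_text):
    """Summarise one rlm_ldap authorization attempt from debug output."""
    report = {"user": None, "filter": None, "bind_ok": False,
              "rebinds": 0, "result": None, "findings": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := re.search(r"performing user authorization for (\S+)", line):
            report["user"] = m.group(1)
        elif m := re.search(r"with filter (\S+)", line):
            report["filter"] = m.group(1)
        elif "Bind was successful" in line:
            report["bind_ok"] = True
        elif "rebind to URL" in line:
            report["rebinds"] += 1          # one referral followed per line
        elif m := re.match(r"\++\[ldap\] = (\w+)", line):
            report["result"] = m.group(1)   # module return code
        else:
            for pattern, tag in RULES:
                if m := pattern.search(line):
                    report["findings"].append(tag.format(*m.groups()))
    return report

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A non-zero `rebinds` count alongside `search-timeout` matches the referral-chasing case described in the thread, while `missing-attr:uid` with a successful bind and search points at the directory entry rather than at connectivity.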


