Freeradius 3 - eDirectory Problem

Willy Offermans FreeWilly at Offermans.Rompen.nl
Tue May 17 15:35:51 CEST 2016


Dear Bebbet,

Your answer is already included in the debug information:

``specify a more restrictive base_dn, filter or scope''

Your ``ldap'' server returns more than 1 result upon request. This is not 
expected.


On Tue, May 17, 2016 at 03:20:12PM +0200, Bebbet van Dinges wrote:
> Hello,
> 
> I'm trying to authorize/authenticate my wifi users against edirectory
> with Freeradius3, which doesn't work. It worked with this configuration
> in 2.2, but doesn't seem to provide the required result anymore.
> 
> I hope you can give me some pointers where to look next.
> 
> Yours sincerely,
> Bebbet
> 
> 
> from raddebug:
> 
> (74) Tue May 17 12:19:27 2016: Debug: openldap: Performing unfiltered search in "", scope "sub"
> (74) Tue May 17 12:19:27 2016: Debug: openldap: Waiting for search result...
> (74) Tue May 17 12:19:30 2016: ERROR: openldap: Ambiguous search result, returned 1723 unsorted entries (should return 1 or 0).  Enable sorting, or specify a more restrictive base_dn, filter or scope
> (74) Tue May 17 12:19:30 2016: ERROR: openldap: The following entries were returned:
> 
> 
> [All the records in our directory]
> 
> 
> /usr/local/pf/raddb/modules-enabled/ldap:
> 
>         ldap openldap {
>                 server = "dns3.desaad.nl"
>                 port = 636
>                 identity = "cn=admin,o=desaad"
>                 password = "You wish.."
>                 basedn = "o=desaad"
>         #       filter = "(cn=%{mschap:User-Name})"
>                 filter = "(&(objectClass=inetOrgPerson)(uid=%{Stripped-User-Name:-%{User-Name}}))"
>                 ldap_connections_number = 5
>                 timeout = 4
>                 timelimit = 3
>                 net_timeout = 1
> 
> 
>                 access_attr = cn
>                 password_attribute = nspmPassword
> 
> 
>                 tls {
>                         start_tls = no
>                         require_cert = "allow"
>                 }
>                 dictionary_mapping = ${confdir}/ldap.attrmap
>                 edir_account_policy_check = yes
> 
>                 keepalive {
>                         # LDAP_OPT_X_KEEPALIVE_IDLE
>                         idle = 60
> 
>                         # LDAP_OPT_X_KEEPALIVE_PROBES
>                         probes = 3
> 
>                         # LDAP_OPT_X_KEEPALIVE_INTERVAL
>                         interval = 3
>                 }
>         }

-- 
Met vriendelijke groeten,
With kind regards,
Mit freundlichen Gruessen,
De jrus wah,

Will

*************************************
 W.K. Offermans

                                       Powered by ....

                                            (__)
                                         \\\'',)
                                           \/  \ ^
                                           .\._/_)

                                       www.FreeBSD.org
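
The debug output quoted above shows an unfiltered search with an empty search base (`""`, scope `sub`), so the posted `basedn` and `filter` lines were not applied. As an added example (not part of the thread, and not the poster's or the project's own file), here is the same instance in the FreeRADIUS 3.0.x layout. It assumes the key names of the stock `mods-available/ldap`; the password and CA file path are placeholders.

```conf
# Added example: FreeRADIUS 3.0.x layout for the instance posted above.
# Key names follow the stock raddb/mods-available/ldap of 3.0.x; check
# them against the file shipped with your version.
ldap openldap {
        server   = "dns3.desaad.nl"
        port     = 636
        identity = "cn=admin,o=desaad"
        password = "REPLACE_ME"         # placeholder

        # 2.2 spelled this "basedn"; 3.x reads "base_dn". The search base
        # of "" in the debug output shows the old key was not applied.
        base_dn = "o=desaad"

        user {
                base_dn = "${..base_dn}"
                scope   = "sub"
                # In 3.x the user filter lives in this subsection, and the
                # fallback expansion is written %{%{A}:-%{B}}.
                filter  = "(&(objectClass=inetOrgPerson)(uid=%{%{Stripped-User-Name}:-%{User-Name}}))"
        }

        tls {
                start_tls    = no       # as posted
                # "allow" lets the session continue when the server
                # certificate is missing or fails validation; "demand"
                # aborts instead, which protects the admin bind password.
                ca_file      = "/path/to/edirectory-ca.pem"   # placeholder
                require_cert = "demand"
        }
}
```

With the filter applied, the debug output should no longer report an unfiltered search, and a `uid` that is unique in the tree returns one entry or none.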

