LDAP operations error

Tom King T.King at F5.com
Wed Jan 10 02:11:44 CET 2018

I am sure this question has been asked many times over, so please point me to a thread if it's already answered.

We are connected to an AD-backed LDAP service.

I've configured these two options in the ldap module config:

LDAP authentication is fine for about 10 minutes. After a while, freeradius LDAP authentication begins failing:

rad_recv: Access-Request packet from host port 52361, id=92, length=98
     User-Name = "redacted-user"
     User-Password = "redacted-password"
     NAS-Port-Id = "ssh"
     Calling-Station-Id = "redacted-fqdn"
     Service-Type = NAS-Prompt-User
     NAS-Port = 0
     NAS-IP-Address =
# Executing section authorize from file /etc/freeradius/radiusd.conf
+group authorize {
++[preprocess] = ok
[ldap] performing user authorization for redacted-user
[ldap]     expand: (SamAccountName=%u) -> (SamAccountName=redacted-user)
[ldap]     expand: dc=redacted,dc=redacted,dc=com -> dc=redacted,dc=redacted,dc=com
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] closing existing LDAP connection
  [ldap] (re)connect to ldaps://redacted-ldaps-server-url, authentication 0
  [ldap] setting TLS Require Cert to never
  [ldap] bind as _binduser/bindpassword to ldaps://redacted-ldaps-server-url
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in dc=redacted,dc=Redacted,dc=com, with filter (SamAccountName=redacted-user)
WARNING: Please set 'chase_referrals=yes' and 'rebind=yes'
WARNING: See the ldap module configuration for details
  [ldap] ldap_search() failed: Operations error
[ldap] search failed
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] = fail
+} # group authorize = fail
Delaying reject of request 4 for 1 seconds
Going to the next request
Waking up in 0.4 seconds.
Sending delayed reject for request 4
Sending Access-Reject of id 92 to port 52361
Waking up in 4.9 seconds.
Cleaning up request 4 ID 92 with timestamp +2501
Ready to process requests.

It works fine for a while - what causes it to fail after a while? Does having a loadbalancer in front of the LDAP server make a difference?



Thomas King  |  Sr Lab Network Engineer
D +1-303-305-0228  M +1-206-384-0698







More information about the Freeradius-Users mailing list