LDAP operations error
Alan DeKok
aland at deployingradius.com
Wed Jan 10 15:00:14 CET 2018
On Jan 9, 2018, at 8:11 PM, Tom King via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>
> I am sure this question has been asked many times over, so please point me to a thread if it's already answered.
>
> We are connected to an AD-backed LDAP service.
AD is unfortunately a *terrible* LDAP server.
> I've configured these two options in the ldap module config:
> Chase_referrals=yes
> Rebind=yes
That's good...
> LDAP authentication is fine for about 10 minutes. After a while, freeradius LDAP authentication begins failing:
> ...
> [ldap] performing search in dc=redacted,dc=Redacted,dc=com, with filter (SamAccountName=redacted-user)
> WARNING: Please set 'chase_referrals=yes' and 'rebind=yes'
> WARNING: See the ldap module configuration for details
I've fixed the code in 3.0.16 so that it doesn't print this complaint if you've already set those flags.
> [ldap] ldap_search() failed: Operations error
That's an LDAP server error. Your LDAP server doesn't like you.
It's *usually* because the account does not have permission to read the data it's querying/
> It works fine for a while - what causes it to fail after a while?
Active Directory magic?
FreeRADIUS does LDAP queries. If the back-end randomly decides to fail, there isn't much you can do to FreeRADIUS to fix the problem.
The choices are:
1) use a query which always succeeds, no matter what back-end you're using
2) use a back-end that doesn't suck
:(
> Does having a loadbalancer in front of the LDAP server make a difference?
Maybe. If the back-end databases are *not* all identical, then load-balancing to one will give you "operations error", while load-balancing to another one will work.
Alan DeKok.
More information about the Freeradius-Users
mailing list