LDAP operations error

Alan DeKok aland at deployingradius.com
Wed Jan 10 15:00:14 CET 2018


On Jan 9, 2018, at 8:11 PM, Tom King via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> 
> I am sure this question has been asked many times over, so please point me to a thread if it's already answered.
> 
> We are connected to an AD-backed LDAP service.

  AD is unfortunately a *terrible* LDAP server.

> I've configured these two options in the ldap module config:
> chase_referrals=yes
> rebind=yes

  That's good...

> LDAP authentication is fine for about 10 minutes. After a while, freeradius LDAP authentication begins failing:
> ...
>  [ldap] performing search in dc=redacted,dc=Redacted,dc=com, with filter (SamAccountName=redacted-user)
> WARNING: Please set 'chase_referrals=yes' and 'rebind=yes'
> WARNING: See the ldap module configuration for details

  I've fixed the code in 3.0.16 so that it doesn't print this complaint if you've already set those flags.

>  [ldap] ldap_search() failed: Operations error

  That's an LDAP server error.  Your LDAP server doesn't like you.

  It's *usually* because the account does not have permission to read the data it's querying.

> It works fine for a while - what causes it to fail after a while?

  Active Directory magic?

  FreeRADIUS does LDAP queries.  If the back-end randomly decides to fail, there isn't much you can do to FreeRADIUS to fix the problem.

  The choices are:

1) use a query which always succeeds, no matter what back-end you're using

2) use a back-end that doesn't suck

 :(

> Does having a loadbalancer in front of the LDAP server make a difference?

  Maybe.  If the back-end databases are *not* all identical, then load-balancing to one will give you "operations error", while load-balancing to another one will work.

  Alan DeKok.
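The reply above leaves the reader with two things to check: whether the bind account can actually read the data (with `chase_referrals = yes` and `rebind = yes` set in the ldap module, since Active Directory answers an unbound search with result code 1, operationsError, which is what a referral chased without a rebind produces), and whether the servers behind the load balancer really behave identically. The script below is an added example for this thread, not code from FreeRADIUS or from either poster: it runs the module's own search (simple bind as the module's account, then `(sAMAccountName=...)`) against each directory server directly and against the load-balanced name, and reports the LDAP result code each one returns. The host names, bind DN and base DN are constructed placeholders; set `BIND_PW`, `BIND_DN`, `BASE_DN` and `LDAP_HOSTS` in the environment for a real directory.

```shell
#!/bin/sh
# Added example for this thread, not code from FreeRADIUS or from the poster.
# Run the ldap module's search directly against every directory server that
# sits behind the load balancer, with the same bind DN the module uses, so an
# "Operations error" can be pinned to one server or to the account's rights.
# Host names, bind DN and base DN below are constructed placeholders.

BIND_DN="${BIND_DN:-CN=radius,OU=Service Accounts,DC=redacted,DC=com}"   # hypothetical
BASE_DN="${BASE_DN:-DC=redacted,DC=com}"                                   # hypothetical
SAM="${1:-redacted-user}"
# Constructed pool: each DC by name, then the load-balanced name the module talks to.
HOSTS="${LDAP_HOSTS:-dc1.redacted.com dc2.redacted.com ldap.redacted.com}"

# ldapsearch exits with the LDAP result code; 1 is the "Operations error" the
# module logged, 50 is what a bind account without read rights normally gets.
ldap_rc_name() {
  case "$1" in
    0)  echo success ;;
    1)  echo operationsError ;;
    10) echo referral ;;
    32) echo noSuchObject ;;
    49) echo invalidCredentials ;;
    50) echo insufficientAccessRights ;;
    *)  echo "unknown($1)" ;;
  esac
}

# Succeed when the result codes collected from the pool are not all the same:
# that is the "one backend works, another returns Operations error" case.
backends_inconsistent() {
  first=""
  for code in $1; do
    if [ -z "$first" ]; then
      first="$code"
    elif [ "$code" != "$first" ]; then
      return 0
    fi
  done
  return 1
}

# One probe: simple bind as the module's account, then the module's filter.
# -LLL trims the output; asking only for dn is enough to prove the search ran.
probe_host() {
  ldapsearch -LLL -x -H "ldap://$1" -D "$BIND_DN" -w "$BIND_PW" \
    -b "$BASE_DN" "(sAMAccountName=$SAM)" dn >/dev/null 2>&1
}

run_probes() {
  if ! command -v ldapsearch >/dev/null 2>&1 || [ -z "${BIND_PW:-}" ]; then
    echo "ldapsearch missing or BIND_PW not exported; nothing probed" >&2
    return 0
  fi
  codes=""
  for host in $HOSTS; do
    probe_host "$host" && code=0 || code=$?
    codes="$codes $code"
    printf '%-24s rc=%-3s %s\n' "$host" "$code" "$(ldap_rc_name "$code")"
  done
  if backends_inconsistent "$codes"; then
    echo "result: backends disagree; the pool behind the load balancer is not identical"
  else
    echo "result: all backends answer alike; check the bind account's read permissions"
  fi
}

run_probes
```

If every server answers alike with code 1 or 50, the bind account (not the load balancer) is the problem; if the direct probes succeed but the load-balanced name fails intermittently, one member of the pool differs. The probe deliberately does not chase referrals; adding `-C` to the ldapsearch call makes the OpenLDAP tools follow them, and if they do so without re-binding, AD will reproduce the operationsError the module logged.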



