rlm_ldap fails but ldapsearch works

uj2.hahn at posteo.de
Sun Aug 2 18:32:50 CEST 2020


And you should enable cacheable_name or cacheable_dn (=yes) if not done
already!
Regards
Uwe

On 02.08.2020 18:01, uj2.hahn at posteo.de wrote:
> Victor,
> did you set the
> name_attribute = cn (or ou) in ldap module correctly?
>
> Regards
> Uwe
>
>
> On 02.08.2020 16:47, Victor via Freeradius-Users wrote:
>> Hello Alan,
>>
>> Well, from the wireshark LDAP protocol decode:
>>
>> -the answer to rlm_ldap:
>>
>> Lightweight Directory Access Protocol
>>      LDAPMessage searchResDone(6) success [2 results]
>>          messageID: 6
>>          protocolOp: searchResDone (5)
>>              searchResDone
>>                  resultCode: success (0)
>>                  matchedDN:
>>                  errorMessage:
>>          [Response To: 16]
>>          [Time: 0.000694000 seconds]
>>
>> -the answer to ldapsearch:
>>
>> Lightweight Directory Access Protocol
>>      LDAPMessage searchResEntry(2) 
>> "cn=ipausers,cn=groups,cn=accounts,dc=xxxx,dc=local" [1 result]
>>          messageID: 2
>>          protocolOp: searchResEntry (4)
>>              searchResEntry
>>                  objectName: 
>> cn=ipausers,cn=groups,cn=accounts,dc=xxxx,dc=local
>>                  attributes: 5 items
>>                      PartialAttributeList item objectClass
>>                          type: objectClass
>>                          vals: 5 items
>>                              AttributeValue: top
>>                              AttributeValue: groupofnames
>>                              AttributeValue: nestedgroup
>>                              AttributeValue: ipausergroup
>>                              AttributeValue: ipaobject
>>                      PartialAttributeList item description
>>                          type: description
>>                          vals: 1 item
>>                              AttributeValue: Default group for all users
>>                      PartialAttributeList item cn
>>                          type: cn
>>                          vals: 1 item
>>                              AttributeValue: ipausers
>>                      PartialAttributeList item ipaUniqueID
>>                          type: ipaUniqueID
>>                          vals: 1 item
>>                              AttributeValue: 
>> c862bf44-d36b-11ea-84a9-3ed34312a8ce
>>                      PartialAttributeList item member
>>                          type: member
>>                          vals: 1 item
>>                              AttributeValue: 
>> uid=baseuser,cn=users,cn=accounts,dc=xxxx,dc=local
>>          [Response To: 8]
>>          [Time: 0.001658000 seconds]
>> Lightweight Directory Access Protocol
>>      LDAPMessage searchResDone(2) success [1 result]
>>          messageID: 2
>>          protocolOp: searchResDone (5)
>>              searchResDone
>>                  resultCode: success (0)
>>                  matchedDN:
>>                  errorMessage:
>>          [Response To: 8]
>>          [Time: 0.001658000 seconds]
>>
>>
>> rlm_ldap clearly doesn't get the same answer to almost the same
>> request (only timeLimit differs):
>>
>> -from rlm_ldap:
>> Lightweight Directory Access Protocol
>>      LDAPMessage searchRequest(6) "dc=xxxx,dc=local" wholeSubtree
>>          messageID: 6
>>          protocolOp: searchRequest (3)
>>              searchRequest
>>                  baseObject: dc=xxxx,dc=local
>>                  scope: wholeSubtree (2)
>>                  derefAliases: neverDerefAliases (0)
>>                  sizeLimit: 0
>>                  timeLimit: 10
>>                  typesOnly: False
>>                  Filter: 
>> (&(cn=ipausers)(member=uid=baseuser,cn=users,cn=accounts,dc=xxxx,dc=local))
>>                  attributes: 0 items
>>          [Response In: 17]
>>
>> -from ldapsearch:
>>
>> Lightweight Directory Access Protocol
>>      LDAPMessage searchRequest(2) "dc=xxxx,dc=local" wholeSubtree
>>          messageID: 2
>>          protocolOp: searchRequest (3)
>>              searchRequest
>>                  baseObject: dc=xxxx,dc=local
>>                  scope: wholeSubtree (2)
>>                  derefAliases: neverDerefAliases (0)
>>                  sizeLimit: 0
>>                  timeLimit: 0
>>                  typesOnly: False
>>                  Filter: 
>> (&(cn=ipausers)(member=uid=baseuser,cn=users,cn=accounts,dc=xxxx,dc=local))
>>                  attributes: 0 items
>>          [Response In: 9]
>>
>> The bind user is the same:
>>
>> Lightweight Directory Access Protocol
>>      LDAPMessage bindRequest(4) 
>> "uid=baseuser,cn=users,cn=accounts,dc=xxxx,dc=local" simple
>>          messageID: 4
>>          protocolOp: bindRequest (0)
>>              bindRequest
>>          [Response In: 14]
>>
>>
>> Thanks again
>>
>>   On Saturday, August 1, 2020, 01:57:40 PM UTC, Alan DeKok 
>> <aland at deployingradius.com> wrote:
>>
>>   On Jul 29, 2020, at 12:24 PM, Victor via Freeradius-Users 
>> <freeradius-users at lists.freeradius.org> wrote:
>>> Hello,
>>>
>>> I'm trying to check whether a user belongs to a group or not:
>>> ...
>>> but
>>>
>>> ldapsearch  -b "dc=domain,dc=local" 
>>> "(&(cn=someusers)(member=uid\3dcommon_user\2ccn\3dusers\2ccn\3daccounts\2cdc\3ddomain\2cdc\3dlocal))" 
>>> -D uid=common_user,cn=users,cn=accounts,dc=domain,dc=local -W
>>    See mods-available/ldap in recent releases.  It has detailed 
>> instructions for how to turn the FreeRADIUS configuration items into 
>> ldapsearch arguments.
>>
>>    There's no real magic here.  If FR returns different data than 
>> ldapsearch, then the only cause is that the searches are different.  
>> i.e. search string, name/password used to search, etc.
>>
>>    Alan DeKok.
>>
>
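The check Alan describes (turn the module's configuration items into ldapsearch arguments, then compare the two searches field by field until the only difference is gone), as an added Python example for this thread; it is not code from FreeRADIUS or from any of the posters. The config item names follow the mods-available/ldap layout (server, base_dn, identity, group name_attribute and membership_attribute); the two *_REQUEST dicts are constructed from the Wireshark decodes quoted above with the poster's "xxxx" redaction kept, and the server URI ldap://ipa.example.test and the timelimit parameter are assumptions.

```python
"""Rebuild an rlm_ldap group lookup as an ldapsearch invocation and compare
two captured searchRequests field by field.

Added example for this thread, not code from FreeRADIUS or from the posters.
Config item names follow mods-available/ldap; the timelimit argument and the
server URI are assumptions. The *_REQUEST dicts are constructed from the
Wireshark decodes quoted in the thread ('xxxx' is the poster's redaction).
"""
import shlex

# RFC 4515: these characters must be hex-escaped inside a filter assertion
# value, otherwise a username containing them rewrites the filter itself.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value before interpolating it into a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def group_membership_filter(group_name: str, user_dn: str,
                            name_attribute: str = "cn",
                            membership_attribute: str = "member") -> str:
    """Build the filter shape seen in the captured rlm_ldap searchRequest:
    (&(<name_attribute>=<group>)(<membership_attribute>=<user DN>))."""
    return "(&({}={})({}={}))".format(
        name_attribute, escape_filter_value(group_name),
        membership_attribute, escape_filter_value(user_dn))


def ldapsearch_argv(server: str, base_dn: str, bind_dn: str, ldap_filter: str,
                    timelimit: int = 0, attrs=()) -> list:
    """Map the module's config items onto ldapsearch arguments.

    -x simple bind, -D the bind identity, -W prompt for the password (so it
    never lands in argv or shell history), -b base_dn, -s sub and -a never
    match the wholeSubtree / neverDerefAliases fields of both captures, and
    -l reproduces the timeLimit the module sent instead of ldapsearch's
    default of 0.
    """
    return ["ldapsearch", "-x", "-H", server, "-D", bind_dn, "-W",
            "-b", base_dn, "-s", "sub", "-a", "never", "-l", str(timelimit),
            ldap_filter, *attrs]


def ldapsearch_command(*args, **kwargs) -> str:
    """Shell-quoted form of ldapsearch_argv(), safe to paste into a terminal."""
    return shlex.join(ldapsearch_argv(*args, **kwargs))


def diff_search_requests(first: dict, second: dict) -> dict:
    """Return {field: (first_value, second_value)} for every field that differs.
    An empty dict means the two searches are identical on the wire, so a
    different result has to come from elsewhere (server, connection, ACLs)."""
    fields = sorted(set(first) | set(second))
    return {f: (first.get(f), second.get(f))
            for f in fields if first.get(f) != second.get(f)}


# Constructed from the two captured searchRequests and the bindRequest above.
USER_DN = "uid=baseuser,cn=users,cn=accounts,dc=xxxx,dc=local"
RLM_LDAP_REQUEST = {
    "bindDN": USER_DN,
    "baseObject": "dc=xxxx,dc=local",
    "scope": "wholeSubtree",
    "derefAliases": "neverDerefAliases",
    "sizeLimit": 0,
    "timeLimit": 10,
    "filter": "(&(cn=ipausers)(member=" + USER_DN + "))",
    "attributes": (),
}
LDAPSEARCH_REQUEST = dict(RLM_LDAP_REQUEST, timeLimit=0)


if __name__ == "__main__":
    for field, (a, b) in diff_search_requests(RLM_LDAP_REQUEST,
                                               LDAPSEARCH_REQUEST).items():
        print("differs: {} rlm_ldap={!r} ldapsearch={!r}".format(field, a, b))
    # Assumed server URI; replace with the one from the ldap module's server item.
    print(ldapsearch_command("ldap://ipa.example.test", "dc=xxxx,dc=local",
                             USER_DN, group_membership_filter("ipausers", USER_DN),
                             timelimit=10))
```

Running diff_search_requests over the two captures reports only timeLimit, which is why passing -l to ldapsearch matters when you want a like-for-like reproduction. Only the five RFC 4515 characters need hex escaping when a DN or username is interpolated into a filter by hand; escaping "=" and "," as well is permitted by the grammar and does not change the search.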