Freeradius 3 with LDAP Authentication Bind as User
Alan DeKok
aland at deployingradius.com
Fri May 29 23:19:13 CEST 2020
On May 29, 2020, at 3:06 PM, Jason Leiby <leibyj at gmail.com> wrote:
>
> I placed the auth-type update control snippet in the authenticate section
No... you have to update Auth-Type *before* the authenticate section, in the authorize section.
When you set Auth-Type, you're telling the server which "authenticate" sub-section to use. So putting an "update control" in the authenticate section does nothing.
> and I still get the same error message of:
>
> (1) ldap: ERROR: Failed performing search: Please set 'chase_referrals=yes'
> and 'rebind=yes'. See the ldap module configuration for details.
> (1) ldap: ERROR: Server said: 000004DC: LdapErr: DSID-0C0907E1, comment: In
> order to perform this operation a successful bind must be completed on the
> connection., data 0, v2580.
>
> What is also strange is that the first error about chase_referrals and
> rebind should be gone as I have those flags uncommented in the ldap module
Those settings are still commented out. If "chase_referrals" was set, the error would be:
Operations error with LDAP database. Please see the LDAP server configuration / documentation for more information.
> Here is the full output from radiusd -X
If you read the *rest* of the debug output, you will see it printing out the configuration for the LDAP module. And "chase_referrals" won't be set.
> ...
> rlm_ldap (ldap): Connecting to ldap://ldap.example.com:389
> TLSMC: MozNSS compatibility interception begins.
> tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is
> present.
> tlsmc_intercept_initialization: INFO: successfully intercepted TLS
> initialization. Continuing with OpenSSL only.
Arg. You're using RedHat, which (in their infinite wisdom) decided to switch libldap to something which isn't compatible with OpenSSL.
FreeRADIUS uses OpenSSL. I suspect this incompatibility will cause issues. For more details, see http://packages.networkradius.com
We provide *working* packages, and documentation on how to fix issues created by OS vendors.
> TLSMC: MozNSS compatibility interception ends.
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Reserved connection (6)
> (1) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
> (1) ldap: --> (samaccountname=testuser)
> (1) ldap: Performing search in "OU=Employees,OU=Domain
> Users,DC=example,DC=com" with filter "(samaccountname=testuser)", scope
> "sub"
> (1) ldap: Waiting for search result...
> (1) ldap: ERROR: Failed performing search: Please set 'chase_referrals=yes'
> and 'rebind=yes'. See the ldap module configuration for details.
You don't have "chase_referrals = yes".
Fix that first, then try switching to a different FreeRADIUS package.
Alan DeKok.
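As an added illustration (not part of Alan's reply or the original poster's configuration), the two changes described above written out as FreeRADIUS 3 configuration fragments: the `options` block of `mods-available/ldap` with `chase_referrals` and `rebind` uncommented, and `Auth-Type` set in `authorize` rather than in `authenticate`. The server name, DNs, filter and lookup account are placeholders, and the site file only shows the lines that matter for bind-as-user.

```text
#  raddb/mods-available/ldap  (added example; host, DNs and credentials are placeholders)
ldap {
	server = 'ldap.example.com'
	port = 389

	#  Account used only for the initial search that finds the user's DN.
	#  Bind-as-user replaces the bind in the authenticate section, not this one.
	identity = 'CN=radius-lookup,OU=Service Accounts,DC=example,DC=com'
	password = 'lookup-account-password'
	base_dn = 'DC=example,DC=com'

	user {
		base_dn = 'OU=Employees,OU=Domain Users,DC=example,DC=com'
		filter = "(samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})"
	}

	options {
		#  Both lines ship commented out in the stock file. The "Please set
		#  'chase_referrals=yes' and 'rebind=yes'" error means the module hit a
		#  referral it is not configured to follow; chase_referrals makes libldap
		#  follow it, and rebind re-authenticates on the referred connection
		#  instead of searching it unbound.
		chase_referrals = yes
		rebind = yes
		res_timeout = 10
		srv_timelimit = 3
		net_timeout = 1
	}
}

#  raddb/sites-enabled/default  (only the bind-as-user pieces are shown)
server default {
	authorize {
		#  ... preprocess, suffix and the other stock modules ...

		#  Look the user up first, then choose the authenticate sub-section HERE.
		#  An "update control" in the authenticate section runs too late to matter.
		ldap
		if ((ok || updated) && User-Password) {
			update {
				control:Auth-Type := ldap
			}
		}
	}

	authenticate {
		#  Selected by the Auth-Type set in authorize. The module binds to the
		#  directory as the DN found above, using the supplied User-Password.
		Auth-Type LDAP {
			ldap
		}
	}
}
```

After editing, `radiusd -XC` checks the configuration without starting the server, and a full `radiusd -X` run prints the parsed `rlm_ldap` configuration near the top of its output; if `chase_referrals = yes` and `rebind = yes` do not appear there, the edit was made to the wrong file (for example `mods-available` without a matching `mods-enabled` symlink) and the search will fail exactly as before.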