Access permissions FreeRadius-Google LDAP failed
jan.sellmann at mpimet.mpg.de
Wed Oct 6 18:20:56 CEST 2021
looks like you've messed up with the use of the backslashes (\) and
unintentionally escaped some of the command switches for ldapsearch:
> root at FreeRadius:~#
LDAPTLS_KEY=/etc/freeradius/3.0/certs/ldap-client.key \ldapsearch -H
ldaps://ldap.google.com:636 \ -b dc=foundationacademy,dc=net
'(mail='benjamin.diehl at foundationacademy.net')'
You probably wanted to use
"dc=foundationacademy,dc=net" as the search base (-b)
'(mail='benjamin.diehl at foundationacademy.net')' as the search filter
no special attritbute list
What the server acutally received is:
# extended LDIF
# base <> (default) with scope subtree
^an empty search base (so the RootDSE is used as the default) because
you've escaped the -b option
# filter: (objectclass=*)
^ no specific search filter so the default of any object class is used
# requesting: -b dc=foundationacademy,dc=net
(mail=benjamin.diehl at foundationacademy.net)
^ a maleformed attribute list due to the messed up escapes, so the
server is looking up the attributes:
"(mail=benjamin.diehl at foundationacademy.net)"
which do not exist and therefore the server only responds with the dn of
the rootDSE node which is what your ldapsearch actually asked for:
(it might look a bit confusing and as if the search didn't return anything)
# search result
result: 0 Success
# numResponses: 2
# numEntries: 1
^actually the search for 3 attributes (search: 3) was successful
(result: 0 Success) and returned 1 entry (numEntries: 1) - the rootDSE
Even LDAP is nice sometimes and may tell you what happened (not to the
extend of freeradius of course ;-)), but as always it takes time to see
the information is actually there and even more experience to understand it.
Sorry for the lengthy explanation which might be a bit off-topic for
this list. I still hope it may help you and others with similar problems.
To the concrete problem: eliminate all the backslashes from your
ldapsearch and try this in one line:
LDAPTLS_KEY=/etc/freeradius/3.0/certs/ldap-client.key ldapsearch -H
ldaps://ldap.google.com:636 -b 'dc=foundationacademy,dc=net'
'(mail=benjamin.diehl at foundationacademy.net)'
and you might get a step further. You will also notice the change in the
commented output of the search the server will have performed.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 5201 bytes
Desc: S/MIME Cryptographic Signature
More information about the Freeradius-Users