Moe, John <j...@hatch.com.au> wrote:
>> >> > 3) How many/what options do I need to configure in the ldap module
>> >> > config? I've configured server, basedn, filter, groupname_attribute,
>> >> > groupmembership_filter and groupmembership_attribute, but all I get
>> >> > is "Operations error". If I add identity and secret, I get a
>> >> > "Referral" failure. I've also tried the chase_referrals and rebind
>> >> > options, both with and without the identity/secret options, but they
>> >> > don't seem to change anything.
>> >
>> What does the following give you from the command line:
>> ----
>> ldapsearch -LLL -x -h mygc.my.domain.name -b dc=my,dc=domain,dc=name sAMAccountName=username
>> ----
>
> Operations error (1)
> Additional information: 00000000: LdapErr: DSID-0C090627, comment: In order
> to perform this operation a successful bind must be completed on the
> connection., data 0, vece
>
> However, if I take out the "-x", I got an error saying my Kerberos ticket
> had expired. I did a kdestroy and kinit again; with the "-x" it still gave
> the error above. Without the "-x", I get what looks like a listing of all
> the account attributes. However, at the bottom, it says:
>
> # search reference
> ref: ldap://DomainDnsZones.my.domain.name/DC=DomainDnsZones,DC=my,DC=domain,DC
>  =name
>
> # search result
> search: 5
> result: 0 Success
>
> # numResponses: 3
> # numEntries: 1
> # numReferences: 1
>
> So something still isn't right.
>
To use Kerberos with ldapsearch you need to be looking at the SASL options
in the manpage; probably just -Q would be needed.
>> Until you can get 'ldapsearch' to work, you are unlikely to get
>> FreeRADIUS to work. From the debug output and your description, it
>> sounds more like a "how you are using LDAP" rather than "how FreeRADIUS
>> is using LDAP" problem.
>>
>> If you can get ldapsearch to display the attributes you are after, then
>> you can start to tinker with FreeRADIUS.
>
> Yeah, I kinda figured it was a "I'm not sure how to configure LDAP properly
> to talk to my AD". Thanks for the assistance. I'll have a play around with
> ldapsearch for a while and see if I can't figure this out.
>
Found some useful bits at (eugh, Gentoo):
http://en.gentoo-wiki.com/wiki/Active_Directory_Authentication_using_LDAP#OpenLDAP_configuration_files

> And if I use ldp.exe (comes with Windows), or Softerra's LDAP Browser, I can
> connect to the same host, bind using the same credentials, use the same
> basedn and search using the same filter, and I get results. So I'm not sure
> what I'm doing wrong.
>
It might be worth putting Wireshark on the Windows workstation running
ldp.exe if you get desperate. It might give you some hints (although I see
you have already figured things out in your next posting).

> OT and perhaps reply off list, but I'm curious why you say "ewwww" to
> PHP, and what you would use instead?
>
Flamebait! I nearly fell for it. :)

You have permission to Google-stalk me if you really want to know what I use.

Cheers

-- 
Alexander Clouter
.sigmonster says:
What soon grows old? Gratitude.
		-- Aristotle

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
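As an added example (not part of the thread, and not FreeRADIUS or OpenLDAP code), here is a small parser for the LDIF that ldapsearch prints in the exchange above. The point it demonstrates is that the "# search reference" block at the bottom of the output is a separate record from the account entry, so "numEntries: 1" plus a "ref:" line means the account lookup itself succeeded and the referral is just AD pointing at its DomainDnsZones application partition. The parser also unfolds LDIF continuation lines (a leading space on a line means it continues the previous one, which is exactly how the long "ref:" URL is wrapped in the posted output) and decodes "::" base64 values. The sample output is constructed to match the shape of what was posted; the DN, attribute values and group names are made up, and the group extraction mirrors what an rlm_ldap-style groupmembership_attribute check would read from memberOf.

```python
import base64
from typing import Dict, List, Tuple

# Constructed sample output in the shape ldapsearch printed in the thread:
# one entry, one search reference whose URL is folded across two lines, and
# the trailing search-result block. DN, values and groups are made up.
SAMPLE_OUTPUT = """\
# extended LDIF
#
# LDAPv3
# base <dc=my,dc=domain,dc=name> with scope subtree
# filter: sAMAccountName=username
# requesting: ALL
#

# username, Users, my.domain.name
dn: CN=username,CN=Users,DC=my,DC=domain,DC=name
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
sAMAccountName: username
memberOf: CN=VPN Users,OU=Groups,DC=my,DC=domain,DC=name
memberOf: CN=Staff,OU=Groups,DC=my,DC=domain,DC=name
userPrincipalName: username@my.domain.name
displayName:: VGVzdCBVc2Vy

# search reference
ref: ldap://DomainDnsZones.my.domain.name/DC=DomainDnsZones,DC=my,DC=domain,DC
 =name

# search result
search: 5
result: 0 Success

# numResponses: 3
# numEntries: 1
# numReferences: 1
"""


def unfold(text: str) -> List[str]:
    """Join LDIF continuation lines: a line starting with one space continues the previous line."""
    out: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]
        else:
            out.append(raw)
    return out


def parse_attr(line: str) -> Tuple[str, str]:
    """Split 'name: value' or 'name:: base64' into (name, decoded value)."""
    name, _, value = line.partition(":")
    if value.startswith(":"):  # '::' marks a base64-encoded value
        return name, base64.b64decode(value[1:].strip()).decode("utf-8")
    return name, value.strip()


def parse_ldif(text: str) -> Dict[str, object]:
    """Split ldapsearch output into entries, search references and the result block."""
    entries: List[Dict[str, List[str]]] = []
    referrals: List[str] = []
    result: Dict[str, str] = {}
    record: List[str] = []

    def flush() -> None:
        if not record:
            return
        first_name, _ = parse_attr(record[0])
        if first_name == "dn":  # an entry record
            entry: Dict[str, List[str]] = {}
            for line in record:
                name, value = parse_attr(line)
                entry.setdefault(name, []).append(value)
            entries.append(entry)
        elif first_name == "ref":  # a search reference (referral) record
            referrals.extend(parse_attr(line)[1] for line in record)
        else:  # the 'search: N' / 'result: code text' block
            for line in record:
                name, value = parse_attr(line)
                result[name] = value
        record.clear()

    for line in unfold(text):
        if line.startswith("#"):  # comments carry no data
            continue
        if line.strip() == "":  # blank line terminates a record
            flush()
        else:
            record.append(line)
    flush()
    return {"entries": entries, "referrals": referrals, "result": result}


def group_names(entry: Dict[str, List[str]], attribute: str = "memberOf") -> List[str]:
    """Return the CN of each group DN found in the membership attribute."""
    names: List[str] = []
    for dn in entry.get(attribute, []):
        first_rdn = dn.split(",", 1)[0]
        if first_rdn.upper().startswith("CN="):
            names.append(first_rdn[3:])
    return names


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_OUTPUT)
    print("entries:", len(parsed["entries"]), "referrals:", parsed["referrals"])
    print("groups:", group_names(parsed["entries"][0]))
```

Run against the real ldapsearch output, a non-empty `entries` list with `result` of `0 Success` is the signal that the bind and search work; a `referrals` list that is non-empty alongside it is expected when the search base is the domain root, and is separate from whether the account was found.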