Bill,

     Is your actual username "User\\, Asteroid"?  That does not look
correct to me.  I would assume that you are looking for
"CN=User\\,OU=Asteroid"...  If the comma is indeed a part of the username,
you may want to try to remove it as commas have a special meaning in LDAP.
Also, make sure that your freeradius machine can resolve
"win-dc.win-dom.ctc.edu".  Other than that, your LDAP config looks fine.

-Mark

On Mon, 31 May 2004, Bill Shaver wrote:

Dusty,
Thanks. I spent some time working at it from the LDAP angle and it
still fails with the ldapsearch. I will do some more reading/research
to get that working first, then if I have problems getting it to work
with FreeRADIUS, I will get back with you all. (If you have some good
recommendations on howto's or other references getting OpenLDAP and MS
AD to talk, I would appreciate the suggestions.)

Thanks for the pointers.
             --Bill

From Dustin Doris on Sat, 29 May 2004 10:40:55 -0400 (EDT)

Hmmm...  Perhaps you should double-check just to make sure.  Do you have
access to a machine with openldap on it?  You could use the ldapsearch
command to attempt a bind to AD.

It would look something like this:

$ ldapsearch -h win-dc.win-dom.ctc.edu \
    -D "CN=User\\, Asteroid,OU=System Accounts,OU=CIS,OU=Accounts,DC=WIN-DOM,DC=ctc,DC=edu" \
    -w whateveryourpasswordis \
    -b "OU=Accounts,DC=WIN-DOM,DC=ctc,DC=edu" \
    "(SamAccountName=jdummy)"

-Dusty

On Fri, 28 May 2004, Bill Shaver wrote:

> Thanks for the reply. Yes, it is a goofy name, but I am told it does
> have read access on AD (it is in the 'domain user' group).
>
> From: Dustin Doris <[EMAIL PROTECTED]> on Fri, 28 May 2004 13:16:20 -0400
> >
> > Is "CN=User\\, Asteroid,OU=System Accounts..." a valid user with read
> > access to AD?
> >
> > > It seems that this should not be so hard; I am sure I am making a stupid
> > > mistake somewhere, but I just don't see it.
> > >
> > > I am attempting to set up freeradius 0.9.3 (redhat) to use (initially) one
> > > of several Windows 2003 AD for authentication. I am, however, unable to
> > > get the first one to work. I have attached what I think are the relevant
> > > log and configuration sections. The Windows admin is not seeing any
> > > errors in her logs. On the radius side, it seems that radiusd is not able to
> > > negotiate a connection that the ldap server will accept.
> > >
> > > Any recommendations would be appreciated.
> > >              --Bill
> > >
> > >
> > > --- ldap config from radiusd.conf
> > >
> > > ldap {
> > >              server = "win-dc.win-dom.ctc.edu"
> > >              port = 636
> > >              identity = "CN=User\\, Asteroid,OU=System Accounts,OU=CIS,OU=Accounts,DC=WIN-DOM,DC=ctc,DC=edu"
> >
> > ** Is "CN=User\\, Asteroid,OU=System Accounts..." a valid user with read
> > access to AD?
> >
> > >              password = "****"
> > >              start_tls = yes
> > >              basedn = "OU=Accounts,DC=WIN-DOM,DC=ctc,DC=edu"
> > >              filter = "(SamAccountName=%u)"
> > >              dictionary_mapping = ${raddbdir}/ldap.attrmap
> > >              ldap_connections_number = 5
> > >              timeout = 4
> > >              timelimit = 3
> > >              net_timeout = 1
> > >              ldap_debug = 0x0028
> > > }
>            <<snipped>>
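Added example, not part of the thread and not FreeRADIUS or OpenLDAP code: Mark's point is that a comma has special meaning in an LDAP DN, so a comma inside an RDN value must be escaped (RFC 4514 section 2.4), and the "\\" written in a double-quoted radiusd.conf or shell string reaches the server as a single backslash. The small parser below is illustrative only (it handles the printable specials, not RFC 4514's hex "\XX" form); the DN is the one quoted in the thread.

```python
"""Illustrative RFC 4514 RDN escaping and DN splitting (added example).

Shows why "CN=User\\, Asteroid,OU=..." binds as a single CN value while the
unescaped form splits into a malformed component. Not an LDAP library."""

# Characters that need a backslash anywhere inside an RDN value (RFC 4514 2.4).
SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside an RDN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in SPECIAL:
            out.append('\\' + ch)
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')      # leading or trailing space must be escaped
        elif ch == '#' and i == 0:
            out.append('\\#')      # leading '#' must be escaped
        else:
            out.append(ch)
    return ''.join(out)


def split_dn(dn: str) -> list:
    """Split a DN on unescaped commas; a backslash makes the next char literal."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):
            cur.append(dn[i + 1])
            i += 2
            continue
        if ch == ',':
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append(''.join(cur))
    return parts


def parse_dn(dn: str) -> list:
    """Return [(attribute type, value), ...]; reject a component with no '='."""
    rdns = []
    for comp in split_dn(dn):
        if '=' not in comp:
            raise ValueError(f'malformed RDN component: {comp!r}')
        t, v = comp.split('=', 1)
        rdns.append((t.strip(), v))
    return rdns


# The bind DN from the thread, written as in radiusd.conf / the shell: the
# double-quoted "\\" becomes one backslash in the string the server receives.
CONFIG_IDENTITY = ("CN=User\\, Asteroid,OU=System Accounts,OU=CIS,"
                   "OU=Accounts,DC=WIN-DOM,DC=ctc,DC=edu")


def demo():
    """Return (number of RDNs in the escaped DN, whether the unescaped DN parses)."""
    escaped = parse_dn(CONFIG_IDENTITY)           # 7 components, CN intact
    try:
        parse_dn(CONFIG_IDENTITY.replace('\\', ''))   # comma now splits the CN
        unescaped_parses = True
    except ValueError:
        unescaped_parses = False
    return len(escaped), unescaped_parses


if __name__ == '__main__':
    print(parse_dn(CONFIG_IDENTITY)[0])   # ('CN', 'User, Asteroid')
    print(demo())                          # (7, False)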


List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html