This sounds like an issue of chasing LDAP referrals. AD is pretty referral-happy. On a cursory look, it doesn't look like the rlm_ldap module supports chasing referrals. A config option should probably be added to support this.
--Mike

On Tue, 2004-09-28 at 07:50, Kellogg, Chris wrote:
> Hi, everyone.
>
> Forgive me, this is a bit of a rehash of an old subject. I am unable to
> get authentication via LDAP to work correctly when I set the 'basedn' to
> the top-level of our AD structure:
>
> basedn = "dc=subdomain,dc=domain,dc=com"
>
> --- radius -sx output ---
> rad_recv: Access-Request packet from host nas-test.domain.com:2180, id=51, length=72
>         User-Name = "username"
>         User-Password = "userpw"
>         Vendor-3076-Attr-32 = 0x00000009
>         NAS-IP-Address = 127.0.0.1
>         NAS-Port-Type = Virtual
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "username" with password "userpw"
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: (re)connect to msad-gc.subdomain.domain.com:389, authentication 0
> rlm_ldap: bind as identity/password to msad-gc.subdomain.domain.com:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: ldap_search() failed: Operations error
> rlm_ldap: ldap_release_conn: Release Id: 0
> Sending Access-Reject of id 51 to nas-test.domain.com:2180
> --- /radius -sx output ---
>
> Inside that sub, there is a series of OUs and DNs. If I set basedn to
> point into one of those:
>
> basedn = "ou=users,dc=subdomain,dc=domain,dc=com"
>
> I am able to get authentication for any user account inside the 'users'
> OU or inside any OU that is underneath the 'users' OU:
>
> --- radius -sx output ---
> rad_recv: Access-Request packet from host nas-test.domain.com:2180, id=53, length=72
>         User-Name = "username"
>         User-Password = "userpw"
>         Vendor-3076-Attr-32 = 0x00000009
>         NAS-IP-Address = 127.0.0.1
>         NAS-Port-Type = Virtual
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "username" with password "userpw"
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: (re)connect to msad-gc.subdomain.domain.com:389, authentication 0
> rlm_ldap: bind as identity/password to msad-gc.subdomain.domain.com:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap: user DN: CN=Name\, User,OU=Testing,OU=users,DC=subdomain,DC=domain,DC=com
> rlm_ldap: (re)connect to msad-gc.subdomain.domain.com:389, authentication 1
> rlm_ldap: bind as CN=Name\, User,OU=Testing,OU=users,DC=subdomain,DC=domain,DC=com/userpw to msad-gc.subdomain.domain.com:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: user username authenticated succesfully
> Sending Access-Accept of id 53 to nas-test.domain.com:2180
> --- /radius -sx output ---
>
> Anyone have any ideas on this? I'm not even sure where to start looking
> on this...
>
> Thanks,
>
> Chris.
>
> Christopher M. Kellogg, GCFW
> Principal Network Administrator, DynCorp, A CSC Company
> 6500 West Freeway Suite 600, Fort Worth, TX
> (817)570-1956 Ofc / (817)737-1638 Fax
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
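As an added example, not code from this thread or from FreeRADIUS: a small Python script that parses `radius -sx` debug output of the shape quoted above and flags the pattern Mike's reply describes (the service bind succeeds, then the user search fails while basedn points at the domain root). The two sample captures embedded in it are constructed from the thread's excerpts, with the password lines left out; the `diagnose` and `is_domain_root` helpers and the wording of the hints are my own, not part of rlm_ldap.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample captures, modelled on the two "radius -sx" excerpts in the
# thread (trimmed, passwords omitted on purpose).
ROOT_BASEDN_CAPTURE = """\
rad_recv: Access-Request packet from host nas-test.domain.com:2180, id=51, length=72
        User-Name = "username"
rlm_ldap: - authenticate
rlm_ldap: (re)connect to msad-gc.subdomain.domain.com:389, authentication 0
rlm_ldap: bind as identity/password to msad-gc.subdomain.domain.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: ldap_search() failed: Operations error
rlm_ldap: ldap_release_conn: Release Id: 0
Sending Access-Reject of id 51 to nas-test.domain.com:2180
"""

OU_BASEDN_CAPTURE = """\
rad_recv: Access-Request packet from host nas-test.domain.com:2180, id=53, length=72
        User-Name = "username"
rlm_ldap: - authenticate
rlm_ldap: (re)connect to msad-gc.subdomain.domain.com:389, authentication 0
rlm_ldap: bind as identity/password to msad-gc.subdomain.domain.com:389
rlm_ldap: Bind was successful
rlm_ldap: user DN: CN=Name\\, User,OU=Testing,OU=users,DC=subdomain,DC=domain,DC=com
rlm_ldap: (re)connect to msad-gc.subdomain.domain.com:389, authentication 1
rlm_ldap: Bind was successful
rlm_ldap: user username authenticated succesfully
Sending Access-Accept of id 53 to nas-test.domain.com:2180
"""

# Line shapes taken from the debug output quoted in the thread.
RE_REQUEST = re.compile(r"^rad_recv: Access-Request packet from host (\S+), id=(\d+)")
RE_CONNECT = re.compile(r"^rlm_ldap: \(re\)connect to ([^:]+):(\d+), authentication (\d)")
RE_SEARCH_FAIL = re.compile(r"^rlm_ldap: ldap_search\(\) failed: (.+)$")
RE_USER_DN = re.compile(r"^rlm_ldap: user DN: (.+)$")
RE_RESULT = re.compile(r"^Sending (Access-Accept|Access-Reject) of id (\d+)")


@dataclass
class Diagnosis:
    request_id: Optional[int] = None
    server: Optional[str] = None
    port: Optional[int] = None
    binds_ok: int = 0                 # count of "Bind was successful" lines
    search_error: Optional[str] = None
    user_dn: Optional[str] = None
    result: Optional[str] = None
    hints: List[str] = field(default_factory=list)


def is_domain_root(basedn: str) -> bool:
    """True when every RDN of basedn is a dc= component, i.e. the search
    starts at the naming-context root rather than inside an OU/container.
    Splits on unescaped commas only, so a DN such as CN=Name\\, User survives."""
    rdns = [r.strip() for r in re.split(r"(?<!\\),", basedn) if r.strip()]
    return bool(rdns) and all(r.lower().startswith("dc=") for r in rdns)


def diagnose(capture: str, basedn: str) -> Diagnosis:
    """Walk one request's worth of debug output and explain a reject."""
    d = Diagnosis()
    for raw in capture.splitlines():
        line = raw.strip()
        m = RE_REQUEST.match(line)
        if m:
            d.request_id = int(m.group(2))
            continue
        m = RE_CONNECT.match(line)
        if m:
            d.server, d.port = m.group(1), int(m.group(2))
            continue
        if line == "rlm_ldap: Bind was successful":
            d.binds_ok += 1
            continue
        m = RE_SEARCH_FAIL.match(line)
        if m:
            d.search_error = m.group(1)
            continue
        m = RE_USER_DN.match(line)
        if m:
            d.user_dn = m.group(1)
            continue
        m = RE_RESULT.match(line)
        if m:
            d.result = m.group(1)

    # Service bind worked, so credentials and connectivity are fine; the
    # search itself is what failed (no user DN was ever found).
    if d.search_error and d.binds_ok >= 1 and d.user_dn is None:
        d.hints.append("service bind succeeded but the user search failed: %s" % d.search_error)
        if is_domain_root(basedn):
            d.hints.append("basedn %r is the domain root; AD answers root searches on "
                           "port %s with referrals that rlm_ldap (as of this thread) "
                           "cannot chase" % (basedn, d.port))
            d.hints.append("narrow basedn to the OU that holds the users, as the "
                           "second capture in the thread does")
    return d


if __name__ == "__main__":
    for cap, base in ((ROOT_BASEDN_CAPTURE, "dc=subdomain,dc=domain,dc=com"),
                      (OU_BASEDN_CAPTURE, "ou=users,dc=subdomain,dc=domain,dc=com")):
        d = diagnose(cap, base)
        print("id=%s %s via %s:%s" % (d.request_id, d.result, d.server, d.port))
        for h in d.hints:
            print("  hint:", h)
```

Two things worth noting when using it. First, `radius -sx` prints the service-account and user passwords in clear (the `User-Password` and `login attempt ... with password` lines above), so captures pasted to a list or ticket should have those lines removed, as the constructed samples here do. Second, as a general Active Directory fact not stated in the thread: a directory-wide search that must not produce referrals is normally sent to the global catalog port (3268, or 3269 over TLS) rather than port 389, which is another way round the problem Mike identifies besides narrowing basedn.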