Alan,

I've tested it further and you are right, the search isn't recursively
entering the tree. What in the search changed between 1.01 (which works)
and 1.04 (which returns errors when trying to enter the OUs)? Is it
possible to revert to the 1.01 search under 1.04?

Many thanks,
Stephen Walsh
[EMAIL PROTECTED]
Client Support Officer (Technology)
Australian Catholic University (Limited)
PO Box 256, Dickson ACT 2602
Phone: +61 2 6209 1133
Fax: +61 2 6209 1179
Mobile: +61 419 496796
+++++++++++++++++++++++++++++++++++++++++++++++++
CRICOS Registration: 00004G, 00112C, 00873F, 00885B
ABN 15 050 192 660
+++++++++++++++++++++++++++++++++++++++++++++++++

From: "Alan DeKok" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Date: 25/01/2006 04:16 AM
To: FreeRadius users mailing list <[EMAIL PROTECTED]>
Subject: Re: AD ldap bind works with 1.01, fails with 1.04
Please respond to: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>

Stephen Walsh <[EMAIL PROTECTED]> wrote:
> ldap_search() failed: Operations error

It's a combination of factors. What's happening is that your LDAP
search isn't fully qualified, so when something isn't found in
"students", AD returns a referral to "staff". OpenLDAP fails to use
the authentication credentials for the referral that it was given for
the original query.

And lo, "operations error", which is such a useful message.

It's a cross-domain referral problem. You have a "staff" domain,
and a "student" domain, each of which trusts the other in AD.

The solution is to fully qualify all of the queries so that AD
doesn't return a referral. Adding "ou=people" (or something
like that) will usually do the trick.

Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
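
One way to check the fix described in the quoted reply, as an added example that is not part of the original thread or of FreeRADIUS: run the same search with `ldapsearch` against each candidate base DN and list the referrals in its output. The sample outputs, host names and DNs are constructed, and the function names are hypothetical.

```python
from urllib.parse import urlsplit, unquote

# Constructed ldapsearch output (LDIF) for a search rooted at the top of a
# hypothetical "students" domain. Hosts and DNs are made up for illustration.
SAMPLE_UNQUALIFIED = "\n".join([
    "dn: CN=jdoe,OU=People,DC=students,DC=example,DC=edu",
    "sAMAccountName: jdoe",
    "",
    "# search reference",
    "ref: ldap://staff.example.edu/DC=staff,DC=example,DC=edu",
    "",
    "# search reference",
    "ref: ldap://DomainDnsZones.students.example.edu/DC=DomainDnsZones,",
    " DC=students,DC=example,DC=edu",  # LDIF folds long lines like this
])

# Constructed output for the same search with the base DN narrowed to the OU.
SAMPLE_QUALIFIED = "\n".join([
    "dn: CN=jdoe,OU=People,DC=students,DC=example,DC=edu",
    "sAMAccountName: jdoe",
])

def unfold(ldif):
    """Join LDIF continuation lines (a line that starts with one space)."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def referrals(ldif):
    """Return (host, base DN) for every 'ref:' URL in the search output."""
    found = []
    for line in unfold(ldif):
        if line.lower().startswith("ref: "):
            url = urlsplit(line[5:].strip())
            found.append((url.hostname, unquote(url.path.lstrip("/"))))
    return found

def foreign_hosts(ldif, own_domain):
    """Referral hosts outside own_domain, where the client must bind again."""
    own = own_domain.lower()
    return sorted({h for h, _ in referrals(ldif)
                   if h and h != own and not h.endswith("." + own)})

if __name__ == "__main__":
    for name, out in (("unqualified", SAMPLE_UNQUALIFIED),
                      ("qualified", SAMPLE_QUALIFIED)):
        print(name, referrals(out), foreign_hosts(out, "students.example.edu"))
```

An empty result from `foreign_hosts` for the base DN the server is configured with means AD answered without referring the client to the other domain.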