Hello.
I'm attempting to bring up a FreeRadius-2.1.1 rig that auths against AD.
NTLM authentication seems to work well, but LDAP authorisation appears to
hit a problem when extracting the DN:
rlm_ldap: Entering ldap_groupcmp()
[files] expand: ou=staff,dc=uk,dc=mydomain,dc=com ->
ou=staff,dc=uk,dc=mydomain,dc=com
[files] expand: (sAMAccountName=%{mschap:User-Name}) ->
(sAMAccountName=jhreed)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=staff,dc=uk,dc=mydomain,dc=com, with
filter (sAMAccountName=jhreed)
rlm_ldap: ldap_release_conn: Release Id: 0
[files] expand:
(|(&(objectClass=GroupOfNames)(member=%{check:Ldap-UserDn}))(&(objectClass=G
roupOfUniqueNames)(uniquemember=%{check:Ldap-UserDn}))) ->
(|(&(objectClass=GroupOfNames)(member=CN\3dJohn
Hawkes-Reed\2cOU\3dIT\2cOU\3dStaff\2cDC\3duk\2cDC\3dmydomain\2cDC\3dcom))(&(
objectClass=GroupOfUniqueNames)(uniquemember=CN\3dJohn
Hawkes-Reed\2cOU\3dIT\2cOU\3dStaff\2cDC\3duk\2cDC\3dmydomain\2cDC\3dcom)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in cn=vpn-users,ou=Security
Groups,ou=Groups,dc=uk,dc=mydomain,dc=com, with filter
(|(&(objectClass=GroupOfNames)(member=CN\3dJohn
Hawkes-Reed\2cOU\3dIT\2cOU\3dStaff\2cDC\3duk\2cDC\3dmydomain\2cDC\3dcom))(&(
objectClass=GroupOfUniqueNames)(uniquemember=CN\3dJohn
Hawkes-Reed\2cOU\3dIT\2cOU\3dStaff\2cDC\3duk\2cDC\3dmydomain\2cDC\3dcom)))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group cn=vpn-users,ou=Security
Groups,ou=Groups,dc=uk,dc=mydomain,dc=com not found or user is not a member.
Running ldapsearch against AD shows the following:
# vpn-users, Security Groups, Groups, uk.mydomain.com
dn: CN=vpn-users,OU=Security Groups,OU=Groups,DC=uk,DC=mydomain,DC=
com
objectClass: top
objectClass: group
cn: vpn-users
member: CN=John Hawkes-Reed,OU=IT,OU=Staff,DC=uk,DC=mydomain,DC=com
distinguishedName: CN=vpn-users,OU=Security
Groups,OU=Groups,DC=uk,DC=mydomain,DC=com
I can find a similar bug mentioned in the archives, but that appeared to be
an older version of the code.
Hopefully that's enough debug to enable someone to point me in the right
direction. (Other than 'Don't use AD then...')
--
John Hawkes-Reed
--
Future Publishing Limited (registered company number 2008885) is a wholly owned
subsidiary of Future plc (registered company number 3757874), both of which are
incorporated in England and Wales and share the same registered address at
Beauford Court, 30 Monmouth Street, Bath BA1 2BW.
This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to which they are addressed. If
you have received this email in error please reply to this email and then
delete it. Please note that any views or opinions presented in this email are
solely those of the author and do not necessarily represent those of Future.
The recipient should check this email and any attachments for the presence of
viruses. Future accepts no liability for any damage caused by any virus
transmitted by this email.
Future may regularly and randomly monitor outgoing and incoming emails and
other telecommunications on its email and telecommunications systems. By
replying to this email you give your consent to such monitoring.
*****
Save resources: think before you print.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
