Moe, John <j...@hatch.com.au> wrote:
> 
> So I've gone back to FR's LDAP module and thought I'd give "ldap_debug" a 
> try, 
> despite the warning.  Surprisingly, it spit out one extra line in my debug:
> 
> rlm_ldap: performing search in dc=my,dc=domain,dc=name, with filter 
> (sAMAccountName=username)
> Unable to chase referral "ldap://my.domain.name/dc=my,dc=domain,dc=name" (-1: 
> Can't contact LDAP server)
> rlm_ldap: ldap_search() failed: Referral
> 
> If I copy and paste that url "ldap://my.domain.name/dc=my,dc=domain,dc=name" 
> into my Windows box, it opens LDAP Browser and connects just fine to my 
> domain, so I assume the syntax of that is right.  And if I use just 
> "my.domain.name" in ldapsearch as the host, it works there as well.  Any idea 
> why this wouldn't work?
> 
Looks like[2] if you do not make an anonymous bind to AD your problems 
might go away, or alternatively change your base to not be the root of 
your directory.

> Out of curiosity, do I need to configure OpenLDAP on the server at all?  Or 
> does this module's conf take care of that for me, for this purpose?
> 
No need in theory, I personally do just to fix up certificate 
validation[1] when using ldapsearch and whatnot though.

Cheers

[1] TLS_CACERT /etc/ssl/certs/ca-certificates.crt
[2] http://lists.cistron.nl/pipermail/freeradius-users/2005-December/msg00228.html
    and http://bytes.com/topic/php/answers/11274-use-php-authenticate-ad

-- 
Alexander Clouter
.sigmonster says: You are magnetic in your bearing.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
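
The two suggestions in the reply (bind with credentials instead of anonymously, and search a base below the domain root) as an rlm_ldap fragment. This is an added example, not config from the thread or from the FreeRADIUS project; it assumes the FreeRADIUS 2.x raddb/modules/ldap syntax, and the server name, service-account DN, container and password are placeholders.

```conf
# BEFORE: no identity/password, so rlm_ldap binds anonymously, and basedn
# is the root of the domain.  A subtree search from the domain root is the
# setup in which the "Unable to chase referral" error above was seen.
ldap {
	server = "my.domain.name"
	basedn = "dc=my,dc=domain,dc=name"
	filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
	ldap_debug = 0x0028
}

# AFTER: bind as a service account (assumed DN) and search the container
# that actually holds the user objects, so the search does not have to
# wander into other naming contexts.
ldap {
	server = "my.domain.name"
	identity = "cn=freeradius,cn=Users,dc=my,dc=domain,dc=name"
	# Clear-text credential: keep this file readable only by root and
	# the user FreeRADIUS runs as.
	password = "change-me"
	basedn = "cn=Users,dc=my,dc=domain,dc=name"
	filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
	ldap_debug = 0x0028
	# Only if the search really must start at the domain root: let
	# rlm_ldap follow AD's referrals and re-bind with the same identity.
	# The 2.x module config notes these two are to be set together.
	chase_referrals = yes
	rebind = yes
}
```

Before restarting radiusd, reproduce the module's query from the same host with the same bind DN and base, so a failure is attributable to the directory rather than to rlm_ldap: `ldapsearch -x -H ldap://my.domain.name -D "cn=freeradius,cn=Users,dc=my,dc=domain,dc=name" -W -b "cn=Users,dc=my,dc=domain,dc=name" "(sAMAccountName=username)"`. If that returns the user entry without a referral, the rlm_ldap block above should behave the same way.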
