Moe, John <j...@hatch.com.au> wrote:
>
> So I've gone back to FR's LDAP module and thought I'd give "ldap_debug" a
> try, despite the warning. Surprisingly, it spit out one extra line in my debug:
>
> rlm_ldap: performing search in dc=my,dc=domain,dc=name, with filter (sAMAccountName=username)
> Unable to chase referral "ldap://my.domain.name/dc=my,dc=domain,dc=name" (-1: Can't contact LDAP server)
> rlm_ldap: ldap_search() failed: Referral
>
> If I copy and paste that url "ldap://my.domain.name/dc=my,dc=domain,dc=name"
> into my Windows box, it opens LDAP Browser and connects just fine to my
> domain, so I assume the syntax of that is right. And if I use just
> "my.domain.name" in ldapsearch as the host, it works there as well. Any idea
> why this wouldn't work?
>
Looks like[2] if you do not make an anonymous bind to AD your problems might
go away or, alternatively, change your base to be not the root of your directory.

> Out of curiosity, do I need to configure OpenLDAP on the server at all? Or
> does this module's conf take care of that for me, for this purpose?
>
No need in theory, I personally do just to fix up certificate validation[1]
when using ldapsearch and whatnot though.

Cheers

[1] TLS_CACERT /etc/ssl/certs/ca-certificates.crt

[2] http://lists.cistron.nl/pipermail/freeradius-users/2005-December/msg00228.html
    and http://bytes.com/topic/php/answers/11274-use-php-authenticate-ad

--
Alexander Clouter
.sigmonster says: You are magnetic in your bearing.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
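To make the diagnosis in the reply above checkable from the debug output, here is an added example (mine, not FreeRADIUS or rlm_ldap code) that parses debug lines like the ones quoted, pulls out the search base and the host in the referral, and reports whether the base is the domain root, which is the case where the "don't bind anonymously or move the base below the root" advice applies. The sample log is constructed from the quoted lines.

```python
import re

# Constructed sample of rlm_ldap debug output, modelled on the lines quoted
# in the thread; not a real capture.
SAMPLE_DEBUG = (
    "rlm_ldap: performing search in dc=my,dc=domain,dc=name, with filter (sAMAccountName=username)\n"
    'Unable to chase referral "ldap://my.domain.name/dc=my,dc=domain,dc=name" (-1: Can\'t contact LDAP server)\n'
    "rlm_ldap: ldap_search() failed: Referral\n"
)

SEARCH_RE = re.compile(r"performing search in (?P<base>.+?), with filter (?P<filter>\(.*\))")
REFERRAL_RE = re.compile(r'Unable to chase referral "ldap://(?P<host>[^/"]+)/(?P<dn>[^"]*)"')


def domain_root_dn(dns_name):
    """Map a DNS domain name to the DN AD uses for its domain naming context."""
    return ",".join("dc=" + label for label in dns_name.strip(".").split("."))


def normalize_dn(dn):
    """Lower-case and strip whitespace so DNs compare by value, not spelling."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def diagnose(debug_text):
    """Return a summary of a failed referral chase, or None if the log shows none."""
    base = filt = host = None
    for line in debug_text.splitlines():
        if m := SEARCH_RE.search(line):
            base, filt = m.group("base"), m.group("filter")
        elif m := REFERRAL_RE.search(line):
            host = m.group("host")
    if host is None or "ldap_search() failed: Referral" not in debug_text:
        return None
    # AD answers subtree searches that start at the domain root with referrals
    # to its other naming contexts, so compare the base with the root DN
    # derived from the referral host.
    at_root = base is not None and normalize_dn(base) == normalize_dn(domain_root_dn(host))
    if at_root:
        advice = "bind with a service account rather than anonymously, or move the base below the domain root"
    else:
        advice = "bind with a service account rather than anonymously"
    return {"base": base, "filter": filt, "referral_host": host,
            "base_is_domain_root": at_root, "advice": advice}


if __name__ == "__main__":
    print(diagnose(SAMPLE_DEBUG))
```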