Re: AD ldap bind works with 1.01, fails with 1.04
Stephen Walsh <[EMAIL PROTECTED]> wrote:
> Thanks for the reply. We ended up reverting the production box to FC3 and
> 1.01, only to have it fail with the same error!

I'm not surprised. I don't think it *ever* worked in 1.0.1.

> I also found an entry on a forum that referred to having to change the
> heuristic search value on the AD DC, I've pasted it below in the hope it
> may help someone in the future with the same problem.

That helps a lot. I've added it to doc/rlm_ldap.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: AD ldap bind works with 1.01, fails with 1.04
> I have no idea. I've looked, and can't see anything that would
> affect that.
>
> Alan DeKok.

Hi Alan

Thanks for the reply. We ended up reverting the production box to FC3 and 1.01, only to have it fail with the same error!

I've since written an ldap module for each student campus/ou, specifying it down to the ou to search in.

ldap Canberra {
    basedn = "ou=students,ou=users,ou=signadou,dc=student(etc)"
}

and then added an entry for each in Authorize and Authenticate. Why my test box with FC3/1.01 works and nothing else does is beyond me, but this clunky option seems to work.

It may be of interest to note that our Student tree is native w2k3, while our staff tree is w2k.

I also found an entry on a forum that referred to having to change the heuristic search value on the AD DC. I've pasted it below in the hope it may help someone in the future with the same problem.

dmeehan at flcancer dot com
12-Aug-2004 04:26

If you're having problems running LDAP searches on the base DC against Active Directory 2k3, you need to set dsHeuristics to 002 in Active Directory. This allows searches to function similar to how they did in Active Directory 2k2.

You can update dsHeuristics by launching ldp.exe, go to 'connection' and create a new connection. Then go to bind and bind to your ldap server. Next select the 'Browse' menu and choose 'modify'.

The DN *might* look like this:
CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=mycompany,DC=com

Attribute is: dsHeuristics
Value is: 002

Set the operation to replace and you should be set. This solves the 'Operations error' error that happens when attempting to search without specifying an OU.

-d
Re: AD ldap bind works with 1.01, fails with 1.04
Stephen Walsh <[EMAIL PROTECTED]> wrote:
> I've tested it further and you are right, the search isn't recursively
> entering the tree. What in the search changed between 1.01 (which works)
> and 1.04 (which returns errors when trying to enter the OU's)?

I have no idea. I've looked, and can't see anything that would affect that.

Alan DeKok.
Re: AD ldap bind works with 1.01, fails with 1.04
Alan;

I've tested it further and you are right, the search isn't recursively entering the tree. What in the search changed between 1.01 (which works) and 1.04 (which returns errors when trying to enter the OU's)? Is it possible to revert to the 1.01 search under 1.04?

many thanks

Stephen Walsh
[EMAIL PROTECTED]
Client Support Officer (Technology)
Australian Catholic University (Limited)
PO Box 256, Dickson ACT 2602
Phone: +61 2 6209 1133
Fax: +61 2 6209 1179
Mobile: +61 419 496796
CRICOS Registration: 4G, 00112C, 00873F, 00885B
ABN 15 050 192 660

"Alan DeKok" <[EMAIL PROTECTED]> wrote to the FreeRadius users mailing list on 25/01/2006 04:16 AM, Subject: Re: AD ldap bind works with 1.01, fails with 1.04:

> Stephen Walsh <[EMAIL PROTECTED]> wrote:
> > ldap_search() failed: Operations error
>
> It's a combination of factors. What's happening is that your LDAP search
> isn't fully qualified, so when something isn't found in "students", AD
> returns a referral to "staff". OpenLDAP fails to use the authentication
> credentials for the referral that it was given for the original query.
> And lo, "operations error", which is such a useful message.
>
> It's a cross-domain referral problem. You have a "staff" domain, and a
> "student" domain, each of which trusts each other in AD.
>
> The solution is to fully qualify all of the queries so that AD doesn't
> return a referral. Usually adding "ou=people" (or something like that)
> will usually do the trick.
>
> Alan DeKok.
Re: AD ldap bind works with 1.01, fails with 1.04
Stephen Walsh <[EMAIL PROTECTED]> wrote:
> ldap_search() failed: Operations error

It's a combination of factors. What's happening is that your LDAP search isn't fully qualified, so when something isn't found in "students", AD returns a referral to "staff". OpenLDAP fails to use the authentication credentials for the referral that it was given for the original query. And lo, "operations error", which is such a useful message.

It's a cross-domain referral problem. You have a "staff" domain, and a "student" domain, each of which trusts each other in AD.

The solution is to fully qualify all of the queries so that AD doesn't return a referral. Usually adding "ou=people" (or something like that) will usually do the trick.

Alan DeKok.
AD ldap bind works with 1.01, fails with 1.04
Hi Folks

We're implementing freeradius with EAP/TLS for our wireless and have found a strange happening with 1.04. This will only happen when attempting to query our student domain (w2k3 AD tree), but not our staff (w2k3 AD tree). If I remove the section (below) for student, it will authenticate staff and log them on happily.

At the moment, we have

        acu.edu.au
            |
          /   \
      staff   student

I have a test box with FC3/FreeRadius 1.01 which will search through both domains and authenticate the user. I copy the config over to the FC4/FreeRadius 1.04 box and it works on staff, but returns the following on student (the tree is laid out the same as staff);

ldap_search() failed: Operations error

Is this a bug (known or unknown) or have I just not allowed something like referrals to work? I don't want to have to put openldap on the radius box if I can help it, but if that's the only solution then we'll reassess 1.01 on FC3.

Config is as below (some sanitisation done to protect the innocent networks involved).

ldap student {
    server = "192.148.xxx.xxx"
    identity = "cn=x,cn=users,dc=student,dc=acu,dc=edu,dc=au"
    password = "x"
    basedn = "dc=student,dc=acu,dc=edu,dc=au"
    filter = "(samaccountname=%{Stripped-User-Name:-%{User-Name}})"
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
}

ldap staff {
    server = "192.148.xxx.xxx"
    identity = "cn=xx,cn=users,dc=staff,dc=acu,dc=edu,dc=au"
    password = "xx"
    basedn = "dc=staff,dc=acu,dc=edu,dc=au"
    filter = "(samaccountname=%{Stripped-User-Name:-%{User-Name}})"
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
}

authorize {
    suffix
    eap
    staff
    student
}

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type LDAP {
        student
        staff
    }
    eap
}

many thanks

Stephen Walsh
Client Support Officer (Technology)
Australian Catholic University (Limited)
PO Box 256, Dickson ACT 2602
Phone: +61 2 6209 1133
Fax: +61 2 6209 1179
Mobile: +61 419 496796
CRICOS Registration: 4G, 00112C, 00873F, 00885B
ABN 15 050 192 660
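An added check that follows from Alan's diagnosis and Stephen's per-ou workaround above; it is not code from the thread or from FreeRADIUS. It reads rlm_ldap module blocks written in the style of the config above and flags every basedn that consists only of dc= components (a domain root, the shape that drew cross-domain referrals here), while a base qualified down to an ou, like the Canberra module, passes. The sample config is constructed for the example.

```python
import re

# Constructed sample in the thread's rlm_ldap style; not the poster's real config.
SAMPLE_CONFIG = """
ldap student {
    server = "192.148.xxx.xxx"
    basedn = "dc=student,dc=acu,dc=edu,dc=au"
    filter = "(samaccountname=%{Stripped-User-Name:-%{User-Name}})"
}
ldap staff {
    basedn = "dc=staff,dc=acu,dc=edu,dc=au"
}
ldap Canberra {
    basedn = "ou=students,ou=users,ou=signadou,dc=student,dc=acu,dc=edu,dc=au"
}
"""

MODULE_RE = re.compile(r'^\s*ldap\s+(\S+)\s*\{')
BASEDN_RE = re.compile(r'^\s*basedn\s*=\s*"([^"]*)"')

def base_dns(config_text):
    """Map each 'ldap <name> {' block to its basedn; line-oriented so the %{...} braces in filter lines cannot confuse it."""
    out, current = {}, None
    for line in config_text.splitlines():
        m = MODULE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = BASEDN_RE.match(line)
        if m and current:
            out[current] = m.group(1)
        elif line.strip() == '}':
            current = None
    return out

def rdn_types(dn):
    # Attribute type of each RDN, splitting only on unescaped commas.
    rdns = re.split(r'(?<!\\),', dn)
    return [r.split('=', 1)[0].strip().lower() for r in rdns if r.strip()]

def is_domain_root(dn):
    """True when the base is nothing but dc= components, i.e. a domain root."""
    # A subtree search from a domain root can be answered with a referral to the
    # other domain, which the OpenLDAP client cannot follow with the original bind
    # credentials: the 'Operations error' seen in the thread.
    types = rdn_types(dn)
    return bool(types) and all(t == 'dc' for t in types)

def check(config_text):
    """Return {module: 'referral-risk' | 'ok'} for every ldap instance found."""
    return {name: ('referral-risk' if is_domain_root(dn) else 'ok')
            for name, dn in base_dns(config_text).items()}
```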