RE: rlm_ldap: ldap_search() failed: Bad search filter:

2005-12-07 Thread Alhagie Puye
Looks like your syntax is wrong.

Why don't you have parentheses around "sAMAccountName
userAccountControl"? You are also missing an "=" between the two words.


Alhagie Puye - Network Engineer
Datawave Group of Companies
(604)295-1817  

> >-Original Message-
> >From: [EMAIL PROTECTED] 
> >[mailto:[EMAIL PROTECTED] On 
> >Behalf Of Norbert Wegener
> >Sent: December 7, 2005 12:30 PM
> >To: FreeRadius users mailing list
> >Subject: rlm_ldap: ldap_search() failed: Bad search filter: 
> >
> >I am still trying to let freeradius query AD, but not yet 
> >too successful.
> >
> >Using the following vars with ldapsearch, gives me the 
> >desired result, as shown below, but fails with rlm_ldap.
> >##
> >server="mchm967a.tww006.sitest.net "
> >port=3268
> >identity="[EMAIL PROTECTED] "
> >mypass="mypass"
> >basedn="dc=TDE002,dc=SITEST,dc=NET"
> >filter="(&(sAMAccountName=28TEF003$)(objectclass=computer))
> >sAMAccountName userAccountControl"
> >#
> >ldapsearch -x  -h $server -p $port -b $basedn $filter -D 
> >$identity -w $mypass -x
> >
> ># extended LDIF
> >#
> ># LDAPv3
> ># base  with scope sub # filter: 
> >(&(sAMAccountName=28TEF003$)(objectclass=computer))
> ># requesting: sAMAccountName userAccountControl #
> >
> ># 28TEF003, CAT-Computers, OU16, MchP, tde002.sitest.net
> >dn: 
> >CN=28TEF003,OU=CAT-Computers,OU=OU16,OU=MchP,DC=tde002,DC=sit
> >est,DC=net
> >userAccountControl: 4096
> >sAMAccountName: 28TEF003$
> >
> ># search result
> >search: 2
> >result: 0 Success
> >
> ># numResponses: 2
> ># numEntries: 1
> >##
> >So far, so good.
> >When I take the same vars in  radiusd.conf, I get:
> >rlm_ldap: ldap_search() failed: Bad search filter
> >radiusd.conf:
> >
> >
> > ldap ldap1 {
> >server="mchm967a.tww006.sitest.net "
> >port=3268
> >identity="[EMAIL PROTECTED] "
> >mypass="mypass"
> >basedn="dc=TDE002,dc=SITEST,dc=NET"
> >filter="(&(sAMAccountName=28TEF003$)(objectclass=computer))
> >sAMAccountName userAccountControl"
> >ldap_debug= 0x
> >ldap_connections_number = 5
> >timeout = 40
> >timelimit = 30
> >net_timeout = 10
> >tls {
> >}
> >dictionary_mapping = ${raddbdir}/ldap.attrmap
> >}
> >
> >rlm_ldap: Bind was successful
> >rlm_ldap: performing search in dc=TDE002,dc=SITEST,dc=NET, 
> >with filter
> >(&(sAMAccountName=28TEF003$)(objectclass=computer)) 
> >sAMAccountName userAccountControl
> >ldap_search
> >put_filter: "(&(sAMAccountName=28TEF003$)(objectclass=computer))
> >sAMAccountName userAccountControl"
> >put_filter: AND
> >put_filter_list "(sAMAccountName=28TEF003$)(objectclass=computer)"
> >put_filter: "(sAMAccountName=28TEF003$)"
> >put_filter: simple
> >put_simple_filter: "sAMAccountName=28TEF003$"
> >put_filter: "(objectclass=computer)"
> >put_filter: simple
> >put_simple_filter: "objectclass=computer"
> >put_filter: default
> >put_simple_filter: "sAMAccountName userAccountControl"
> >rlm_ldap: ldap_search() failed: Bad search filter: 
> >(&(sAMAccountName=28TEF003$)(objectclass=computer)) 
> >sAMAccountName userAccountControl
> >ldap_msgfree
> >rlm_ldap: search failed
> >
> >What am I doing wrong?
> >Thanks
> >Norbert Wegener
> >
> >
> >-
> >List info/subscribe/unsubscribe? See 
> >http://www.freeradius.org/list/users.html
> >





Re: rlm_ldap: ldap_search() failed: Bad search filter:

2005-12-07 Thread Norbert Wegener

Alhagie Puye wrote:

> Looks like your syntax is wrong

The error message lets me assume it is so, yes.
The parentheses did not change anything.
I want to extract sAMAccountName and userAccountControl from the AD and do 
not want to compare them.
As mentioned, it works with ldapsearch and I wonder where the 
differences to rlm_ldap are.

Norbert


> Why don't you have parentheses around "sAMAccountName
> userAccountControl"? You are also missing an "=" between the two words.
>
> Alhagie Puye - Network Engineer
> Datawave Group of Companies
> (604)295-1817

 




Re: rlm_ldap: ldap_search() failed: Bad search filter:

2005-12-07 Thread Nicolas Baradakis
Norbert Wegener wrote:

> When I take the same vars in  radiusd.conf, I get:
> rlm_ldap: ldap_search() failed: Bad search filter
> radiusd.conf:
>
> ldap ldap1 {
> server="mchm967a.tww006.sitest.net "
> port=3268
> identity="[EMAIL PROTECTED] "
> mypass="mypass"
> basedn="dc=TDE002,dc=SITEST,dc=NET"
> filter="(&(sAMAccountName=28TEF003$)(objectclass=computer)) 
> sAMAccountName userAccountControl"

I don't think you can append a list of attributes to the
filter. (like in ldap_search)

-- 
Nicolas Baradakis

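The distinction Nicolas draws, as an added example that is not code from the thread or from FreeRADIUS: a minimal checker for the RFC 4515 filter grammar (one parenthesised expression and nothing after it), run against the exact filter value from the posted radiusd.conf, plus a helper showing how the shell turned that same string into a filter and two attribute arguments for ldapsearch. The function names and the regex are this example's own assumptions, not rlm_ldap internals.

```python
import re

# One simple filter item: attribute, operator, assertion value (no raw parens;
# RFC 4515 requires "(" ")" "*" "\" inside values to be escaped as \28 etc.).
_SIMPLE = re.compile(r"^[A-Za-z][\w.;-]*(=|~=|>=|<=)[^()]*$")


def _parse(s, i):
    """Parse one parenthesised component starting at s[i]; return index after ')'."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise ValueError("unterminated filter")
    if s[i] in "&|":                     # AND / OR: a list of sub-filters
        i, n = i + 1, 0
        while i < len(s) and s[i] == "(":
            i, n = _parse(s, i), n + 1
        if n == 0:
            raise ValueError("empty AND/OR filter list")
    elif s[i] == "!":                    # NOT: exactly one sub-filter
        i = _parse(s, i + 1)
    else:                                # simple item, runs up to the next ')'
        j = s.find(")", i)
        if j < 0 or not _SIMPLE.match(s[i:j]):
            raise ValueError(f"bad simple filter: {s[i:j]!r}")
        i = j
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1


def check_filter(text):
    """Return (ok, reason); ok is False if anything follows the closing ')'."""
    s = text.strip()
    try:
        end = _parse(s, 0)
    except ValueError as e:
        return False, str(e)
    if s[end:]:
        return False, f"trailing text after filter: {s[end:].strip()!r}"
    return True, "ok"


def split_ldapsearch_args(arg):
    """What the shell did in the ldapsearch run: the first word is the filter,
    every further word becomes a separate attribute argument."""
    words = arg.split()
    return words[0], words[1:]


# Constructed input: the value from the posted radiusd.conf, newline included.
POSTED_FILTER = ('(&(sAMAccountName=28TEF003$)(objectclass=computer))\n'
                 'sAMAccountName userAccountControl')
```

In rlm_ldap the attributes to fetch come from the dictionary_mapping file (ldap.attrmap in the posted config), so the filter string carries the search expression only.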


Re: rlm_ldap: ldap_search() failed: Bad search filter:

2005-12-08 Thread Norbert Wegener

Nicolas Baradakis wrote:

> Norbert Wegener wrote:
>
> > When I take the same vars in  radiusd.conf, I get:
> > rlm_ldap: ldap_search() failed: Bad search filter
> > radiusd.conf:
> >
> > ldap ldap1 {
> > server="mchm967a.tww006.sitest.net "
> > port=3268
> > identity="[EMAIL PROTECTED] "
> > mypass="mypass"
> > basedn="dc=TDE002,dc=SITEST,dc=NET"
> > filter="(&(sAMAccountName=28TEF003$)(objectclass=computer)) 
> > sAMAccountName userAccountControl"
>
> I don't think you can append a list of attributes to the
> filter. (like in ldap_search)

Thank you, that has obviously been a difference between ldapsearch and 
rlm_ldap.

Now I get the information from AD also via radius.

Nevertheless, there is another point:
The server above is a global catalogue server. When asking the domain 
server directly, this again works with the following parameters using 
ldapsearch:

server="tde002.sitest.net"
port=389
identity="[EMAIL PROTECTED]"
passwd="mypasswd"
#basedn = "dc=SITEST,dc=NET"
basedn="dc=tde002,dc=SITEST,dc=NET"
filter="(&(sAMAccountName=28tef003*)(objectclass=computer)) "


The same parameters within radiusd.conf give me, among other things, "Bind was successful":
...

rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to tde002.sitest.net:389, authentication 0
rlm_ldap: bind as [EMAIL PROTECTED]/ to tde002.sitest.net:389
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
...
rlm_ldap: waiting for bind result ...
ldap_result msgid 1
..
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
ldap_read: message type bind msgid 1, original id 1
...
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_result
ldap_msgfree
rlm_ldap: Bind was successful


So far, so good, but later I get:
...
read1msg:  V2 referral chased, mark request completed, id = 3
new result:  res_errno: 1, res_error: <: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece>, res_matched: <>
read1msg:  0 new referrals
read1msg:  mark request completed, id = 3
merged parent (id 2) error info:  result errno 1, error <: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece>, matched <>
request 2 done
res_errno: 1, res_error: <: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece>, res_matched: <>

The complete output is lengthy and therefore not part of this mail.
It can be found at
http://www.wegener-net.de/fr together with radiusd.conf.

Any hint would be appreciated.
Norbert Wegener






Re: rlm_ldap: ldap_search() failed: Bad search filter:

2005-12-08 Thread Alan DeKok
Norbert Wegener <[EMAIL PROTECTED]> wrote:
> So far, so good, but later I get:
> ...
> read1msg:  V2 referral chased, mark request completed, id = 3
> new result:  res_errno: 1, res_error: <: LdapErr: DSID-0C090627, 

  Ah, yes.  There's a bug in bugzilla about using anonymous bind to
chase referrals for AD.  The patch there may help.

  Or, update your query so that the referral chasing doesn't happen
between AD domains.  i.e. qualify it more, like adding "ou=users", or
something.

  Alan DeKok.



Re: rlm_ldap: ldap_search() failed: Bad search filter:

2005-12-08 Thread Norbert Wegener

Alan DeKok wrote:

> Norbert Wegener <[EMAIL PROTECTED]> wrote:
> > So far, so good, but later I get:
> > ...
> > read1msg:  V2 referral chased, mark request completed, id = 3
> > new result:  res_errno: 1, res_error: <: LdapErr: DSID-0C090627, 
>
>   Ah, yes.  There's a bug in bugzilla about using anonymous bind to
> chase referrals for AD.  The patch there may help.


Thank you, but unfortunately the patch mentioned there
( http://users.ntua.gr/tmp.tmp/rlm_ldap.patch )
does not apply to the actual sources anymore :-(.
Norbert Wegener


> Or, update your query so that the referral chasing doesn't happen
> between AD domains.  i.e. qualify it more, like adding "ou=users", or
> something.
>
> Alan DeKok.
