Numerous posts about Active Directory OU searching and FreeRadius can be found easily via Google, but none seem to have the definitive answer/workaround for the "Windows 2003 rebind failure when searching the root of the active directory".

On the latest freeradius-2.0.3 compiled from source, I get the rlm_ldap errors below whenever I use the basedn = "dc=my,dc=domainname,dc=com":

    rlm_ldap: ldap_search() failed: Operations error
    rlm_ldap: search failed

I am binding to LDAP with a username/password (not anonymous).

All seem to point back to bug 183, which has been open for a long time:
http://bugs.freeradius.org/show_bug.cgi?id=183

Is this bug still considered valid? What further needs to be done to get the patch or a similar fix integrated into the main code tree, especially the 2.0 release?

I see the patch there, and have applied it to my old freeradius-1.0.1 installation, but stability issues prompted me to investigate an upgrade, and I am not entirely sure that the patch didn't *cause* my stability problems to begin with (the comment by Alan DeKok in the bugzilla entry sounds a little ominous).

FWIW, my specific stability problem is the following:

    Wed Apr 2 17:40:31 2008 : Error: rlm_ldap: All ldap connections are in use
    Wed Apr 2 17:40:31 2008 : Error: rlm_ldap: All ldap connections are in use
    Wed Apr 2 17:40:31 2008 : Error: rlm_ldap: All ldap connections are in use
    Wed Apr 2 17:40:31 2008 : Error: rlm_ldap: All ldap connections are in use
    Wed Apr 2 17:40:31 2008 : Error: rlm_ldap: All ldap connections are in use

And the server rejects all requests until it is restarted. The server is not under a high load. The errors only occur after the server has been running for a few weeks. I could increase ldap_connections_number, but I suspect that will only band-aid the problem so it runs for a few more weeks before failing.
My LDAP configuration block is below:

    ldap {
        server = "xxx"
        identity = "[EMAIL PROTECTED]"
        password = zzz
        basedn = "dc=my,dc=domain,dc=com"
        filter = "(SamAccountName=%U)"
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        # tls { start_tls = no }
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
        groupmembership_filter = "(&(objectClass=Group)(member=%{Ldap-UserDn}))"
    }

I would be happy to produce more configuration files upon request, if it would help. Thoughts are appreciated.
Scott
Sr. Network Engineer
Great River Energy

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
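The post describes a failure that only shows up after weeks of uptime and then takes the whole server down until a restart, so the operational gap is noticing the "All ldap connections are in use" condition early. The following is an added example (not code from the post or from the FreeRADIUS project) that parses the log-line format quoted above and raises an alert once pool-exhaustion messages repeat; the sample log and its timestamps are constructed, and the alert threshold is an assumed value.

```python
import re
from collections import Counter

# Line format as quoted in the post above, e.g.
#   Wed Apr 2 17:40:31 2008 : Error: rlm_ldap: All ldap connections are in use
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : "
    r"(?P<level>\w+): (?P<module>rlm_\w+): (?P<msg>.*)$"
)

POOL_EXHAUSTED = "All ldap connections are in use"
SEARCH_FAILED = "ldap_search() failed"

# Constructed sample log: hypothetical timestamps, message text as in the post.
SAMPLE_LOG = """\
Wed Apr 2 17:39:58 2008 : Auth: Login OK: [jdoe] (from client nas1 port 0)
Wed Apr 2 17:40:02 2008 : Error: rlm_ldap: ldap_search() failed: Operations error
Wed Apr 2 17:40:02 2008 : Error: rlm_ldap: search failed
Wed Apr 2 17:40:31 2008 : Error: rlm_ldap: All ldap connections are in use
Wed Apr 2 17:40:31 2008 : Error: rlm_ldap: All ldap connections are in use
Wed Apr 2 17:40:31 2008 : Error: rlm_ldap: All ldap connections are in use
Wed Apr 2 17:40:31 2008 : Error: rlm_ldap: All ldap connections are in use
Wed Apr 2 17:40:31 2008 : Error: rlm_ldap: All ldap connections are in use
"""


def parse_line(line):
    """Split one log line into fields; return None for lines not emitted by an rlm_ module."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(msg):
    """Bucket an rlm_ldap message by the two failure modes discussed in the post."""
    if msg == POOL_EXHAUSTED:
        return "pool_exhausted"
    if msg.startswith(SEARCH_FAILED):
        return "search_failed"
    return "other"


def summarize(log_text, pool_threshold=3):
    """Count rlm_ldap failures and produce alerts once pool exhaustion repeats.

    pool_threshold is an assumed value: how many exhaustion messages must be
    seen before the condition is reported.
    """
    counts = Counter({"pool_exhausted": 0, "search_failed": 0, "other": 0})
    first_exhaustion = None
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["module"] != "rlm_ldap":
            continue
        bucket = classify(rec["msg"])
        counts[bucket] += 1
        if bucket == "pool_exhausted" and first_exhaustion is None:
            first_exhaustion = rec["ts"]

    alerts = []
    if counts["pool_exhausted"] >= pool_threshold:
        alerts.append(
            f"rlm_ldap connection pool exhausted {counts['pool_exhausted']} times "
            f"since {first_exhaustion}; the server is likely rejecting all requests"
        )
    if counts["search_failed"]:
        alerts.append(
            f"{counts['search_failed']} ldap_search() failure(s); "
            f"check the basedn and search configuration"
        )
    return {"counts": dict(counts), "alerts": alerts}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(result["counts"])
    for alert in result["alerts"]:
        print("ALERT:", alert)
```

Run it against radius.log (or feed it lines from a log shipper); the counts separate the search failure the post asks about from the pool exhaustion that actually takes the server down, so the two can be tracked independently rather than discovered when authentication stops.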