I've configured my server to successfully authenticate against AD using my ldap 
module.

However, my users are in multiple OUs, and I can only specify one basedn at a 
time.  I know that's probably not good directory structure, but I don't manage 
our directory.  What approach do others use to search multiple basedns?

In case it would help, here are the relevant portions from my ldap module, which 
is currently working (I've removed most comments to make it concise):

ldap {
        server = xxx
        identity = "cn=ldapuser,ou=service accounts,dc=cphc,dc=local"
        password = xxx
        # This doesn't work without a specific OU. My users are in multiple OUs.
        basedn = "dc=cphc,dc=local"
        #basedn = "OU=CHA-Staff (No Folder Redir),DC=cphc,DC=local"
        filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"

        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1

        tls {
                start_tls = no
        }

        dictionary_mapping = ${confdir}/ldap.attrmap

        edir_account_policy_check = no

        groupname_attribute = cn
        groupmembership_filter = "(member=%{check:Ldap-UserDn})"
        groupmembership_attribute = member

        #compare_check_items = yes
        #do_xlat = yes
        access_attr_used_for_allow = yes
}

One thing that confuses me is that ldapsearch works fine using 
basedn="dc=cphc,dc=local".


And my error output:

[ldap] performing user authorization for jpjohnson
[ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for 
details
[ldap]  expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -> 
(sAMAccountName=jpjohnson)
[ldap]  expand: dc=cphc,dc=local -> dc=cphc,dc=local
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: closing existing LDAP connection
rlm_ldap: (re)connect to tch-nt2.cphc.local:389, authentication 0
rlm_ldap: bind as cn=ldapuser,ou=service accounts,dc=cphc,dc=local/xxx to 
tch-nt2.cphc.local:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=cphc,dc=local, with filter 
(sAMAccountName=jpjohnson)
rlm_ldap: ldap_search() failed: Operations error
[ldap] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns fail

-Jeff
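One way to cover several OUs with rlm_ldap 2.x, as an added example that is not from this post or from the list: define one ldap module instance per OU and chain them in unlang, falling through to the next instance on notfound. The instance names, the second OU, and the chase_referrals/rebind lines are assumptions (the two options are documented in the 2.x raddb/modules/ldap; check your version's file before relying on them).

```conf
# raddb/modules/ldap (FreeRADIUS 2.x): one instance per OU, same server.
# Instance names and the "OU=Students" container are assumed placeholders.
ldap ldap_staff {
        server = xxx
        identity = "cn=ldapuser,ou=service accounts,dc=cphc,dc=local"
        password = xxx
        basedn = "OU=CHA-Staff (No Folder Redir),DC=cphc,DC=local"
        # Non-deprecated form of the ":-" fallback the debug log warns about.
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
        # AD answers a search at the domain root with referrals; these two
        # options (assumed present in this 2.x build) control how rlm_ldap
        # follows them. Searching inside a single OU avoids the issue entirely.
        chase_referrals = yes
        rebind = yes
        dictionary_mapping = ${confdir}/ldap.attrmap
        groupname_attribute = cn
        groupmembership_filter = "(member=%{check:Ldap-UserDn})"
        groupmembership_attribute = member
}

ldap ldap_students {
        server = xxx
        identity = "cn=ldapuser,ou=service accounts,dc=cphc,dc=local"
        password = xxx
        basedn = "OU=Students,DC=cphc,DC=local"    # assumed second OU
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
        chase_referrals = yes
        rebind = yes
        dictionary_mapping = ${confdir}/ldap.attrmap
        groupname_attribute = cn
        groupmembership_filter = "(member=%{check:Ldap-UserDn})"
        groupmembership_attribute = member
}

# raddb/sites-enabled/default: try each OU in turn. "notfound" is the
# return code rlm_ldap gives when the filter matches no entry, so a user
# absent from the first OU is looked up in the second; "fail" (server or
# bind trouble, as in the posted log) stops the chain and should be fixed,
# not masked.
authorize {
        preprocess
        ldap_staff
        if (notfound) {
                ldap_students
        }
        pap
}
```

Run radiusd -X after the change and confirm that a user from each OU shows "performing search in" the expected container and that no instance returns fail.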

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html