1) Authentication against two different AD forests (two different realms) using 4 domain controllers (2 per realm). I've tried getting FreeRADIUS to authenticate using the LDAP module but after a short while I gave up and instead configured PAM support and the libpam-ldap module. Does anyone know of an AD+FreeRADIUS-specific mini-howto?

<snip>

  I suggest finding out WHY AD doesn't work in your situation.  Debug
logs and configuration file pieces would help.

Here's an interesting problem. I got ldap authentication working but ONLY as long as I have ldap_debug = 0xFFFF. Configuration as follows:


ldap {
	server = ad-dc.domain.com
	ldap_debug = 0xFFFF
	identity = "cn=ldapQuery,dc=domain,dc=com"
	password = yep
	basedn = "dc=domain,dc=com"
	filter = "(sAMAccountName=%u)"
	dictionary_mapping = ${raddbdir}/ldap.attrmap
	ldap_connections_number = 5
	groupname_attribute = cn
	groupmembership_filter = "(&(objectClass=Group)(member=%{Ldap-UserDn}))"
	timeout = 4
	timelimit = 3
	net_timeout = 1
}


And in users:

DEFAULT Auth-Type := LDAP

This config works, but as soon as I remove ldap_debug = 0xFFFF or change the value to, for example, 0x0028, things go mad with the following debug (-X) information:

rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect ad-dc.domain.com:389, authentication 0
rlm_ldap: bind as cn=ldapQuery,dc=domain,dc=com/yep to ad-dc.domain.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=domain,dc=com, with filter (sAMAccountName=user)
rlm_ldap: ldap_search() failed: Operations error
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authenticate]: module "ldap" returns fail for request 0


Now, this seemed a bit odd, so I tried the same config using another AD forest and it of course works no matter what ldap_debug setting I had. The difference is that the one it worked with is a Win2k AD and the one it doesn't work with is a Win2003 AD. The log on the 2003 domain controller shows a successful LDAP bind but nothing more. Has anyone seen this before?


Magnus

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
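An added diagnostic (not Magnus's config and not FreeRADIUS code) that repeats rlm_ldap's bind-then-search from the post with python-ldap, once chasing referrals and once not: a subtree search under the domain base on a 2003 DC returns referrals to its other partitions, and a client that follows them rebinds anonymously, which the DC refuses with an Operations error, so comparing the two runs shows whether the failure is referral-dependent. The page does not confirm that this is Magnus's case; the script assumes python-ldap is installed and that the placeholder password is replaced.

```python
import sys

# Constructed placeholders: server, bind DN and base DN mirror the post's config.
SERVER = "ad-dc.domain.com"
BIND_DN = "cn=ldapQuery,dc=domain,dc=com"
BIND_PW = "<replace-with-service-account-password>"
BASE_DN = "dc=domain,dc=com"

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def build_filter(username):
    """The same filter rlm_ldap expands in the post, with the username escaped."""
    return "(sAMAccountName=%s)" % escape_filter_value(username)

def probe(username, chase_referrals, server=SERVER, bind_dn=BIND_DN,
          password=BIND_PW, base_dn=BASE_DN):
    """Bind, then search, the way rlm_ldap does; returns (status, detail)."""
    import ldap  # python-ldap; imported lazily so the pure helpers need no network lib
    conn = ldap.initialize("ldap://%s:389" % server)
    conn.protocol_version = ldap.VERSION3
    conn.set_option(ldap.OPT_REFERRALS, 1 if chase_referrals else 0)
    conn.set_option(ldap.OPT_NETWORK_TIMEOUT, 4)  # matches timeout = 4 in the post
    try:
        conn.simple_bind_s(bind_dn, password)
        hits = conn.search_s(base_dn, ldap.SCOPE_SUBTREE, build_filter(username),
                             ["distinguishedName"])
        # With referral chasing off, AD's partition referrals arrive as (None, [...]) entries.
        return "ok", [dn for dn, _ in hits if dn is not None]
    except ldap.OPERATIONS_ERROR as e:
        return "operations_error", str(e)
    except ldap.LDAPError as e:
        return "ldap_error", str(e)
    finally:
        conn.unbind_s()

def diagnose(with_chase, without_chase):
    """Compare the two runs: fails only when referrals are chased, always, or never."""
    if with_chase[0] == "operations_error" and without_chase[0] == "ok":
        return "referral-dependent"
    if with_chase[0] == "ok" and without_chase[0] == "ok":
        return "no failure"
    return "not referral-dependent"

if __name__ == "__main__":
    user = sys.argv[1] if len(sys.argv) > 1 else "user"
    both = (probe(user, True), probe(user, False))
    print(both, "->", diagnose(*both))
```

A "referral-dependent" result points at the client's referral handling rather than at the bind account's rights or the base DN.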
