Hi, everyone.
Forgive me, this is a bit of a rehash of an old subject. I am unable to
get authentication via LDAP to work correctly when I set the 'basedn' to
the top-level of our AD structure:
basedn = "dc=subdomain,dc=domain,dc=com"
--- radius -sx output ---
rad_recv: Access-Request packet from host nas-test.domain.com:2180,
id=51, length=72
User-Name = "username"
User-Password = "userpw"
Vendor-3076-Attr-32 = 0x00000009
NAS-IP-Address = 127.0.0.1
NAS-Port-Type = Virtual
rlm_ldap: - authenticate
rlm_ldap: login attempt by "username" with password "userpw"
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: (re)connect to msad-gc.subdomain.domain.com:389,
authentication 0
rlm_ldap: bind as identity/password to msad-gc.subdomain.domain.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: ldap_search() failed: Operations error
rlm_ldap: ldap_release_conn: Release Id: 0
Sending Access-Reject of id 51 to nas-test.domain.com:2180
--- /radius -sx output ---
Inside that sub, there is a series of OUs and DNs. If I set basedn to
point into one of those:
basedn = "ou=users,dc=subdomain,dc=domain,dc=com"
I am able to get authentication for any user account inside the 'users'
OU or inside any OU that is underneath the 'users' OU:
--- radius -sx output ---
rad_recv: Access-Request packet from host nas-test.domain.com:2180,
id=53, length=72
User-Name = "username"
User-Password = "userpw"
Vendor-3076-Attr-32 = 0x00000009
NAS-IP-Address = 127.0.0.1
NAS-Port-Type = Virtual
rlm_ldap: - authenticate
rlm_ldap: login attempt by "username" with password "userpw"
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: (re)connect to msad-gc.subdomain.domain.com:389,
authentication 0
rlm_ldap: bind as identity/password to msad-gc.subdomain.domain.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: user DN: CN=Name\,
User,OU=Testing,OU=users,DC=subdomain,DC=domain,DC=com
rlm_ldap: (re)connect to msad-gc.subdomain.domain.com:389,
authentication 1
rlm_ldap: bind as CN=Name\,
User,OU=Testing,OU=users,DC=subdomain,DC=domain,DC=com/userpw to
msad-gc.subdomain.domain.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user username authenticated succesfully
Sending Access-Accept of id 53 to nas-test.domain.com:2180
--- /radius -sx output ---
Anyone have any ideas on this? I'm not even sure where to start looking
on this...
Thanks,
Chris.
Christopher M. Kellogg, GCFW
Principle Network Administrator, DynCorp, A CSC Company
6500 West Freeway Suite 600, Fort Worth, TX
(817)570-1956 Ofc / (817)737-1638 Fax
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
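Added example, not code from the original post or from FreeRADIUS: a small RFC 4514-aware DN splitter that decides whether a resolved user DN actually lies under a configured basedn. The two basedn values from the post and the user DN from the second trace (which was wrapped across two lines there) are used as constructed test input. That DN contains an escaped comma ("CN=Name\, User"), which is exactly the case where a plain string suffix match on DNs is unreliable, so the script keeps a naive suffix check beside the parsed check and includes a constructed DN on which the two disagree. It does not diagnose the "Operations error" in the first trace, which the post leaves open; one widely documented cause of that error on a subtree search from the domain root of Active Directory is the server returning referrals to other naming contexts that the client cannot follow, but nothing in the traces confirms or rules that out.

```python
"""Check whether an LDAP user DN lies under a configured basedn.

Added example, not from the original post or from FreeRADIUS. DNs are split
on RFC 4514 rules so that an escaped comma inside a value (as in the
"CN=Name\\, User" DN of the second trace) does not break the check.
"""
import re

_HEX_PAIR = re.compile(r"^[0-9A-Fa-f]{2}$")


def split_rdns(dn):
    """Split a DN into its RDN strings, leaf first, honouring backslash escapes.

    "\\," becomes a literal comma inside the value and "\\2C"-style hex pairs
    are decoded, so the returned RDN strings hold unescaped values.
    """
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if _HEX_PAIR.match(pair):
                cur.append(chr(int(pair, 16)))
                i += 3
            else:
                cur.append(dn[i + 1])
                i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    return rdns


def normalize_rdn(rdn):
    """Return (type, value); type lower-cased, value trimmed and case-folded.

    AD matches the attribute types used in DNs case-insensitively, so this
    lets "DC=subdomain" in a returned DN match "dc=subdomain" in the config.
    """
    attr_type, _, value = rdn.partition("=")
    return attr_type.strip().lower(), value.strip().casefold()


def parse_dn(dn):
    return [normalize_rdn(r) for r in split_rdns(dn)]


def dn_is_under(dn, basedn):
    """True when the RDNs of basedn equal the trailing RDNs of dn."""
    d, b = parse_dn(dn), parse_dn(basedn)
    if len(b) > len(d):
        return False
    return d[len(d) - len(b):] == b


def naive_is_under(dn, basedn):
    """Raw suffix match; kept only to show where it differs from parsing."""
    return dn.lower().endswith("," + basedn.lower())


# Constructed from the post: the user DN the second run resolved and the two
# basedn settings that were tried.
USER_DN = r"CN=Name\, User,OU=Testing,OU=users,DC=subdomain,DC=domain,DC=com"
ROOT_BASEDN = "dc=subdomain,dc=domain,dc=com"
USERS_BASEDN = "ou=users,dc=subdomain,dc=domain,dc=com"

# Constructed, hypothetical DN: an OU whose name itself contains an escaped
# comma. The naive suffix check places it under the users OU; the parsed
# check correctly does not.
SPOOFED_DN = r"CN=Name,OU=Testing\,OU=users,DC=subdomain,DC=domain,DC=com"

if __name__ == "__main__":
    print(split_rdns(USER_DN))
    for base in (ROOT_BASEDN, USERS_BASEDN):
        print(base, dn_is_under(USER_DN, base))
    print("naive:", naive_is_under(SPOOFED_DN, USERS_BASEDN),
          "parsed:", dn_is_under(SPOOFED_DN, USERS_BASEDN))
```

The point of the comparison is that a scoping decision ("only accounts under ou=users may authenticate") should be made on parsed RDNs, not on the raw DN string, because attribute values may legitimately contain commas.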