See the message thread "question on ldap_escape_func in rlm_ldap.c (author: Kostas Kalevras)" on Dec 7 for more discussion.

On Wed, 21 Dec 2005, Brian A. Seklecki wrote:


Try to escape the "/" with "\". I doubt it...but...you've got some non-standard characters in there.

~BAS

On Mon, 5 Dec 2005, Norbert Wegener wrote:

When I set my vars to the values below, ldapsearch succeeds:
server="TDE002.mydomain.NET"
identity="[EMAIL PROTECTED]"
password="!QAY2wsx3edc4"
basedn="dc=TDE002,dc=mydomain,dc=NET"
filter="(&(servicePrincipalName=host/26tef001.tde002.mydomain.net)(objectclass=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) servicePrincipalName primaryGroupID "

#ldapsearch -LLL -b "DC=TDE002,dc=mydomain,dc=NET" -s sub $FILTER -x $LOGON
ldapsearch -LLL -h $server -b "$basedn" -s sub $filter -x -D $identity -w $password

lnxad:/usr/local/etc/raddb # sh x
dn: CN=26TEF001,OU=CAT-Computers,OU=OU16,OU=MchP,DC=tde002,DC=mydomain,DC=net
primaryGroupID: 515
servicePrincipalName: HOST/26TEF001
servicePrincipalName: HOST/26tef001.tde002.mydomain.net

# refldap://DomainDnsZones.tde002.mydomain.net/DC=DomainDnsZones,DC=tde002,DC=sitest,DC=net

Having the same variables with the same values set on the same machine in radiusd.conf:

      ldap ldap1 {
              server = "tde002.mydomain.net"
              identity = "[EMAIL PROTECTED]"
              password = "!QAY2wsx3edc4"
              basedn = "dc=TDE002,dc=SITEST,dc=NET"
              filter = "(&(servicePrincipalName=host/26tef001.tde002.mydomain.net)(objectclass=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) servicePrincipalName primaryGroupID"
              ldap_debug=0xFFFF

              base_filter = "(objectclass=computer)"
              ldap_connections_number = 5
              timeout = 40
              timelimit = 30
              net_timeout = 10
              tls {
                      start_tls = no
              }
              dictionary_mapping = ${raddbdir}/ldap.attrmap
      }
radiusd fails to get the values from the ldap server, claiming "Bad search filter":
.....
rlm_ldap: performing user authorization for host/26tef001.tde002.mydomain.net
radius_xlat: '(&(servicePrincipalName=host/26tef001.tde002.mydomain.net)(objectclass=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) servicePrincipalName primaryGroupID'
radius_xlat:  'dc=TDE002,dc=MYDOMAIN,dc=NET'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=TDE002,dc=MYDOMAIN,dc=NET, with filter (&(servicePrincipalName=host/26tef001.tde002.mydomain.net)(objectclass=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) servicePrincipalName primaryGroupID
ldap_search
put_filter: "(&(servicePrincipalName=host/26tef001.tde002.mydomain.net)(objectclass=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) servicePrincipalName primaryGroupID"
put_filter: AND
put_filter_list "(servicePrincipalName=host/26tef001.tde002.mydomain.net)(objectclass=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
put_filter: "(servicePrincipalName=host/26tef001.tde002.mydomain.net)"
put_filter: simple
put_simple_filter: "servicePrincipalName=host/26tef001.tde002.mydomain.net"
put_filter: "(objectclass=computer)"
put_filter: simple
put_simple_filter: "objectclass=computer"
put_filter: "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
put_filter: NOT
put_filter_list "(userAccountControl:1.2.840.113556.1.4.803:=2)"
put_filter: "(userAccountControl:1.2.840.113556.1.4.803:=2)"
put_filter: simple
put_simple_filter: "userAccountControl:1.2.840.113556.1.4.803:=2"
put_filter: default
put_simple_filter: "servicePrincipalName primaryGroupID"
rlm_ldap: ldap_search() failed: Bad search filter: (&(servicePrincipalName=host/26tef001.tde002.mydomain.net)(objectclass=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) servicePrincipalName primaryGroupID
ldap_msgfree
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap1" returns fail for request 2
modcall: leaving group authorize (returns fail) for request 2
There was no response configured: rejecting request 2
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 206 with timestamp 43942d52
Sending Access-Reject of id 207 to 222.25.36.124 port 1645

What did I forget to obey?
Thanks
Norbert Wegener






- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


l8*
        -lava

x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8


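The debug trace above shows where the two tools diverge: ldapsearch takes the words after the filter as its attribute list, while rlm_ldap hands the whole configured string to ldap_search(), whose parser reaches "servicePrincipalName primaryGroupID" (put_filter: default / put_simple_filter) and rejects it. The following is an added example, not code from this thread or from FreeRADIUS: a small RFC 4515-style filter checker that reports the same kind of trailing-text error and separates an ldapsearch-style "filter attr attr" string into its filter and attribute list. The grammar it accepts is a simplified approximation of RFC 4515 (and/or/not plus simple, approximate, ordering and extensible-match items), and the sample input is the filter value as posted in the radiusd.conf above.

```python
"""Added example (not part of the thread or of FreeRADIUS): check whether a
string is one complete LDAP search filter, and explain why a filter with the
ldapsearch attribute list glued on is rejected as a "Bad search filter"."""
import re

# Constructed sample input: the filter value as it appears in the posted
# radiusd.conf, including the attribute list that belongs to ldapsearch only.
POSTED_FILTER = (
    "(&(servicePrincipalName=host/26tef001.tde002.mydomain.net)"
    "(objectclass=computer)"
    "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
    " servicePrincipalName primaryGroupID"
)

# Simplified filter item: attr=value, attr~=value, attr>=value, attr<=value,
# presence (attr=*) and extensible match (attr:rule:=value). The attribute
# part may contain ':' so that "attr:oid:=value" is accepted as one item.
_ITEM = re.compile(r"^[^()=~<>]+(?:=|~=|>=|<=)[^()]*$")


class FilterError(ValueError):
    """Raised with an offset and a snippet of the offending text."""


def _parse(s, i):
    """Parse one parenthesised filter starting at s[i]; return index after ')'."""
    if s[i:i + 1] != "(":
        raise FilterError(f"expected '(' at offset {i}: {s[i:i + 40]!r}")
    i += 1
    if s[i:i + 1] in ("&", "|"):              # AND / OR: one or more sub-filters
        op = s[i]
        i += 1
        if s[i:i + 1] != "(":
            raise FilterError(f"'{op}' needs at least one sub-filter at offset {i}")
        while s[i:i + 1] == "(":
            i = _parse(s, i)
    elif s[i:i + 1] == "!":                   # NOT: exactly one sub-filter
        i = _parse(s, i + 1)
    else:                                     # simple item up to the closing ')'
        end = s.find(")", i)
        if end < 0:
            raise FilterError(f"unterminated item at offset {i}")
        item = s[i:end]
        if not _ITEM.match(item):
            raise FilterError(f"bad filter item {item!r} at offset {i}")
        i = end
    if s[i:i + 1] != ")":
        raise FilterError(f"expected ')' at offset {i}: {s[i:i + 40]!r}")
    return i + 1


def validate_filter(s):
    """Return True if s is exactly one complete filter with nothing after it."""
    end = _parse(s, 0)
    if end != len(s):
        raise FilterError(f"trailing text after filter at offset {end}: {s[end:]!r}")
    return True


def filter_error(s):
    """Return the error message for s, or None when s is a valid filter."""
    try:
        validate_filter(s)
    except FilterError as e:
        return str(e)
    return None


def split_ldapsearch_args(s):
    """Split an ldapsearch-style 'filter attr attr ...' string into
    (filter, [attributes]). ldapsearch treats the words after the filter as
    the attribute list; rlm_ldap passes the whole string as the filter."""
    end = _parse(s, 0)
    return s[:end], s[end:].split()


if __name__ == "__main__":
    print("as configured:", filter_error(POSTED_FILTER))
    filt, attrs = split_ldapsearch_args(POSTED_FILTER)
    print("filter only :", filter_error(filt) or "ok")
    print("attributes  :", attrs)
```

Running it on the posted value reports the trailing " servicePrincipalName primaryGroupID" as the problem; the filter part alone validates, and the two words are what ldapsearch was receiving as its attribute list.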
