Re: FR + LDAP + ADS - rlm_ldap: ldap_search() failed: Operations error [unclas]

Thank you for the suggestions / tips Frank. Here are the results from the command you gave me:

[EMAIL PROTECTED] ~]# ldapsearch -x -h 10.1.1.11 -D CN=admin,OU=People,DC=tfxschool,DC=internal -w pass -b o=tfxschool,c=AU 'objectclass=*'
# extended LDIF
#
# LDAPv3
# base o=tfxschool,c=AU with scope subtree
# filter: objectclass=*
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 20D6: SvcErr: DSID-031006CC, problem 5012 (DIR_ERROR), data 0

# numResponses: 1

I'm about to install unix services for windows on my 2003 server and run my search command again to see if it populates the fields in ldap some more (recommended from the Gentoo wiki's HOWTO Authenticate from Active Directory using OpenLDAP).

Also, it seems to me that freeradius is anonymously binding even though I have set these 2 lines under ldap {

identity = cn=admin,o=tfxschool,c=AU
password = pass

Here is the entry for admin, which I retrieved using this command:

ldapsearch -h 10.1.1.11 -x -b dc=tfxschool,dc=internal -x -LLL -s sub 'objectclass=*'

dn: CN=admin,OU=People,DC=tfxschool,DC=internal
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: admin
title: tfxschool
givenName: admin
distinguishedName: CN=admin,OU=People,DC=tfxschool,DC=internal
instanceType: 4
whenCreated: 20070426003712.0Z
whenChanged: 20070426014259.0Z
displayName: admin
uSNCreated: 82400
uSNChanged: 82415
department: tfxschool
company: tfxschool
name: admin
objectGUID:: Y5PXIUnZgEeBru7NxgIn3Q==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 128220214326562500
primaryGroupID: 513
objectSid:: AQUAAAUVKyI9FO9VW1CmlC13bwQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: admin
sAMAccountType: 805306368
userPrincipalName: [EMAIL PROTECTED]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=tfxschool,DC=internal

Thanks in advance, I appreciate the info very much.

On 4/26/07, Ranner, Frank MR [EMAIL PROTECTED] wrote:
> Are you sure that the uid attribute is even in Active Directory? Chances are the usernames are in the sAMAccountName attribute.
>
> Since you now seem to be able to bind, why not use the ldapsearch utility to show entries in the o=tfxschool,c=AU subtree.
>
> ldapsearch -x -h hostname -D cn=admin,o=tfxschool,c=AU -w pass -b o=tfxschool,c=AU 'objectclass=*'
>
> This will show you what attributes there are, and whether the password is readable.
>
> Regards,
> Frank Ranner

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FR + LDAP + ADS - rlm_ldap: ldap_search() failed: Operations error [unclas]

OK, I've set up SFU and indeed it has populated my ldap fields some more. I have enabled the user Jacob Jarick as a unix user, created a unix group, added myself to it, then reset my password so the unix password would be set.

Search command:

ldapsearch -h 10.1.1.11 -x -b dc=tfxschool,dc=internal -x -LLL -s sub 'objectclass=*'

Search output: http://rapidshare.com/files/28137503/unixldap.txt.html

The list of info from myself:

dn: CN=Jacob Jarick,OU=People,DC=tfxschool,DC=internal
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Jacob Jarick
sn: Jarick
givenName: Jacob
distinguishedName: CN=Jacob Jarick,OU=People,DC=tfxschool,DC=internal
instanceType: 4
whenCreated: 20070419064035.0Z
whenChanged: 20070427035457.0Z
displayName: Jacob Jarick
uSNCreated: 73945
memberOf: CN=unixgroup,OU=TFX School Users,DC=tfxschool,DC=internal
uSNChanged: 94233
name: Jacob Jarick
objectGUID:: +aiQmQK4HUS1E97VMF95aw==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 12822119697250
primaryGroupID: 513
userParameters:: bTogICAgICAgICAgICAgICAgICAgIGQJICAgICAgICAgICAgICAgICAgICAgICAg
objectSid:: AQUAAAUVKyI9FO9VW1CmlC13bQQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: jacob
sAMAccountType: 805306368
userPrincipalName: [EMAIL PROTECTED]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=tfxschool,DC=internal
msNPAllowDialin: TRUE
dSCorePropagationData: 20070419075901.0Z
dSCorePropagationData: 20070419075640.0Z
dSCorePropagationData: 16010101000417.0Z
lastLogonTimestamp: 128218581059375000
msSFU30Name: jacob
msSFU30NisDomain: tfxschool
msSFU30PosixMemberOf: CN=unixgroup,OU=TFX School Users,DC=tfxschool,DC=internal
msSFU30UidNumber: 1
msSFU30Password: FxatPL90rt0As
msSFU30GidNumber: 1
msSFU30HomeDirectory: /home/jacob
msSFU30LoginShell: /bin/sh

See, I now have a unix password field; how do I make freeradius check against that password hash, anyone?
FR + LDAP + ADS - rlm_ldap: ldap_search() failed: Operations error

radiusd.conf: radiusd -X -f: http://pastebin.ca/458790

Hello again,

I have configured the ldap module according to the rlm_ldap wiki (minus TLS, just trying one thing at a time). I have supplied:

identity = cn=admin,o=tfxschool,c=AU
password = pass

As I have been told, anonymous binding is not the way to go for confirming username/password.

From reading the error log it seems to me that freeradius does successfully connect to the ADS server via ldap but fails to find the user.

Output in question:

rlm_ldap: - authorize
rlm_ldap: performing user authorization for jacob
radius_xlat: '(uid=jacob)'
radius_xlat: 'o=tfxschool,c=AU'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to tfxschoolfs01.tfxschool.internal:389, authentication 0
rlm_ldap: bind as /pass to tfxschoolfs01.tfxschool.internal:389
rlm_ldap: waiting for bind result ...
request done: ld 0x8697ed0 msgid 1
rlm_ldap: Bind was successful
rlm_ldap: performing search in o=tfxschool,c=AU, with filter (uid=jacob)
request done: ld 0x8697ed0 msgid 2
rlm_ldap: ldap_search() failed: Operations error
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns fail for request 0
modcall: leaving group authorize (returns fail) for request 0
Finished request 0

The user Jacob auths fine via the ntlm_auth module but fails with my current ldap setup. Does the user admin need special privileges on the Windows 2003 ADS to search / retrieve user information (eg password, group etc)?
RE: FR + LDAP + ADS - rlm_ldap: ldap_search() failed: Operations error [unclas]

Are you sure that the uid attribute is even in Active Directory? Chances are the usernames are in the sAMAccountName attribute.

Since you now seem to be able to bind, why not use the ldapsearch utility to show entries in the o=tfxschool,c=AU subtree.

ldapsearch -x -h hostname -D cn=admin,o=tfxschool,c=AU -w pass -b o=tfxschool,c=AU 'objectclass=*'

This will show you what attributes there are, and whether the password is readable.

Regards,
Frank Ranner

-----Original Message-----
From: [EMAIL PROTECTED] eradius.org [mailto:freeradius-users- [EMAIL PROTECTED] On Behalf Of Jacob Jarick
Sent: Thursday, 26 April 2007 12:38
To: FreeRadius users mailing list
Subject: FR + LDAP + ADS - rlm_ldap: ldap_search() failed: Operations error

> radiusd.conf: radiusd -X -f: http://pastebin.ca/458790
>
> Hello again,
>
> I have configured the ldap module according to the rlm_ldap wiki (minus TLS, just trying one thing at a time). I have supplied:
>
> identity = cn=admin,o=tfxschool,c=AU
> password = pass
>
> As I have been told, anonymous binding is not the way to go for confirming username/password.
>
> From reading the error log it seems to me that freeradius does successfully connect to the ADS server via ldap but fails to find the user.
>
> Output in question:
>
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for jacob
> radius_xlat: '(uid=jacob)'
> radius_xlat: 'o=tfxschool,c=AU'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to tfxschoolfs01.tfxschool.internal:389, authentication 0
> rlm_ldap: bind as /pass to tfxschoolfs01.tfxschool.internal:389
> rlm_ldap: waiting for bind result ...
> request done: ld 0x8697ed0 msgid 1
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in o=tfxschool,c=AU, with filter (uid=jacob)
> request done: ld 0x8697ed0 msgid 2
> rlm_ldap: ldap_search() failed: Operations error
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module ldap returns fail for request 0
> modcall: leaving group authorize (returns fail) for request 0
> Finished request 0
>
> The user Jacob auths fine via the ntlm_auth module but fails with my current ldap setup. Does the user admin need special privileges on the Windows 2003 ADS to search / retrieve user information (eg password, group etc)?
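The three mismatches visible across this thread (an empty bind identity in "bind as /pass", a search base of o=tfxschool,c=AU that is not above the entries' DC=tfxschool,DC=internal DNs, and a uid filter against entries that only carry sAMAccountName) can be checked offline. This is an added example, not code from FreeRADIUS or from anyone in the thread; the debug lines and the LDIF entry are constructed from the output quoted above, and the finding names are assumptions of this example.

```python
import re
# Constructed from the radiusd -X lines quoted in this thread.
DEBUG_LOG = """\
rlm_ldap: bind as /pass to tfxschoolfs01.tfxschool.internal:389
rlm_ldap: Bind was successful
rlm_ldap: performing search in o=tfxschool,c=AU, with filter (uid=jacob)
rlm_ldap: ldap_search() failed: Operations error
"""

# Constructed from the LDIF of the admin entry posted above (trimmed).
LDIF_ENTRY = """\
dn: CN=admin,OU=People,DC=tfxschool,DC=internal
objectClass: user
cn: admin
objectGUID:: Y5PXIUnZgEeBru7NxgIn3Q==
sAMAccountName: admin
"""

def normalize_dn(dn):
    """Lower-case and strip spaces so DNs compare component by component."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldif(text):
    """Map lower-cased attribute names to their values ('::' marks base64)."""
    attrs = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.lstrip(":").strip())
    return attrs

def parse_debug(text):
    """Pull the bind identity, search base and filter attribute from rlm_ldap output."""
    bind = re.search(r"bind as (\S*)/\S* to \S+", text)
    search = re.search(r"performing search in (.+?), with filter \((\w+)=", text)
    return {"bind_dn": bind.group(1), "base_dn": search.group(1), "filter_attr": search.group(2)}

def diagnose(debug_text, ldif_text):
    """List the mismatches between what rlm_ldap asked for and what AD actually holds."""
    info, entry = parse_debug(debug_text), parse_ldif(ldif_text)
    entry_dn, base = normalize_dn(entry["dn"][0]), normalize_dn(info["base_dn"])
    findings = []
    if not info["bind_dn"]:                          # empty identity => anonymous bind
        findings.append("anonymous_bind")
    if not (entry_dn == base or entry_dn.endswith("," + base)):
        findings.append("base_dn_not_above_entry")  # the Operations error case in the thread
    if info["filter_attr"].lower() not in entry:     # uid absent here; sAMAccountName present
        findings.append("filter_attr_absent")
    return findings
```

Running diagnose(DEBUG_LOG, LDIF_ENTRY) reports all three findings for the quoted output; with the working base DN and Frank's sAMAccountName filter it reports none.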