Re: FR + LDAP + ADS - rlm_ldap: ldap_search() failed: Operations error [unclas]

2007-04-26 Thread Jacob Jarick
Thank you for the suggestions / tips, Frank.

Here are the results from the command you gave me:
[EMAIL PROTECTED] ~]# ldapsearch -x -h 10.1.1.11 -D
CN=admin,OU=People,DC=tfxschool,DC=internal -w pass -b
o=tfxschool,c=AU 'objectclass=*'

# extended LDIF
#
# LDAPv3
# base o=tfxschool,c=AU with scope subtree
# filter: objectclass=*
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 20D6: SvcErr: DSID-031006CC, problem 5012 (DIR_ERROR), data 0

# numResponses: 1



I'm about to install unix services for windows on my 2003 server and
run my search command again to see if it populates the fields in ldap
some more (recommended from the gentoo wiki's HOWTO Authenticate
from Active Directory using OpenLDAP).

Also, it seems to me that freeradius is anonymously binding even
though I have set these 2 lines under ldap {
identity = cn=admin,o=tfxschool,c=AU
password = pass

Here is the entry for admin, which I retrieved using this command:
ldapsearch -h 10.1.1.11 -x -b dc=tfxschool,dc=internal -x -LLL -s
sub 'objectclass=*'

dn: CN=admin,OU=People,DC=tfxschool,DC=internal
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: admin
title: tfxschool
givenName: admin
distinguishedName: CN=admin,OU=People,DC=tfxschool,DC=internal
instanceType: 4
whenCreated: 20070426003712.0Z
whenChanged: 20070426014259.0Z
displayName: admin
uSNCreated: 82400
uSNChanged: 82415
department: tfxschool
company: tfxschool
name: admin
objectGUID:: Y5PXIUnZgEeBru7NxgIn3Q==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 128220214326562500
primaryGroupID: 513
objectSid:: AQUAAAUVKyI9FO9VW1CmlC13bwQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: admin
sAMAccountType: 805306368
userPrincipalName: [EMAIL PROTECTED]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=tfxschool,DC=internal


Thanks in advance, I appreciate the info very much.

On 4/26/07, Ranner, Frank MR [EMAIL PROTECTED] wrote:
 Are you sure that the uid attribute is even in Active Directory? Chances
 are the usernames are in the sAMAccountName attribute. Since you now seem
 to be able to bind, why not use the ldapsearch utility to show entries in
 the o=tfxschool,c=AU subtree.

   ldapsearch -x -h hostname -D  cn=admin,o=tfxschool,c=AU -w pass -b
 o=tfxschool,c=AU 'objectclass=*'

 This will show you what attributes there are, and whether the password
 is readable.

 Regards,
 Frank Ranner

  -Original Message-
  From:
  [EMAIL PROTECTED]
 eradius.org [mailto:freeradius-users-
 [EMAIL PROTECTED] On
  Behalf Of Jacob Jarick
  Sent: Thursday, 26 April 2007 12:38
  To: FreeRadius users mailing list
  Subject: FR + LDAP + ADS - rlm_ldap: ldap_search() failed:
  Operations error
 
  radiusd.conf:
  radiusd -X -f: http://pastebin.ca/458790
 
  Hello again,
  I have configured the ldap module according to the rlm_ldap
  wiki (minus TLS, just trying one thing at a time). I have supplied:
  identity = cn=admin,o=tfxschool,c=AU
  password = pass
 
  As I have been told anonymous binding is not the way to go
  for confirming username/password.
 
  From reading the error log it seems to me that freeradius does
  successfully connect to the ADS server via ldap but fails to
  find the user.
 
  output in question:
 
  rlm_ldap: - authorize
  rlm_ldap: performing user authorization for jacob
  radius_xlat:  '(uid=jacob)'
  radius_xlat:  'o=tfxschool,c=AU'
  rlm_ldap: ldap_get_conn: Checking Id: 0
  rlm_ldap: ldap_get_conn: Got Id: 0
  rlm_ldap: attempting LDAP reconnection
  rlm_ldap: (re)connect to
  tfxschoolfs01.tfxschool.internal:389, authentication 0
  rlm_ldap: bind as /pass to tfxschoolfs01.tfxschool.internal:389
  rlm_ldap: waiting for bind result ...
  request done: ld 0x8697ed0 msgid 1
  rlm_ldap: Bind was successful
  rlm_ldap: performing search in o=tfxschool,c=AU, with filter
  (uid=jacob) request done: ld 0x8697ed0 msgid 2
  rlm_ldap: ldap_search() failed: Operations error
  rlm_ldap: search failed
  rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns fail for request 0
  modcall: leaving group authorize (returns fail) for request 0
  Finished request 0 .
  The user Jacob auth's fine via the ntlm_auth module but fails
  with my current ldap setup.
  Does the user admin need special privileges on the Windows
  2003 ADS to search / retrieve user information (eg password,
  group etc)?
 


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FR + LDAP + ADS - rlm_ldap: ldap_search() failed: Operations error [unclas]

2007-04-26 Thread Jacob Jarick


Re: FR + LDAP + ADS - rlm_ldap: ldap_search() failed: Operations error [unclas]

2007-04-26 Thread Jacob Jarick
OK, I've set up SFU and indeed it has populated my ldap fields some more.

I have enabled the user Jacob Jarick as a unix user, created a unix
group, added myself to it, then reset my password so the unix password
would be set.

Search command:
ldapsearch -h 10.1.1.11 -x -b dc=tfxschool,dc=internal -x -LLL -s
sub 'objectclass=*'

Search Output: http://rapidshare.com/files/28137503/unixldap.txt.html

The list of info from myself:

dn: CN=Jacob Jarick,OU=People,DC=tfxschool,DC=internal
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Jacob Jarick
sn: Jarick
givenName: Jacob
distinguishedName: CN=Jacob Jarick,OU=People,DC=tfxschool,DC=internal
instanceType: 4
whenCreated: 20070419064035.0Z
whenChanged: 20070427035457.0Z
displayName: Jacob Jarick
uSNCreated: 73945
memberOf: CN=unixgroup,OU=TFX School Users,DC=tfxschool,DC=internal
uSNChanged: 94233
name: Jacob Jarick
objectGUID:: +aiQmQK4HUS1E97VMF95aw==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 12822119697250
primaryGroupID: 513
userParameters:: bTogICAgICAgICAgICAgICAgICAgIGQJICAgICAgICAgICAgICAgICAgICAgI
 CAg
objectSid:: AQUAAAUVKyI9FO9VW1CmlC13bQQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: jacob
sAMAccountType: 805306368
userPrincipalName: [EMAIL PROTECTED]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=tfxschool,DC=internal
msNPAllowDialin: TRUE
dSCorePropagationData: 20070419075901.0Z
dSCorePropagationData: 20070419075640.0Z
dSCorePropagationData: 16010101000417.0Z
lastLogonTimestamp: 128218581059375000
msSFU30Name: jacob
msSFU30NisDomain: tfxschool
msSFU30PosixMemberOf: CN=unixgroup,OU=TFX School Users,DC=tfxschool,DC=interna
 l
msSFU30UidNumber: 1
msSFU30Password: FxatPL90rt0As
msSFU30GidNumber: 1
msSFU30HomeDirectory: /home/jacob
msSFU30LoginShell: /bin/sh

-

See, I now have a unix password field; how do I make freeradius check
against that password hash, anyone?


FR + LDAP + ADS - rlm_ldap: ldap_search() failed: Operations error

2007-04-25 Thread Jacob Jarick
radiusd.conf:
radiusd -X -f: http://pastebin.ca/458790

Hello again,
I have configured the ldap module according to the rlm_ldap wiki
(minus TLS, just trying one thing at a time). I have supplied:
identity = cn=admin,o=tfxschool,c=AU
password = pass

As I have been told anonymous binding is not the way to go for
confirming username/password.

From reading the error log it seems to me that freeradius does
successfully connect to the ADS server via ldap but fails to find the
user.

output in question:

rlm_ldap: - authorize
rlm_ldap: performing user authorization for jacob
radius_xlat:  '(uid=jacob)'
radius_xlat:  'o=tfxschool,c=AU'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to tfxschoolfs01.tfxschool.internal:389, authentication 0
rlm_ldap: bind as /pass to tfxschoolfs01.tfxschool.internal:389
rlm_ldap: waiting for bind result ...
request done: ld 0x8697ed0 msgid 1
rlm_ldap: Bind was successful
rlm_ldap: performing search in o=tfxschool,c=AU, with filter (uid=jacob)
request done: ld 0x8697ed0 msgid 2
rlm_ldap: ldap_search() failed: Operations error
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns fail for request 0
modcall: leaving group authorize (returns fail) for request 0
Finished request 0
.
The user Jacob auth's fine via the ntlm_auth module but fails with my
current ldap setup.
Does the user admin need special privileges on the Windows 2003 ADS to
search / retrieve user information (eg password, group etc)?


RE: FR + LDAP + ADS - rlm_ldap: ldap_search() failed: Operations error [unclas]

2007-04-25 Thread Ranner, Frank MR
Are you sure that the uid attribute is even in Active Directory? Chances
are the usernames are in the sAMAccountName attribute. Since you now seem
to be able to bind, why not use the ldapsearch utility to show entries in
the o=tfxschool,c=AU subtree.

  ldapsearch -x -h hostname -D  cn=admin,o=tfxschool,c=AU -w pass -b
o=tfxschool,c=AU 'objectclass=*'

This will show you what attributes there are, and whether the password
is readable. 

Regards,
Frank Ranner

 -Original Message-
 From: 
 [EMAIL PROTECTED]
eradius.org [mailto:freeradius-users-
[EMAIL PROTECTED] On 
 Behalf Of Jacob Jarick
 Sent: Thursday, 26 April 2007 12:38
 To: FreeRadius users mailing list
 Subject: FR + LDAP + ADS - rlm_ldap: ldap_search() failed: 
 Operations error
 
 radiusd.conf:
 radiusd -X -f: http://pastebin.ca/458790
 
 Hello again,
 I have configured the ldap module according to the rlm_ldap 
 wiki (minus TLS, just trying one thing at a time). I have supplied:
 identity = cn=admin,o=tfxschool,c=AU
 password = pass
 
 As I have been told anonymous binding is not the way to go 
 for confirming username/password.
 
 From reading the error log it seems to me that freeradius does
 successfully connect to the ADS server via ldap but fails to
 find the user.
 
 output in question:
 
 rlm_ldap: - authorize
 rlm_ldap: performing user authorization for jacob
 radius_xlat:  '(uid=jacob)'
 radius_xlat:  'o=tfxschool,c=AU'
 rlm_ldap: ldap_get_conn: Checking Id: 0
 rlm_ldap: ldap_get_conn: Got Id: 0
 rlm_ldap: attempting LDAP reconnection
 rlm_ldap: (re)connect to 
 tfxschoolfs01.tfxschool.internal:389, authentication 0
 rlm_ldap: bind as /pass to tfxschoolfs01.tfxschool.internal:389
 rlm_ldap: waiting for bind result ...
 request done: ld 0x8697ed0 msgid 1
 rlm_ldap: Bind was successful
 rlm_ldap: performing search in o=tfxschool,c=AU, with filter 
 (uid=jacob) request done: ld 0x8697ed0 msgid 2
 rlm_ldap: ldap_search() failed: Operations error
 rlm_ldap: search failed
 rlm_ldap: ldap_release_conn: Release Id: 0
 modcall[authorize]: module ldap returns fail for request 0
 modcall: leaving group authorize (returns fail) for request 0 
 Finished request 0 .
 The user Jacob auth's fine via the ntlm_auth module but fails 
 with my current ldap setup.
 Does the user admin need special privileges on the Windows
 2003 ADS to search / retrieve user information (eg password,
 group etc)?
 

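Frank's advice (check with ldapsearch which attributes the entries actually carry and whether a password is readable) and Jacob's "Operations error" when searching o=tfxschool,c=AU while every returned DN lives under DC=tfxschool,DC=internal can both be checked offline against the ldapsearch dump. The script below is an added example, not code from the thread or from FreeRADIUS: it parses a constructed, trimmed copy of the LDIF posted above (the hash value is a placeholder, not the one from the post) and reports whether a configured basedn matches any naming context present, how many entries carry the filter attribute, and which password-hash attributes the bind account can read.

```python
# Constructed sample: a trimmed copy of the two entries posted in the thread
# (the hash value is a placeholder, not the one from the post).
SAMPLE_LDIF = """\
dn: CN=admin,OU=People,DC=tfxschool,DC=internal
sAMAccountName: admin

dn: CN=Jacob Jarick,OU=People,DC=tfxschool,DC=internal
sAMAccountName: jacob
msSFU30PosixMemberOf: CN=unixgroup,OU=TFX School Users,DC=tfxschool,DC=interna
 l
msSFU30Password: PLACEHOLDER_CRYPT_HASH
"""
# Attributes whose readability to the bind account means hashes are exposed.
PASSWORD_ATTRS = {"userpassword", "unixuserpassword", "mssfu30password"}

def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines into entry dicts."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:                  # trailing "" flushes last entry
        if not line:
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.lower(), []).append(value.strip())
    return entries

def dn_rdns(dn):
    # Assumes no escaped commas in RDN values (true for the entries above).
    return [rdn.strip().lower() for rdn in dn.split(",")]

def diagnose(ldif, basedn, filter_attr):
    entries = parse_ldif(ldif)
    want = dn_rdns(basedn)
    return {
        # basedn must be a suffix of real DNs; o=...,c=AU never is in this AD.
        "base_exists": any(dn_rdns(e["dn"][0])[-len(want):] == want for e in entries),
        "filter_attr_hits": sum(filter_attr.lower() in e for e in entries),
        "readable_password_attrs": sorted(
            {a for e in entries for a in e if a in PASSWORD_ATTRS}),
    }
```

Running `diagnose(SAMPLE_LDIF, "o=tfxschool,c=AU", "uid")` reproduces the thread's situation (base absent, no uid, a readable hash attribute), while `diagnose(SAMPLE_LDIF, "dc=tfxschool,dc=internal", "sAMAccountName")` shows the base and attribute a search against this directory would actually need.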