Re: FR + LDAP + ADS - rlm_ldap: ldap_search() failed: Operations error [unclas]
Thank you for the suggestions / tips, Frank. Here are the results from the command you gave me:

  [EMAIL PROTECTED] ~]# ldapsearch -x -h 10.1.1.11 -D CN=admin,OU=People,DC=tfxschool,DC=internal -w pass -b o=tfxschool,c=AU 'objectclass=*'
  # extended LDIF
  #
  # LDAPv3
  # base o=tfxschool,c=AU with scope subtree
  # filter: objectclass=*
  # requesting: ALL
  #

  # search result
  search: 2
  result: 1 Operations error
  text: 20D6: SvcErr: DSID-031006CC, problem 5012 (DIR_ERROR), data 0

  # numResponses: 1

I'm about to install Unix Services for Windows on my 2003 server and run my search command again to see if it populates the fields in LDAP some more (recommended by the Gentoo wiki's HOWTO "Authenticate from Active Directory using OpenLDAP").

Also, it seems to me that freeradius is anonymously binding even though I have set these 2 lines under ldap {

  identity = cn=admin,o=tfxschool,c=AU
  password = pass

Here is the entry for admin, which I retrieved using this command:

  ldapsearch -h 10.1.1.11 -x -b dc=tfxschool,dc=internal -x -LLL -s sub 'objectclass=*'

  dn: CN=admin,OU=People,DC=tfxschool,DC=internal
  objectClass: top
  objectClass: person
  objectClass: organizationalPerson
  objectClass: user
  cn: admin
  title: tfxschool
  givenName: admin
  distinguishedName: CN=admin,OU=People,DC=tfxschool,DC=internal
  instanceType: 4
  whenCreated: 20070426003712.0Z
  whenChanged: 20070426014259.0Z
  displayName: admin
  uSNCreated: 82400
  uSNChanged: 82415
  department: tfxschool
  company: tfxschool
  name: admin
  objectGUID:: Y5PXIUnZgEeBru7NxgIn3Q==
  userAccountControl: 66048
  badPwdCount: 0
  codePage: 0
  countryCode: 0
  badPasswordTime: 0
  lastLogoff: 0
  lastLogon: 0
  pwdLastSet: 128220214326562500
  primaryGroupID: 513
  objectSid:: AQUAAAUVKyI9FO9VW1CmlC13bwQAAA==
  accountExpires: 9223372036854775807
  logonCount: 0
  sAMAccountName: admin
  sAMAccountType: 805306368
  userPrincipalName: [EMAIL PROTECTED]
  objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=tfxschool,DC=internal

Thanks in advance, I appreciate the info very much.
On 4/26/07, Ranner, Frank MR [EMAIL PROTECTED] wrote:
> Are you sure that the uid attribute is even in Active Directory? Chances are the usernames are in the sAMAccountName attribute.
>
> Since you now seem to be able to bind, why not use the ldapsearch utility to show entries in the o=tfxschool,c=AU subtree:
>
>   ldapsearch -x -h hostname -D cn=admin,o=tfxschool,c=AU -w pass -b o=tfxschool,c=AU 'objectclass=*'
>
> This will show you what attributes there are, and whether the password is readable.
>
> Regards,
> Frank Ranner
>
> -----Original Message-----
> From: [EMAIL PROTECTED] eradius.org [mailto:freeradius-users- [EMAIL PROTECTED] On Behalf Of Jacob Jarick
> Sent: Thursday, 26 April 2007 12:38
> To: FreeRadius users mailing list
> Subject: FR + LDAP + ADS - rlm_ldap: ldap_search() failed: Operations error
>
> radiusd.conf: radiusd -X -f: http://pastebin.ca/458790
>
> Hello again, I have configured the ldap module according to the rlm_ldap wiki (minus TLS, just trying one thing at a time). I have supplied:
>
>   identity = cn=admin,o=tfxschool,c=AU
>   password = pass
>
> as I have been told anonymous binding is not the way to go for confirming username/password.
>
> From reading the error log it seems to me that freeradius does successfully connect to the ADS server via ldap but fails to find the user. Output in question:
>
>   rlm_ldap: - authorize
>   rlm_ldap: performing user authorization for jacob
>   radius_xlat: '(uid=jacob)'
>   radius_xlat: 'o=tfxschool,c=AU'
>   rlm_ldap: ldap_get_conn: Checking Id: 0
>   rlm_ldap: ldap_get_conn: Got Id: 0
>   rlm_ldap: attempting LDAP reconnection
>   rlm_ldap: (re)connect to tfxschoolfs01.tfxschool.internal:389, authentication 0
>   rlm_ldap: bind as /pass to tfxschoolfs01.tfxschool.internal:389
>   rlm_ldap: waiting for bind result ...
>   request done: ld 0x8697ed0 msgid 1
>   rlm_ldap: Bind was successful
>   rlm_ldap: performing search in o=tfxschool,c=AU, with filter (uid=jacob)
>   request done: ld 0x8697ed0 msgid 2
>   rlm_ldap: ldap_search() failed: Operations error
>   rlm_ldap: search failed
>   rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module ldap returns fail for request 0
>   modcall: leaving group authorize (returns fail) for request 0
>   Finished request 0.
>
> The user Jacob auths fine via the ntlm_auth module but fails with my current ldap setup. Does the user admin need special privileges on the Windows 2003 ADS to search / retrieve user information (eg password, group etc)?

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FR + LDAP + ADS - rlm_ldap: ldap_search() failed: Operations error [unclas]
OK, some more progress: found 1 setting that rejected any user if they did not have the dialup access attribute, which I have commented out. Now I get the following results when using the radping program. It looks to me like it searches fine:

  rlm_ldap: user jacob authorized to use remote access

but I'm guessing because there is no password field it returns 0 and moves on. I am about to install Unix Services for Windows and inspect the new fields (if any). If anyone knows what is involved in populating the ADS 2003 LDAP fields with user password / hashes please let me know.

  rad_recv: Access-Request packet from host 10.1.1.11:3470, id=8, length=45
          User-Name = jacob
          User-Password = \330\3338\220\201\273J\246fU\270\354xC{\212
  Processing the authorize section of radiusd.conf
  modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  rlm_ldap: - authorize
  rlm_ldap: performing user authorization for jacob
  radius_xlat: '(sAMAccountName=jacob)'
  radius_xlat: 'dc=tfxschool,dc=internal'
  rlm_ldap: ldap_get_conn: Checking Id: 0
  rlm_ldap: ldap_get_conn: Got Id: 0
  rlm_ldap: attempting LDAP reconnection
  rlm_ldap: (re)connect to tfxschoolfs01.tfxschool.internal:3268, authentication 0
  rlm_ldap: bind as / to tfxschoolfs01.tfxschool.internal:3268
  rlm_ldap: waiting for bind result ...
  rlm_ldap: Bind was successful
  rlm_ldap: performing search in dc=tfxschool,dc=internal, with filter (sAMAccountName=jacob)
  rlm_ldap: looking for check items in directory...
  rlm_ldap: looking for reply items in directory...
  rlm_ldap: user jacob authorized to use remote access
  rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
  rlm_realm: No '@' in User-Name = jacob, looking up realm NULL
  rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0

On 4/27/07, Jacob Jarick [EMAIL PROTECTED] wrote:
> [...]
Re: FR + LDAP + ADS - rlm_ldap: ldap_search() failed: Operations error [unclas]
OK, I've set up SFU and indeed it has populated my LDAP fields some more. I have enabled the user Jacob Jarick as a unix user, created a unix group, added myself to it, then reset my password so the unix password would be set.

Search command:

  ldapsearch -h 10.1.1.11 -x -b dc=tfxschool,dc=internal -x -LLL -s sub 'objectclass=*'

Search output: http://rapidshare.com/files/28137503/unixldap.txt.html

The list of info from myself:

  dn: CN=Jacob Jarick,OU=People,DC=tfxschool,DC=internal
  objectClass: top
  objectClass: person
  objectClass: organizationalPerson
  objectClass: user
  cn: Jacob Jarick
  sn: Jarick
  givenName: Jacob
  distinguishedName: CN=Jacob Jarick,OU=People,DC=tfxschool,DC=internal
  instanceType: 4
  whenCreated: 20070419064035.0Z
  whenChanged: 20070427035457.0Z
  displayName: Jacob Jarick
  uSNCreated: 73945
  memberOf: CN=unixgroup,OU=TFX School Users,DC=tfxschool,DC=internal
  uSNChanged: 94233
  name: Jacob Jarick
  objectGUID:: +aiQmQK4HUS1E97VMF95aw==
  userAccountControl: 66048
  badPwdCount: 0
  codePage: 0
  countryCode: 0
  badPasswordTime: 0
  lastLogoff: 0
  lastLogon: 0
  pwdLastSet: 12822119697250
  primaryGroupID: 513
  userParameters:: bTogICAgICAgICAgICAgICAgICAgIGQJICAgICAgICAgICAgICAgICAgICAgI
   CAg
  objectSid:: AQUAAAUVKyI9FO9VW1CmlC13bQQAAA==
  accountExpires: 9223372036854775807
  logonCount: 0
  sAMAccountName: jacob
  sAMAccountType: 805306368
  userPrincipalName: [EMAIL PROTECTED]
  objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=tfxschool,DC=internal
  msNPAllowDialin: TRUE
  dSCorePropagationData: 20070419075901.0Z
  dSCorePropagationData: 20070419075640.0Z
  dSCorePropagationData: 16010101000417.0Z
  lastLogonTimestamp: 128218581059375000
  msSFU30Name: jacob
  msSFU30NisDomain: tfxschool
  msSFU30PosixMemberOf: CN=unixgroup,OU=TFX School Users,DC=tfxschool,DC=interna
   l
  msSFU30UidNumber: 1
  msSFU30Password: FxatPL90rt0As
  msSFU30GidNumber: 1
  msSFU30HomeDirectory: /home/jacob
  msSFU30LoginShell: /bin/sh

See, I now have a unix password field; how do I make freeradius check against that password hash, anyone?

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: FR + LDAP + ADS - rlm_ldap: ldap_search() failed: Operations error [unclas]
Are you sure that the uid attribute is even in Active Directory? Chances are the usernames are in the sAMAccountName attribute.

Since you now seem to be able to bind, why not use the ldapsearch utility to show entries in the o=tfxschool,c=AU subtree:

  ldapsearch -x -h hostname -D cn=admin,o=tfxschool,c=AU -w pass -b o=tfxschool,c=AU 'objectclass=*'

This will show you what attributes there are, and whether the password is readable.

Regards,
Frank Ranner

-----Original Message-----
From: [EMAIL PROTECTED] eradius.org [mailto:freeradius-users- [EMAIL PROTECTED] On Behalf Of Jacob Jarick
Sent: Thursday, 26 April 2007 12:38
To: FreeRadius users mailing list
Subject: FR + LDAP + ADS - rlm_ldap: ldap_search() failed: Operations error

radiusd.conf: radiusd -X -f: http://pastebin.ca/458790

Hello again, I have configured the ldap module according to the rlm_ldap wiki (minus TLS, just trying one thing at a time). I have supplied:

  identity = cn=admin,o=tfxschool,c=AU
  password = pass

as I have been told anonymous binding is not the way to go for confirming username/password.

From reading the error log it seems to me that freeradius does successfully connect to the ADS server via ldap but fails to find the user. Output in question:

  rlm_ldap: - authorize
  rlm_ldap: performing user authorization for jacob
  radius_xlat: '(uid=jacob)'
  radius_xlat: 'o=tfxschool,c=AU'
  rlm_ldap: ldap_get_conn: Checking Id: 0
  rlm_ldap: ldap_get_conn: Got Id: 0
  rlm_ldap: attempting LDAP reconnection
  rlm_ldap: (re)connect to tfxschoolfs01.tfxschool.internal:389, authentication 0
  rlm_ldap: bind as /pass to tfxschoolfs01.tfxschool.internal:389
  rlm_ldap: waiting for bind result ...
  request done: ld 0x8697ed0 msgid 1
  rlm_ldap: Bind was successful
  rlm_ldap: performing search in o=tfxschool,c=AU, with filter (uid=jacob)
  request done: ld 0x8697ed0 msgid 2
  rlm_ldap: ldap_search() failed: Operations error
  rlm_ldap: search failed
  rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns fail for request 0
  modcall: leaving group authorize (returns fail) for request 0
  Finished request 0.

The user Jacob auths fine via the ntlm_auth module but fails with my current ldap setup. Does the user admin need special privileges on the Windows 2003 ADS to search / retrieve user information (eg password, group etc)?

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
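The three things this thread circles around can be checked mechanically from ldapsearch -LLL output: whether the configured search base lies inside a naming context the DC actually holds (the first message searched o=tfxschool,c=AU and got Operations error; the later one searched dc=tfxschool,dc=internal and succeeded), whether the filter attribute is one the returned entries really carry (uid versus sAMAccountName, as Frank points out), whether the bind identity is empty or a DN the directory does not have (the debug log shows "bind as /" and "bind as /pass"), and, per Frank's suggestion, which password-bearing attributes the bound account can read and in what form. The script below is an added example and is not code from this thread or from FreeRADIUS. It parses LDIF as ldapsearch prints it (folded continuation lines and base64 "::" values included), runs those checks, and classifies password values by shape. SAMPLE_LDIF is a constructed abridgement of the entries quoted above; the function names, the PASSWORD_ATTRS list and the hash-shape rules are this example's own assumptions.

```python
"""Triage an rlm_ldap-against-AD setup from ldapsearch -LLL output (added example)."""
import base64
import re

# Constructed sample, abridged from the entries quoted in the thread; it keeps a folded
# line (continuation with a leading space) and a base64 '::' value exactly as printed.
SAMPLE_LDIF = """\
dn: CN=admin,OU=People,DC=tfxschool,DC=internal
objectGUID:: Y5PXIUnZgEeBru7NxgIn3Q==
sAMAccountName: admin

dn: CN=Jacob Jarick,OU=People,DC=tfxschool,DC=internal
msSFU30PosixMemberOf: CN=unixgroup,OU=TFX School Users,DC=tfxschool,DC=interna
 l
sAMAccountName: jacob
msSFU30Password: FxatPL90rt0As
"""
# Attributes whose presence means the bound account can read password material (assumed list).
PASSWORD_ATTRS = ("userpassword", "mssfu30password", "unixuserpassword")

def parse_ldif(text):
    """ldapsearch -LLL output -> list of {attr: [values]} dicts. Handles '#' comments,
    folded lines and '::' base64 values (ASCII decoded, binary kept as hex).
    Escaped commas inside DN values are not handled."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:  # continuation of the previous line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():                   # blank line ends an entry
            if current:
                entries.append(current)
            current = {}
            continue
        m = re.match(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$", line)
        if line.startswith("#") or not m:
            continue
        attr, sep, value = m.groups()
        if sep == "::":
            raw = base64.b64decode(value)
            value = raw.decode("ascii") if raw.isascii() else raw.hex()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries

def norm_dn(dn):  # case-fold and strip whitespace around components
    return ",".join(p.strip().lower() for p in dn.split(","))

def naming_context(dn):
    """Drop leading non-DC components: what remains is the domain naming context."""
    parts = [p.strip() for p in dn.split(",")]
    while parts and not parts[0].lower().startswith("dc="):
        parts.pop(0)
    return ",".join(parts)

def check_rlm_ldap_settings(entries, basedn, filter_attr, identity):
    """Findings for a proposed basedn, filter attribute and bind identity, judged
    against the entries the directory actually returned."""
    findings = []
    dns = {norm_dn(e["dn"][0]) for e in entries if "dn" in e}
    contexts = {norm_dn(naming_context(e["dn"][0])) for e in entries if "dn" in e}
    base = norm_dn(basedn)
    if not any(base == c or base.endswith("," + c) for c in contexts):
        findings.append(f"basedn {basedn!r} lies in none of the naming contexts seen: "
                        + ", ".join(sorted(contexts)))
    if filter_attr.lower() not in {a.lower() for e in entries for a in e}:
        findings.append(f"filter attribute {filter_attr!r} is on no returned entry")
    if not identity:
        findings.append("identity is empty, so rlm_ldap binds anonymously ('bind as /')")
    elif norm_dn(identity) not in dns:
        findings.append(f"identity {identity!r} matches no returned entry's DN")
    return findings

def hash_format(value):
    """Rough classification of a stored password value by its shape only."""
    m = re.match(r"^\{([^}]+)\}", value)           # RFC 2307 style, e.g. {SSHA}
    if m:
        return m.group(1).upper() + " scheme"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", value):
        return "traditional DES crypt(3)"
    if value.startswith("$"):
        return "modular-crypt id " + value.split("$")[1]
    return "unrecognised (possibly cleartext)"

def readable_passwords(entries):
    """(dn, attribute, format) for every password attribute this bind could read."""
    found = []
    for e in entries:
        dn = e.get("dn", ["<no dn>"])[0]
        for attr, values in e.items():
            if attr.lower() in PASSWORD_ATTRS:
                found.extend((dn, attr, hash_format(v)) for v in values)
    return found
```

Feed `parse_ldif` the saved output of the -LLL search, then call `check_rlm_ldap_settings` with the basedn, filter attribute and identity from the ldap module stanza: the first message's trio (o=tfxschool,c=AU, uid, cn=admin,o=tfxschool,c=AU) yields three findings, while dc=tfxschool,dc=internal, sAMAccountName and the admin account's real DN yield none. `readable_passwords` is the defender's view of Frank's "whether the password is readable" question: the 13-character msSFU30Password value quoted above has the shape of a traditional DES crypt(3) hash, and any account able to bind and search that OU can read it, which is the access a directory administrator would want to restrict rather than rely on.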