Re: FR + LDAP + ADS - rlm_ldap: ldap_search() failed: Operations error [unclas]

2007-04-26 Thread Jacob Jarick
Thank you for the suggestions / tips, Frank.

Here are the results from the command you gave me:
[EMAIL PROTECTED] ~]# ldapsearch -x -h 10.1.1.11 -D
CN=admin,OU=People,DC=tfxschool,DC=internal -w pass -b
o=tfxschool,c=AU 'objectclass=*'

# extended LDIF
#
# LDAPv3
# base o=tfxschool,c=AU with scope subtree
# filter: objectclass=*
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 20D6: SvcErr: DSID-031006CC, problem 5012 (DIR_ERROR), data 0

# numResponses: 1



I'm about to install Unix Services for Windows on my 2003 server and
run my search command again to see if it populates the fields in LDAP
some more (recommended by the Gentoo wiki's HOWTO Authenticate
from Active Directory using OpenLDAP).

Also, it seems to me that freeradius is anonymously binding even
though I have set these 2 lines under ldap {
identity = cn=admin,o=tfxschool,c=AU
password = pass

Here is the entry for admin which I retrieved using this command:
ldapsearch -h 10.1.1.11 -x -b dc=tfxschool,dc=internal -x -LLL -s
sub 'objectclass=*'

dn: CN=admin,OU=People,DC=tfxschool,DC=internal
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: admin
title: tfxschool
givenName: admin
distinguishedName: CN=admin,OU=People,DC=tfxschool,DC=internal
instanceType: 4
whenCreated: 20070426003712.0Z
whenChanged: 20070426014259.0Z
displayName: admin
uSNCreated: 82400
uSNChanged: 82415
department: tfxschool
company: tfxschool
name: admin
objectGUID:: Y5PXIUnZgEeBru7NxgIn3Q==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 128220214326562500
primaryGroupID: 513
objectSid:: AQUAAAUVKyI9FO9VW1CmlC13bwQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: admin
sAMAccountType: 805306368
userPrincipalName: [EMAIL PROTECTED]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=tfxschool,DC=internal


Thanks in advance, I appreciate the info very much.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FR + LDAP + ADS - rlm_ldap: ldap_search() failed: Operations error [unclas]

2007-04-26 Thread Jacob Jarick
OK, some more progress: I found one setting that rejected any user who
did not have the dial-up access attribute, which I have commented out. Now I get
the following results when using the radping program.

It looks to me like it searches fine ("rlm_ldap: user jacob authorized
to use remote access") but I'm guessing that because there is no password
field it returns 0 and moves on. I am about to install Unix Services
for Windows and inspect the new fields (if any).

If anyone knows what is involved in populating the ADS 2003 LDAP fields
with user password hashes please let me know.

rad_recv: Access-Request packet from host 10.1.1.11:3470, id=8, length=45
User-Name = jacob
User-Password = \330\3338\220\201\273J\246fU\270\354xC{\212
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for jacob
radius_xlat:  '(sAMAccountName=jacob)'
radius_xlat:  'dc=tfxschool,dc=internal'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to tfxschoolfs01.tfxschool.internal:3268, authentication 0
rlm_ldap: bind as / to tfxschoolfs01.tfxschool.internal:3268
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=tfxschool,dc=internal, with filter
(sAMAccountName=jacob)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user jacob authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = jacob, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0



Re: FR + LDAP + ADS - rlm_ldap: ldap_search() failed: Operations error [unclas]

2007-04-26 Thread Jacob Jarick
OK, I've set up SFU and indeed it has populated my LDAP fields some more.

I have enabled the user Jacob Jarick as a Unix user, created a Unix
group, added myself to it, then reset my password so the Unix password
would be set.

Search command:
ldapsearch -h 10.1.1.11 -x -b dc=tfxschool,dc=internal -x -LLL -s
sub 'objectclass=*'

Search Output: http://rapidshare.com/files/28137503/unixldap.txt.html

The list of info from myself:

dn: CN=Jacob Jarick,OU=People,DC=tfxschool,DC=internal
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Jacob Jarick
sn: Jarick
givenName: Jacob
distinguishedName: CN=Jacob Jarick,OU=People,DC=tfxschool,DC=internal
instanceType: 4
whenCreated: 20070419064035.0Z
whenChanged: 20070427035457.0Z
displayName: Jacob Jarick
uSNCreated: 73945
memberOf: CN=unixgroup,OU=TFX School Users,DC=tfxschool,DC=internal
uSNChanged: 94233
name: Jacob Jarick
objectGUID:: +aiQmQK4HUS1E97VMF95aw==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 12822119697250
primaryGroupID: 513
userParameters:: bTogICAgICAgICAgICAgICAgICAgIGQJICAgICAgICAgICAgICAgICAgICAgI
 CAg
objectSid:: AQUAAAUVKyI9FO9VW1CmlC13bQQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: jacob
sAMAccountType: 805306368
userPrincipalName: [EMAIL PROTECTED]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=tfxschool,DC=internal
msNPAllowDialin: TRUE
dSCorePropagationData: 20070419075901.0Z
dSCorePropagationData: 20070419075640.0Z
dSCorePropagationData: 16010101000417.0Z
lastLogonTimestamp: 128218581059375000
msSFU30Name: jacob
msSFU30NisDomain: tfxschool
msSFU30PosixMemberOf: CN=unixgroup,OU=TFX School Users,DC=tfxschool,DC=interna
 l
msSFU30UidNumber: 1
msSFU30Password: FxatPL90rt0As
msSFU30GidNumber: 1
msSFU30HomeDirectory: /home/jacob
msSFU30LoginShell: /bin/sh

-

See, I now have a Unix password field. How do I make freeradius check
against that password hash, anyone?
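As an added example (not from this thread, FreeRADIUS or Microsoft), the script below parses LDIF entries like the admin and jacob ones posted in this thread and reports what rlm_ldap has to work with: whether the entry sits under the configured search base (the o=tfxschool,c=AU search failed while the same search under dc=tfxschool,dc=internal succeeded), which username attribute exists (uid versus sAMAccountName), which password attributes the bind identity can read, the msNPAllowDialin value, and the userAccountControl flags. The sample entries are constructed abbreviations of the posted ones and the crypt hash is replaced by a placeholder.

```python
import base64
# userAccountControl bits (MS-ADTS) worth reading before trusting an LDAP authorize.
UAC_FLAGS = {0x2: "ACCOUNTDISABLE", 0x200: "NORMAL_ACCOUNT", 0x10000: "DONT_EXPIRE_PASSWORD"}
# Attributes that hold password material a RADIUS server could map to a check item.
PASSWORD_ATTRS = ("userPassword", "unixUserPassword", "msSFU30Password")
# Constructed samples, abbreviated from the thread's admin and jacob entries; the hash is a placeholder.
ADMIN_LDIF = """\
dn: CN=admin,OU=People,DC=tfxschool,DC=internal
userAccountControl: 66048
sAMAccountName: admin
"""
JACOB_LDIF = """\
dn: CN=Jacob Jarick,OU=People,DC=tfxschool,DC=internal
objectGUID:: +aiQmQK4HUS1E97VMF95aw==
userAccountControl: 66048
sAMAccountName: jacob
msNPAllowDialin: TRUE
msSFU30PosixMemberOf: CN=unixgroup,OU=TFX School Users,DC=tfxschool,DC=interna
 l
msSFU30Password: PLACEHOLDER-crypt-hash
"""

def parse_ldif(text):
    """One LDIF entry -> {attr: [values]}; folds ' '-continued lines and decodes '::' base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # LDIF line folding (the wrapped DC=interna / l above)
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        if ":: " in line:                   # base64 value (objectGUID, objectSid, userParameters)
            attr, val = line.split(":: ", 1)
            val = base64.b64decode(val)
        else:
            attr, val = line.split(": ", 1)
        entry.setdefault(attr, []).append(val)
    return entry
def base_dn_matches(entry, base_dn):
    """True if the entry lies under base_dn (case-insensitive DN suffix match)."""
    dn = entry["dn"][0].lower()
    return dn == base_dn.lower() or dn.endswith("," + base_dn.lower())
def check_entry(entry):
    """What rlm_ldap has to work with: username attribute, readable password attrs, dial-in, UAC."""
    uac = int(entry.get("userAccountControl", ["0"])[0])
    return {"username_attr": next((a for a in ("uid", "sAMAccountName") if a in entry), None),
            "readable_password_attrs": [a for a in PASSWORD_ATTRS if a in entry],
            "dialin": entry.get("msNPAllowDialin", ["absent"])[0],
            "uac_flags": sorted(n for bit, n in UAC_FLAGS.items() if uac & bit)}
```

A non-empty readable_password_attrs result means the bind identity can read password hashes out of the directory, so the ACL on that attribute and the storage of the bind password in radiusd.conf deserve the same protection as any other credential store.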


RE: FR + LDAP + ADS - rlm_ldap: ldap_search() failed: Operations error [unclas]

2007-04-25 Thread Ranner, Frank MR
Are you sure that the uid attribute is even in Active Directory? Chances
are the usernames are in the sAMAccountName attribute. Since you now seem
to be able to bind, why not use the ldapsearch utility to show entries in
the o=tfxschool,c=AU subtree.

  ldapsearch -x -h hostname -D  cn=admin,o=tfxschool,c=AU -w pass -b
o=tfxschool,c=AU 'objectclass=*'

This will show you what attributes there are, and whether the password
is readable.

Regards,
Frank Ranner

 -----Original Message-----
 From: [EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED]] On
 Behalf Of Jacob Jarick
 Sent: Thursday, 26 April 2007 12:38
 To: FreeRadius users mailing list
 Subject: FR + LDAP + ADS - rlm_ldap: ldap_search() failed: 
 Operations error
 
 radiusd.conf:
 radiusd -X -f: http://pastebin.ca/458790
 
 Hello again,
 I have configured the ldap module according to the rlm_ldap
 wiki (minus TLS, just trying one thing at a time). I have supplied:
 identity = cn=admin,o=tfxschool,c=AU
 password = pass
 
 As I have been told anonymous binding is not the way to go 
 for confirming username/password.
 
 From reading the error log it seems to me that freeradius does
 successfully connect to the ADS server via ldap but fails to
 find the user.
 
 output in question:
 
 rlm_ldap: - authorize
 rlm_ldap: performing user authorization for jacob
 radius_xlat:  '(uid=jacob)'
 radius_xlat:  'o=tfxschool,c=AU'
 rlm_ldap: ldap_get_conn: Checking Id: 0
 rlm_ldap: ldap_get_conn: Got Id: 0
 rlm_ldap: attempting LDAP reconnection
 rlm_ldap: (re)connect to 
 tfxschoolfs01.tfxschool.internal:389, authentication 0
 rlm_ldap: bind as /pass to tfxschoolfs01.tfxschool.internal:389
 rlm_ldap: waiting for bind result ...
 request done: ld 0x8697ed0 msgid 1
 rlm_ldap: Bind was successful
 rlm_ldap: performing search in o=tfxschool,c=AU, with filter 
 (uid=jacob) request done: ld 0x8697ed0 msgid 2
 rlm_ldap: ldap_search() failed: Operations error
 rlm_ldap: search failed
 rlm_ldap: ldap_release_conn: Release Id: 0
 modcall[authorize]: module ldap returns fail for request 0
 modcall: leaving group authorize (returns fail) for request 0 
 Finished request 0 .
 The user Jacob auth's fine via the ntlm_auth module but fails 
 with my current ldap setup.
 Does the user admin need special privileges on the Windows
 2003 ADS to search / retrieve user information (eg password,
 group etc)?
 
