Environment
Novell eDirectory
Novell SUSE Linux
FreeRADIUS
Situation
Alias objects exist in the tree, so an LDAP search for a user name returns more than one entry. When FreeRADIUS is run in debug mode (radiusd -X), the output shows:
rlm_ldap: - authorize
rlm_ldap: performing user authorization for joe
radius_xlat: '(cn=joe)'
radius_xlat: 'o=novell'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=novell, with filter (cn=joe)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: performing user authorization for joe
radius_xlat: '(cn=joe)'
radius_xlat: 'o=novell'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=novell, with filter (cn=joe)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap requires exactly one matching entry, so every user who has an alias pointing at their object fails authentication.
Resolution
To keep the search from matching the alias entries, change the search filter that rlm_ldap uses:
- Open the /etc/raddb/radiusd.conf file
- Locate the "ldap" section
- Locate the "filter" configuration element
- Prepend "(&(objectClass=inetOrgPerson)" to your filter and append ")" to the end of it. For example: filter = "(&(objectClass=inetOrgPerson)(uid=%{Stripped-User-Name:-%{User-Name}}))". The alias entries themselves carry objectClass alias rather than inetOrgPerson, so they no longer match and only the real user entry is returned.
- Restart the FreeRADIUS service (/etc/init.d/radiusd restart)
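The following script is an added example and is not part of this document or of FreeRADIUS: it applies the filter change above to a radiusd.conf copy, and emulates offline why the extra objectClass term removes the ambiguity. The config path, host name and the sample ldapsearch output are constructed assumptions; the LDIF reflects what a search with alias dereferencing disabled returns (the alias entry itself, with objectClass alias and aliasedObjectName).

```shell
#!/bin/sh
# Added example (not from the TID). Wraps the rlm_ldap "filter" line in
# radiusd.conf with (&(objectClass=inetOrgPerson)...) and shows, on a
# constructed ldapsearch result, why that leaves exactly one entry.
# RADDB_CONF and the host in the usage note are assumptions.

RADDB_CONF="${RADDB_CONF:-/etc/raddb/radiusd.conf}"

# Print the filter string from the ldap { } block of a radiusd.conf.
# Assumes the filter line comes before any nested sub-block, as in 1.x.
current_filter() {
    sed -n '/^[[:space:]]*ldap[[:space:]]*{/,/^[[:space:]]*}/p' "$1" \
      | sed -n 's/^[[:space:]]*filter[[:space:]]*=[[:space:]]*"\(.*\)"[[:space:]]*$/\1/p'
}

# Rewrite the filter so only inetOrgPerson entries can match. Leaves a
# .bak copy, prints the new filter, and is a no-op if already hardened.
harden_filter() {
    f="$1"
    old=$(current_filter "$f")
    [ -n "$old" ] || { echo "no filter line found in $f" >&2; return 1; }
    case "$old" in
        *'(objectClass=inetOrgPerson)'*) echo "already hardened: $old"; return 0 ;;
    esac
    new="(&(objectClass=inetOrgPerson)$old)"
    # '&' is special in a sed replacement, so escape it (and '\' and '|').
    new_esc=$(printf '%s' "$new" | sed 's/[&|\\]/\\&/g')
    cp "$f" "$f.bak"
    sed "/^[[:space:]]*ldap[[:space:]]*{/,/^[[:space:]]*}/ s|^\([[:space:]]*filter[[:space:]]*=[[:space:]]*\)\".*\"|\1\"$new_esc\"|" \
        "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    echo "$new"
}

# Count entries in ldapsearch output (one "dn:" line per entry).
# rlm_ldap needs this to be exactly 1 for the user being authorized.
count_entries() {
    grep -c '^dn:'
}

# Offline emulation of the objectClass term: keep only the LDIF entries
# (blank-line separated) that carry the given objectClass.
entries_with_class() {
    awk -v cls="$1" 'BEGIN { RS = ""; ORS = "\n\n" }
        $0 ~ ("(^|\n)objectClass: " cls "(\n|$)")'
}

# Constructed sample of what "ldapsearch -b o=novell '(cn=joe)'" returns
# when an alias for joe exists and aliases are not dereferenced.
sample_ldif_with_alias() {
    cat <<'EOF'
dn: cn=joe,ou=users,o=novell
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: joe

dn: cn=joe,ou=sales,o=novell
objectClass: alias
objectClass: top
aliasedObjectName: cn=joe,ou=users,o=novell
cn: joe
EOF
}

# Usage when run directly (the real config is only touched if it exists):
#   harden_filter /etc/raddb/radiusd.conf
#   ldapsearch -x -H ldap://ldap.example.com -b o=novell \
#       '(&(objectClass=inetOrgPerson)(cn=joe))' dn | count_entries   # expect 1
if [ "${0##*/}" = "harden_rlm_ldap.sh" ] && [ -f "$RADDB_CONF" ]; then
    harden_filter "$RADDB_CONF"
fi
```

Run the ldapsearch line from the usage comment before restarting radiusd: the unchanged filter returns two entries for joe (the user and the alias), the hardened filter returns one, which is the condition rlm_ldap's authorize step needs. The .bak copy lets you roll back if the ldap block in your radiusd.conf does not follow the layout the sed ranges assume.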
Additional Information
FreeRADIUS should be tested at this point to verify that it is operational. If authentication still fails, restart the FreeRADIUS daemon in debug mode (radiusd -X) and review the rlm_ldap search output (see Technical Information Document 10100993).