FreeRADIUS/eDirectory: rlm_ldap: object not found or got ambiguous search result

  • 3006244
  • 04-Jun-2006
  • 26-Apr-2012

Environment
Novell eDirectory
Novell SUSE Linux
FreeRADIUS

Situation

Alias objects exist in the tree with the same cn as the user objects they point to. Because an alias entry matches the same filter as the real user, the LDAP search for a user returns more than one entry, and rlm_ldap, which requires exactly one match, rejects the lookup. When FreeRADIUS is run in debug mode (radiusd -X), the output shows:

rlm_ldap: - authorize
rlm_ldap: performing user authorization for joe
radius_xlat: '(cn=joe)'
radius_xlat: 'o=novell'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=novell, with filter (cn=joe)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed

As a result, every user that has an alias object fails authorization in rlm_ldap, and therefore fails authentication.

Resolution

To keep alias objects out of the search result, restrict the filter to the object class carried by real user objects (the alias entry has objectClass alias, not inetOrgPerson, so it no longer matches):
  1. Open the /etc/raddb/radiusd.conf file (FreeRADIUS 2.x keeps the ldap section in /etc/raddb/modules/ldap instead)
  2. Locate the "ldap" section
  3. Locate the "filter" configuration element
  4. Insert "(&(objectClass=inetOrgPerson)" on the front of your filter, and add ")" to the end of it. For example: filter = "(&(objectClass=inetOrgPerson)(uid=%{Stripped-User-Name:-%{User-Name}}))". The same wrapping applies if your filter matches on cn, as in the debug output above. Use an object class that your user objects actually carry; eDirectory User objects are exposed over LDAP as inetOrgPerson.
  5. Restart the FreeRADIUS service (/etc/init.d/radiusd restart)
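The following is an added example, not FreeRADIUS or eDirectory code, that shows why the original filter is ambiguous and why the wrapped filter from step 4 is not. The directory entries are constructed (a user cn=joe, an eDirectory alias with the same cn, and a second user), the filter evaluator is a deliberately small subset of RFC 4515 (equality matches, &, |, !), and the function names build_filter, search and authorize are this example's own. The xlat %{Stripped-User-Name:-%{User-Name}} is modelled as "Stripped-User-Name if set, else User-Name". RFC 4515 escaping of the user name is included so that the example is safe stand-alone; it is not a claim about how rlm_ldap escapes its own expansions.

```python
"""Simulate the rlm_ldap user search against an eDirectory tree that contains
alias objects, with and without the objectClass restriction from the Resolution.
Added example; not code from FreeRADIUS or eDirectory."""
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]

# Constructed directory. The alias entry carries the user's cn but has
# objectClass 'alias', so a filter that also tests objectClass excludes it.
DIRECTORY: Dict[str, Entry] = {
    "cn=joe,ou=users,o=novell": {
        "objectClass": ["inetOrgPerson", "organizationalPerson", "person", "top"],
        "cn": ["joe"], "uid": ["joe"],
    },
    "cn=joe,ou=aliases,o=novell": {
        "objectClass": ["alias", "top"],
        "cn": ["joe"],
        "aliasedObjectName": ["cn=joe,ou=users,o=novell"],
    },
    "cn=ann,ou=users,o=novell": {
        "objectClass": ["inetOrgPerson", "organizationalPerson", "person", "top"],
        "cn": ["ann"], "uid": ["ann"],
    },
}


def _parse(s: str, i: int) -> Tuple[tuple, int]:
    """Parse one parenthesised filter starting at s[i]; return (node, next index)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i} in {s!r}")
    i += 1
    if s[i] in "&|!":                       # composite: (&(..)(..)), (|..), (!..)
        op = s[i]
        i += 1
        kids = []
        while s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i} in {s!r}")
        return (op, kids), i + 1
    j = s.index(")", i)                     # simple equality: (attr=value)
    attr, _, value = s[i:j].partition("=")
    return ("=", attr.strip(), value.strip()), j + 1


def _matches(node: tuple, entry: Entry) -> bool:
    kind = node[0]
    if kind == "=":
        _, attr, value = node
        # Attribute names and the string syntaxes used here match case-insensitively.
        vals = [v.lower() for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
        return value.lower() in vals
    if kind == "&":
        return all(_matches(k, entry) for k in node[1])
    if kind == "|":
        return any(_matches(k, entry) for k in node[1])
    if kind == "!":
        return not _matches(node[1][0], entry)
    raise ValueError(f"unknown filter node {kind!r}")


def search(base: str, filt: str, directory: Dict[str, Entry] = DIRECTORY) -> List[str]:
    """Subtree search under `base` that returns alias entries as themselves
    (no dereferencing), which is what produces the duplicate hit for joe."""
    node, end = _parse(filt, 0)
    if end != len(filt):
        raise ValueError(f"trailing text after filter: {filt[end:]!r}")
    suffix = "," + base.lower()
    return sorted(dn for dn, e in directory.items()
                  if dn.lower().endswith(suffix) and _matches(node, e))


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a User-Name such as 'joe)(cn=*' cannot rewrite the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def build_filter(user_name: str, stripped_user_name: Optional[str] = None,
                 attr: str = "cn", restrict_class: bool = False) -> str:
    """Mirror the radiusd.conf filter: %{Stripped-User-Name:-%{User-Name}} expands to
    Stripped-User-Name when the realm module set it, otherwise User-Name.
    restrict_class=True applies the wrapping from step 4 of the Resolution."""
    name = stripped_user_name if stripped_user_name else user_name
    filt = f"({attr}={escape_filter_value(name)})"
    if restrict_class:
        filt = f"(&(objectClass=inetOrgPerson){filt})"
    return filt


def authorize(user_name: str, base: str = "o=novell",
              restrict_class: bool = False) -> Optional[str]:
    """rlm_ldap-style authorize: exactly one hit is required. Zero hits and
    several hits both map to 'object not found or got ambiguous search result'."""
    hits = search(base, build_filter(user_name, restrict_class=restrict_class))
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    for restrict in (False, True):
        print(build_filter("joe", restrict_class=restrict), "->",
              authorize("joe", restrict_class=restrict) or "object not found or got ambiguous search result")
```

Against a live tree the same comparison can be made with ldapsearch with alias dereferencing disabled (-a never): the original filter returns both the user entry and the alias entry, the wrapped filter returns only the user entry. If the wrapped filter returns nothing, the user objects do not carry the objectClass you restricted on and a different class must be used.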

Additional Information

Test FreeRADIUS at this point to verify that it is operational. If authentication still fails, start FreeRADIUS in debug mode (radiusd -X) and check the rlm_ldap output again (see Technical Information Document 10100993).