nginx-auth-ldap
ldap_search_ext() request failed (1: Operations error) fails against Windows Server 2012 AD
I must say I'm not that familiar with LDAP and such.
But there seems to be a problem when trying to authenticate against a Windows Server 2012 AD. As you can see in the log, ldap_search_ext fails with: ldap_search_ext() request failed (1: Operations error)
How can I debug this problem? Or how can I resolve it? Maybe it's a good idea to include some example log output of what valid logs should look like, so that you can see which step it failed on without the need to read all the code.
http {
    ldap_server domain_ldap {
        ...
        #url ldap://172.31.1.224:3268/dc=espirit,dc=espirit?sAMAccountName?sub?(objectClass=person);
        url ldap://172.31.1.224:389/dc=espirit,dc=espirit?sAMAccountName?sub?(objectClass=person);
        connections 10;
        #binddn 'ESPIRIT\Administrator'
        binddn 'ESPIRIT\\Administrator'
        binddn_passwd '*******'
        group_attribute uniquemember;
        group_attribute_is_dn on;
        #require group 'cn=Werknemers,cn=Users,dn=espirit,dn=espirit';
        require valid_user;
        satisfy all;
        ...
    }
    server {
        ...
        auth_ldap "Employees Only";
        auth_ldap_servers domain_ldap;
        ...
    }
}
When I try to authenticate I get the following log output:
2015/01/14 17:05:07 [debug] 10652#0: *41 http_auth_ldap: Username is "nijzendoorn"
2015/01/14 17:05:07 [debug] 10652#0: *41 http_auth_ldap: Authentication loop (phase=0, iteration=0)
2015/01/14 17:05:07 [debug] 10652#0: *41 event timer add: 26: 10000:1421251517669
2015/01/14 17:05:07 [debug] 10652#0: *41 http_auth_ldap: Authentication loop (phase=1, iteration=0)
2015/01/14 17:05:07 [debug] 10652#0: *41 http_auth_ldap: Wants a free connection to "domain_ldap"
2015/01/14 17:05:07 [debug] 10652#0: *41 http_auth_ldap: Search filter is "(&(objectClass=person)(sAMAccountName=nijzendoorn))"
2015/01/14 17:05:07 [debug] 10652#0: *41 http_auth_ldap: ldap_search_ext() -> msgid=2
2015/01/14 17:05:07 [debug] 10652#0: *41 http_auth_ldap: Waking authentication request "GET / HTTP/1.1"
2015/01/14 17:05:07 [debug] 10652#0: *41 access phase: 8
2015/01/14 17:05:07 [debug] 10652#0: *41 http_auth_ldap: Authentication loop (phase=1, iteration=1)
2015/01/14 17:05:07 [error] 10652#0: *41 http_auth_ldap: ldap_search_ext() request failed (1: Operations error), client: 172.31.1.29, server: backup.espirit, request: "GET / HTTP/1.1", host: "backup.espirit"
2015/01/14 17:05:07 [debug] 10652#0: *41 http_auth_ldap: Authentication loop (phase=6, iteration=1)
But when I use ldapsearch to list the entry with the filter:
@esserver:~ # ldapsearch -LLL -H ldap://172.31.1.224:389 -b 'dc=espirit,dc=espirit' -D 'ESPIRIT\Administrator' -w '******' '(&(objectClass=person)(sAMAccountName=nijzendoorn))'
dn: CN=Nick van IJzendoorn,CN=Users,DC=espirit,DC=espirit
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Nick van IJzendoorn
sn: van IJzendoorn
givenName: Nick
distinguishedName: CN=Nick van IJzendoorn,CN=Users,DC=espirit,DC=espirit
instanceType: 4
whenCreated: 20150108133948.0Z
whenChanged: 20150109122413.0Z
displayName: Nick van IJzendoorn
uSNCreated: 12794
uSNChanged: 13203
name: Nick van IJzendoorn
objectGUID:: **********
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 130656897139951988
pwdLastSet: 130651979888098064
primaryGroupID: 1105
objectSid:: ***********
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 19
sAMAccountName: nijzendoorn
sAMAccountType: 805306368
userPrincipalName: [email protected]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=espirit,DC=espirit
dSCorePropagationData: 20150108135125.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 130652798532999864
# refldap://espirit.espirit/CN=Configuration,DC=espirit,DC=espirit
I have an analogous problem! Windows Server 2012 AD, Ubuntu 12.04, Nginx 1.6.2 with nginx-auth-ldap. The part of the error: 2015/04/07 19:24:12 [error] 2784#0: *3 http_auth_ldap: ldap_search_ext() request failed (1: Operations error), ....
But ldapsearch also works; I can list the entry with the filter.
You're missing a few semicolons. I was able to recreate this issue with a missing semicolon in my ldap_server config block.
This module fails in all sorts of random, spectacular ways if you're missing semicolons at the end of each line of your config.
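The last reply points at the cause: in the posted `ldap_server` block the `binddn` and `binddn_passwd` lines have no terminating `;`, so nginx's tokenizer keeps reading and swallows the following lines as extra arguments of `binddn`. The script below is an added example (it is not part of nginx-auth-ldap or of this thread) that walks an nginx-style config the way the tokenizer does, splitting on `;`, `{` and `}` while honouring quotes and `#` comments, and reports every directive whose statement runs on to a later line. The sample config is a constructed copy of the block from the issue; the heuristic assumes one directive per line, which is how that block is laid out, so a directive deliberately wrapped across lines would also be reported.

```python
"""Find directives in an nginx-style config block that lack a terminating ';'."""
from typing import List, Tuple

# Constructed sample: the ldap_server block posted in the issue, comments and '...' removed.
# Lines 5 and 6 (binddn, binddn_passwd) are the ones without a semicolon.
SAMPLE_CONFIG = r"""http {
    ldap_server domain_ldap {
        url ldap://172.31.1.224:389/dc=espirit,dc=espirit?sAMAccountName?sub?(objectClass=person);
        connections 10;
        binddn 'ESPIRIT\\Administrator'
        binddn_passwd '*******'
        group_attribute uniquemember;
        group_attribute_is_dn on;
        require valid_user;
        satisfy all;
    }
}
"""


def tokenize(text: str) -> List[Tuple[str, int, str]]:
    """Return (token, line_number, kind) triples; kind is 'word' or 'punct' for ; { }."""
    tokens, i, n, line = [], 0, len(text), 1
    while i < n:
        c = text[i]
        if c == "\n":
            line += 1
            i += 1
        elif c in " \t\r":
            i += 1
        elif c == "#":                       # comment runs to end of line
            while i < n and text[i] != "\n":
                i += 1
        elif c in ";{}":
            tokens.append((c, line, "punct"))
            i += 1
        else:                                # a word, possibly containing quoted runs
            start_line, buf = line, []
            while i < n and text[i] not in " \t\r\n;{}#":
                if text[i] in "'\"":
                    quote = text[i]
                    i += 1
                    while i < n and text[i] != quote:
                        if text[i] == "\\" and i + 1 < n:   # keep escape pairs verbatim
                            buf.append(text[i:i + 2])
                            i += 2
                            continue
                        if text[i] == "\n":
                            line += 1
                        buf.append(text[i])
                        i += 1
                    i += 1                   # skip the closing quote
                else:
                    buf.append(text[i])
                    i += 1
            tokens.append(("".join(buf), start_line, "word"))
    return tokens


def _continuation_lines(stmt: List[Tuple[str, int]]) -> List[Tuple[int, str]]:
    """For one statement, return (line, leading token) for every line that runs on to a later one."""
    first_token_on_line = {}
    for tok, ln in stmt:
        first_token_on_line.setdefault(ln, tok)
    ordered = sorted(first_token_on_line)
    return [(ln, first_token_on_line[ln]) for ln in ordered[:-1]]


def find_missing_semicolons(text: str) -> List[Tuple[int, str]]:
    """Return (line, directive) for each config line whose directive is not closed by ';' or '{'."""
    findings, current = [], []           # current holds (word, line) of the statement being built
    for tok, line, kind in tokenize(text) + [("}", -1, "punct")]:   # sentinel flushes at EOF
        if kind == "word":
            current.append((tok, line))
            continue
        if current:
            findings.extend(_continuation_lines(current))
            if tok == "}":                   # statement ran straight into a brace: no ';' at all
                last = current[-1][1]
                findings.append((last, next(t for t, ln in current if ln == last)))
        current = []
    return findings


if __name__ == "__main__":
    for line_no, directive in find_missing_semicolons(SAMPLE_CONFIG):
        print(f"line {line_no}: '{directive}' is not terminated with ';'; "
              f"the next line is parsed as its arguments")
```

Run against the sample it reports lines 5 and 6, which matches the reply above: `binddn_passwd '*******'` and `group_attribute uniquemember` are read as further arguments of `binddn`, so the module never sees the bind credentials it was meant to use.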