problem with freeradius and ldaps (Active Directory) (2)

Roberto S. G. roberto.santos at unileon.es
Thu Jun 16 09:38:27 CEST 2005


Hi,
No, in normal mode radiusd really crashes: the daemon gets killed and I have to restart it again (no process shows up in "ps aux"... and the script doesn't stop it because it isn't running...). That log line is the only trace it gives before the crash.

But when I run radiusd with the "-X" option, it doesn't crash... (???) and gives these lines (I've cut data):
rlm_ldap: - authorize
rlm_ldap: performing user authorization for XXXXXX
radius_xlat:  '(cn=XXXXXX)'
radius_xlat:  'ou=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldaps://XXXXXXXXXXXXXXXXXX, authentication 0
rlm_ldap: setting TLS Require Cert to never
rlm_ldap: setting TLS Cert File to ./certs/XXXXXXcacert.pem
rlm_ldap: bind as XXXXXXXXXXXXXXXXXXXXXXXX/XXXXXX to ldaps://XXXXXXXXXXXXXXXXXX
rlm_ldap: cn=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX bind to ldaps://XXXXXXXXXXXXXXXXXX failed: Can't contact LDAP server
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns fail for request 5
modcall: group authorize returns fail for request 5
Finished request 5

The same configuration of user, proxy LDAP user (bind as...) and server runs smoothly; the only differences are:
server = "ldaps://XXXXXXXXXXXXXXX"      (I tried to use this instead of port=636, but the result is the same)
tls_certfile    = ./certs/XXXXXcacert.pem
tls_require_cert        = "never"

I left the rest unchanged. (Maybe some of these "*time*" options in the ldap section are important?)
The test was made with "echo "User-Name = XXXXX" | radclient localhost auth XXXXX".
If I do a "telnet XXXXXXXXXXXXXXX 636", the connection isn't refused, so the port is open, as is 389.
I don't have an LDAP client on that machine, but I've successfully contacted this LDAPS server from another machine with the ldapbrowser or Softerra clients.

I've checked the config log written when I compiled radius, to see if it found the ldap and openssl sources correctly; all the options I've seen for them are passed with "yes", and the "make" didn't complain...
Are my options for LDAPS against Active Directory correct?

Thank you very much for your time.

 >Message: 5
 >Date: Wed, 15 Jun 2005 12:54:42 -0400
 >From: "Alan DeKok" <aland at ox.org>
 >Subject: Re: problem with freeradius and ldaps (Active Directory)
 >To: FreeRadius users mailing list
 >    <freeradius-users at lists.freeradius.org>
 >Message-ID: <20050615165442.6E00F16D00 at mail.nitros9.org>
 >
 >"Roberto S. G." <roberto.santos at unileon.es> wrote:
 >
 >>> But I'm not able to obtain any response. In fact, the freeradius crashes
 >>> with just a:
 >>>
 >>> rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:1074, id=88,
 >>> length=29
 >>> Discarding duplicate request from client localhost:1074 - ID: 88
 >
 >
 >  It's not a crash.  It's telling you that it's still processing the
 >previous request.
 >
 >
 >>> Has anyone successfully configured freeradius against an Active Directory
 >>> with LDAPS?
 >
 >
 >  Yes.
 >
 >  Run the server in debugging mode to see where it hangs.
 >
 >  Alan DeKok.
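The ldap section reported in the message above, placed beside a form that actually verifies the Active Directory server, as an added example that is not from the original post or from the FreeRADIUS project; it assumes FreeRADIUS 1.x rlm_ldap option names, and the host, DNs, password and paths are placeholders. The defender's point: with tls_require_cert = "never" rlm_ldap accepts whatever certificate the LDAPS peer presents, so the bind DN and password are handed to an unauthenticated server, and a CA bundle belongs in tls_cacertfile, not tls_certfile (which is the client certificate).

```conf
# Weak form (matches the settings quoted in the message):
# the server certificate is never checked, and the CA file is
# loaded as if it were a client certificate.
ldap {
        server = "ldaps://ad.example.internal"        # placeholder host
        identity = "cn=radius-proxy,ou=Service,dc=example,dc=internal"
        password = "PLACEHOLDER"
        basedn = "ou=People,dc=example,dc=internal"
        filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
        tls_certfile = ./certs/cacert.pem             # wrong option for a CA
        tls_require_cert = "never"                    # no peer verification
}

# Hardened form: the AD certificate must chain to the named CA and
# must match the host name given in "server", or the bind fails
# instead of sending credentials to an unverified peer.
ldap {
        server = "ldaps://ad.example.internal"        # must match the cert name
        identity = "cn=radius-proxy,ou=Service,dc=example,dc=internal"
        password = "PLACEHOLDER"
        basedn = "ou=People,dc=example,dc=internal"
        filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
        tls_cacertfile = /etc/raddb/certs/ad-ca.pem   # CA that issued the AD cert
        tls_require_cert = "demand"                   # refuse an unverifiable cert
        net_timeout = 1                               # seconds to reach the server
        timeout = 4                                   # seconds for a bind/search
        timelimit = 3                                 # server-side search limit
}
```

A check that needs no LDAP client on the box: `openssl s_client -connect ad.example.internal:636 -CAfile /etc/raddb/certs/ad-ca.pem` should end with `Verify return code: 0 (ok)` when the CA file is the right one; any other code means "demand" will reject that server too.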