rlm_ldap problems connecting to LDAP server

George C. Kaplan gckaplan at ack.berkeley.edu
Sat Jan 21 02:59:31 CET 2006


We have an 802.11 service that uses a captive portal (Vernier) system
authenticating via RADIUS to Kerberos.  Currently there's no
authorization, except implicitly (i.e. presence of an entry in our
Kerberos database).  We want to start doing authorization using the
campus LDAP directory.

I'm trying to set this up with rlm_ldap on FreeRADIUS 1.0.5, but I'm
having trouble getting it to work.  The LDAP server doesn't have any of
the RADIUS attributes in its schema, so I'll have to come up with a
custom mapping, but that's not the problem (yet).  Rather, I can't get
rlm_ldap to make an encrypted connection to the LDAP server.

Here's the start of the ldap section in the modules {} part of radiusd.conf:

        ldap airbears-ldap {
                server = "ldaps://our.ldap.server"
                # empty identity/password: anonymous bind
                identity =
                password =
                basedn = "ou=people,dc=berkeley, dc=edu"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                # -1 turns on full OpenLDAP client debugging
                ldap_debug = -1

                # CA file to verify the server certificate against
                tls_cacertfile  = ${confdir}/certs/ourcertfile.crt
                # "never": do not ask for / check the server certificate
                tls_require_cert        = "never"

                ...
        }

Everything else in the ldap section is still the default.  (That'll have
to change, but I want to get the connection working first).  The above
should set up an anonymous bind over an encrypted connection, but it
fails with "TLS: can't connect".  (See attached debug snippet).
However, if I change the 'ldaps:' to 'ldap:', the ldap query works.

I've tried various combinations of 'port' (in the ldap section),
'start_tls' and 'tls_mode' but any combination that specifies a TLS
connection fails.

I don't think there's a problem with our openldap or openssl libraries,
because I can do the same query (from the same system) with 'ldapsearch'
without any problems.

The RADIUS server is running FreeBSD 5.4-STABLE, using OpenSSL 0.9.8a
and OpenLDAP 2.2.29, both built from ports.  (FreeRADIUS is also
built from ports.)

Any ideas on what the problem might be, or where I might look next?

Thanks,

-- 
George C. Kaplan                            gckaplan at ack.berkeley.edu
Communication & Network Services            510-643-0496
University of California at Berkeley
Attachment: radius-ldap.sample
<http://lists.freeradius.org/pipermail/freeradius-users/attachments/20060120/aa3370d7/attachment.ksh>
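The configuration in the post asks for an encrypted connection but, with
tls_require_cert = "never", never authenticates the LDAP server: OpenLDAP
will accept any certificate (or none), so a successful connect would be
encrypted but open to a man-in-the-middle, and a "TLS: can't connect"
failure cannot be a certificate-verification problem because verification
is off.  The fragment below is an added example, not the poster's config
and not the radiusd.conf shipped with FreeRADIUS; it puts the weak
section next to a hardened one that uses rlm_ldap's StartTLS path
(start_tls = yes on the standard port, which the post mentions trying)
and demands a verified certificate.  The host name, base DN, filter and
CA file path are reused from the post; the instance names and the
assumption that the CA file contains the chain that issued the server's
certificate are mine.

```conf
# Added example (not from the original post or from the FreeRADIUS
# project).  FreeRADIUS 1.x rlm_ldap syntax, as used in the post.

# WEAK: encrypted, but the directory server is never authenticated.
# tls_require_cert = "never" maps to OpenLDAP's TLS_REQCERT never, so any
# certificate (expired, wrong name, self-signed, or no certificate at all)
# is accepted and tls_cacertfile is effectively unused.
ldap airbears-ldap-weak {
        server = "ldaps://our.ldap.server"
        identity =
        password =
        basedn = "ou=people,dc=berkeley, dc=edu"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        tls_cacertfile   = ${confdir}/certs/ourcertfile.crt
        tls_require_cert = "never"
}

# HARDENED: plain host name, StartTLS on 389, certificate verification
# required.  rlm_ldap issues the StartTLS extended operation before the
# (anonymous) bind, so the search never travels in the clear.
ldap airbears-ldap {
        server = "our.ldap.server"      # host name only, no URL scheme
        port = 389
        identity =                      # anonymous bind, as in the post
        password =
        basedn = "ou=people,dc=berkeley, dc=edu"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"

        start_tls = yes                 # upgrade the 389 connection to TLS
        # Assumption: this file holds the CA chain that signed the
        # directory server's certificate (PEM).
        tls_cacertfile   = ${confdir}/certs/ourcertfile.crt
        # "demand": the server must present a certificate that verifies
        # against tls_cacertfile and matches the name in "server";
        # otherwise the TLS handshake, and so the bind, fails.
        tls_require_cert = "demand"

        # Keep debugging on only while troubleshooting; -1 is very noisy
        # and logs bind details.
        ldap_debug = -1
}
```

To confirm the chain before pointing rlm_ldap at it, run the same
anonymous search the module performs with ldapsearch from the RADIUS
host, using -ZZ (StartTLS, fail if it cannot be negotiated) and the
environment variables LDAPTLS_CACERT pointing at the CA file and
LDAPTLS_REQCERT=demand; if that search succeeds, the certificate chain
and the client libraries are fine and any remaining failure is in the
rlm_ldap settings, not in TLS itself.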