disable LDAP referrals not working

Arran Cudbard-Bell a.cudbardb at freeradius.org
Fri Aug 12 10:33:07 CEST 2016


> On 12 Aug 2016, at 10:27, tirili at web.de wrote:
> 
>   I have /etc/openldap/ldap.conf
> 
>   TLS_CACERTDIR /etc/openldap/cacerts
>   SASL_NOCANON    on
>   URI  ldaps://dcdc0011.domain.local:636
>   ldaps://dcdc0021.domain.local:636
>   SCOPE one
>   BASE dc=domain,dc=local
>   REFERRALS off
> 
>   Freeradius ldap tells
> 
>   TLS: hostname (DomainDnsZones.domain.local) does not match common name
>   in certificate (dcdc0020.domain.local).
>   TLS: can't connect: TLS: hostname does not match CN in peer
>   certificate.
>   Unable to chase referral
>   "ldaps://DomainDnsZones.domain.local/DC=DomainDnsZones,DC=domain,DC=loc
>   al" (-1: Can't contact LDAP server)
>   TLS: hostname (ForestDnsZones.domain.local) does not match common name
>   in certificate (dcdc0020.domain.local).
>   TLS: can't connect: TLS: hostname does not match CN in peer
>   certificate.
>   Unable to chase referral
>   "ldaps://ForestDnsZones.domain.local/DC=ForestDnsZones,DC=domain,DC=loc
>   al" (-1: Can't contact LDAP server)
>   TLS: hostname (domain.local) does not match common name in certificate
>   (dcdc0011.domain.local).
>   TLS: can't connect: TLS: hostname does not match CN in peer
>   certificate.
>   Unable to chase referral
>   "ldaps://domain.local/CN=Configuration,DC=domain,DC=local" (-1: Can't
>   contact LDAP server)
> 
>   Why is REFERRALS off not taken into account, or
>   how can this referral chasing be disabled?

Because until very recently the config parser didn’t have a way of indicating that a configuration item wasn’t set, and so it always used FreeRADIUS defaults.

There’s a config option to disable referrals in raddb/mods-available/ldap; you should use that to disable the referrals for now…
-Arran
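The module-level setting Arran refers to, shown as an added example rather than text from the thread: rlm_ldap sets referral chasing on its own connections from its module config, which is why the REFERRALS line in /etc/openldap/ldap.conf has no effect. Server name, port and base DN are copied from the question; the bind identity, password and CA path are placeholders, and the section layout assumes FreeRADIUS 3.x raddb/mods-available/ldap syntax.

```conf
# raddb/mods-available/ldap (FreeRADIUS 3.x); only the parts relevant to
# the thread are shown.
ldap {
        server = 'ldaps://dcdc0011.domain.local'
        port = 636
        identity = 'CN=radius-bind,OU=Service Accounts,DC=domain,DC=local'   # placeholder
        password = 'REPLACE_ME'                                              # placeholder
        base_dn = 'dc=domain,dc=local'

        options {
                # rlm_ldap applies this setting itself, so the REFERRALS line
                # in /etc/openldap/ldap.conf is never consulted. Turning it
                # off here stops the module from following the
                # DomainDnsZones / ForestDnsZones / domain.local referrals
                # that produced the "hostname does not match CN" errors.
                chase_referrals = no
                rebind = no
        }

        tls {
                # Keep certificate verification strict. The errors in the
                # question are the TLS hostname check working as intended
                # against referral targets whose names are not in the DC
                # certificate; the fix is to stop chasing referrals, not to
                # relax 'demand'.
                ca_path = '/etc/openldap/cacerts'   # placeholder, matches TLS_CACERTDIR above
                require_cert = 'demand'
        }
}
```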

