LDAP + SASL Freeradius 3.0.11
mbeckler at overturecenter.org
Tue May 17 21:34:58 CEST 2016
From: Isaac Boukris [mailto:iboukris at gmail.com]
Sent: Sunday, May 15, 2016 12:12 PM
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: LDAP + SASL Freeradius 3.0.11
>The client keytab is used to init credentials automatically into the ccache instead of having to run 'kinit' manually.
>If you have already initialized krb credentials then it should work even without a keytab and its environment variable.
>I suspect something is the matter with the linked ldap/sasl libraries so I'd suggest to try and compare 'ldd' output on both ldapsearch and radiusd binaries.
>If you have selinux / apparmor try to disable them as they might prevent access to the ccache file (klist will show the ccache in use, it should be accessible to radiusd).
>Here is how the output looks like on my system with identity commented out (3.1.x git head):
>rlm_ldap (ldap) - Connecting to ldap://ms.frenche.cp:389
>rlm_ldap (ldap) - Starting SASL mech(s): GSSAPI
>SASL/GSSAPI authentication started
>SASL username: anna at FRENCHE.CP
>SASL SSF: 56
>SASL data security layer installed.
>rlm_ldap (ldap) - Bind successful
So I built from git, so now I'm on 3.1.x. However, I still got the error. This time I ran with -Xx and got a bit more output:
I tried removing apparmor and still nothing.
But I finally got it to bind!
It must be some permissions issue.
So in recap:
sudo kinit ldaplookup
sudo freeradius -X
I receive an error.
If I do this I get a successful bind!
sudo -H -u freerad kinit ldaplookup
sudo -H -u freerad freeradius -X
That narrows things down to the fact that it is something with permissions. Although at this point I'm not sure yet where the permission issue lies.
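An added check, not from the thread, for the failure mode described above: it tests whether the Kerberos credential cache file (the path klist reports) is owned by the account radiusd runs as and is mode 0600, which is what a root-run kinit gets wrong. The service user name freerad and the cache path are assumptions.

```shell
#!/bin/sh
# Added example: verify a Kerberos ccache file is usable by the radiusd
# service account. Assumed service user: freerad. Assumed ccache path: the
# FILE: path printed by 'klist' (e.g. /tmp/krb5cc_<uid>).

# ccache_check USER CCACHE_PATH
# Prints a one-line verdict and returns 0 only when USER can use the cache.
ccache_check() {
    user="$1"
    path="$2"
    if [ ! -f "$path" ]; then
        echo "no ccache at $path: run 'sudo -H -u $user kinit <principal>' or configure a keytab"
        return 1
    fi
    # Owner and octal mode; GNU stat (-c) and BSD stat (-f) differ.
    if stat -c '%U %a' "$path" >/dev/null 2>&1; then
        set -- $(stat -c '%U %a' "$path")
    else
        set -- $(stat -f '%Su %Lp' "$path")
    fi
    owner="$1"
    mode="$2"
    if [ "$owner" != "$user" ]; then
        echo "ccache $path is owned by $owner, not $user: kinit was run as the wrong user"
        return 1
    fi
    # A credential cache should be readable by its owner only.
    case "$mode" in
        600) echo "ccache $path is owned by $user with mode 0600: usable"; return 0 ;;
        *)   echo "ccache $path is owned by $user but mode is $mode (expected 600)"; return 1 ;;
    esac
}

# Typical invocation on the system from the thread (path is an assumption):
# ccache_check freerad /tmp/krb5cc_freerad
```

Run it as root after the kinit step; if the verdict names root as the owner, the cache was initialised under the wrong account, which matches the sudo -H -u freerad result in the thread.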