<div dir="ltr"><div><div><div>Hi.<br><br></div>I'm having trouble setting up an rlm_ldap module.<br><br></div>FR version is 3.0.0<br><br></div>Trimmed output from radiusd -X:<br><br><font size="1"><span style="font-family:courier new,monospace">radiusd: #### Instantiating modules ####<br>
instantiate {<br> }<br> modules {<br> # Loaded module rlm_ldap<br> # Instantiating module "ldap_xxxxxx" from file /usr/local/etc/raddb/mods-enabled/ldap_xxxxxx<br> ldap ldap_xxxxxx {<br> server = "<a href="http://ldap.example.org">ldap.example.org</a>"<br>
port = 636<br> password = "whocares"<br> identity = "<a href="mailto:someuser@example.org">someuser@example.org</a>"<br> user {<br> filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"<br>
scope = "sub"<br> base_dn = "dc=example,dc=org"<br> access_positive = yes<br> }<br> group {<br> filter = "(objectClass=posixGroup)"<br> scope = "sub"<br>
base_dn = "dc=example,dc=org"<br> name_attribute = "cn"<br> membership_attribute = "memberOf"<br> cacheable_name = no<br> cacheable_dn = no<br> }<br> client {<br>
scope = "sub"<br> attribute {<br> identifier = "host"<br> shortname = "cn"<br> }<br> }<br> profile {<br> filter = "(&)"<br> }<br> options {<br>
ldap_debug = 40<br> chase_referrals = no<br> rebind = yes<br> net_timeout = 3<br> res_timeout = 20<br> srv_timelimit = 20<br> idle = 60<br> probes = 3<br> interval = 3<br>
}<br> tls {<br> ca_file = "/usr/local/etc/raddb/certs/ca.example.org.pem"<br> start_tls = no<br> require_cert = "demand"<br> }<br> }<br> accounting {<br> reference = "."<br>
}<br> post-auth {<br> reference = "."<br> }<br>rlm_ldap (ldap_xxxxxx): Initialising connection pool<br> pool {<br> start = 4<br> min = 2<br> max = 6<br> spare = 2<br> uses = 0<br>
lifetime = 0<br> cleanup_delay = 5<br> idle_timeout = 60<br> spread = no<br> }<br>rlm_ldap (ldap_xxxxxx): Opening additional connection (0)<br>rlm_ldap (ldap_xxxxxx): Connecting to <a href="http://ldap.example.org:636">ldap.example.org:636</a><br>
rlm_ldap (ldap_xxxxxx): Bind with <a href="mailto:someuser@example.org">someuser@example.org</a> to <a href="http://ldap.example.org:636">ldap.example.org:636</a> failed: Can't contact LDAP server<br>rlm_ldap (ldap_xxxxxx): Opening connection failed (0)<br>
rlm_ldap (ldap_xxxxxx): Removing connection pool<br>/usr/local/etc/raddb/mods-enabled/ldap_xxxxxx[8]: Instantiation failed for module "ldap_xxxxxx"</span></font><br clear="all"><div><div><div><div><div><br></div>
<div><br>FR is able to bind with the LDAP server only if <span style="font-family:courier new,monospace">require_cert</span> is set to <span style="font-family:courier new,monospace">"never"</span>, which makes me believe this is a certificate verification issue.<br>
<br></div><div>I tried a manual connection with openssl using<br></div><div><font size="1"><span style="font-family:courier new,monospace">openssl s_client -connect <a href="http://ldap.example.org:636">ldap.example.org:636</a> -CAfile /usr/local/etc/raddb/certs/ca.example.org.pem -debug</span></font><br>
</div><div></div><div>which shows <span style="font-family:courier new,monospace">Verify return code: 0 (ok)</span><br></div><div><br></div><div>The module is being called in sites-enabled/default:<br></div><div><span style="font-family:courier new,monospace">authorize {<br>
....<br></span></div><div><span style="font-family:courier new,monospace"> -ldap_xxxxx<br>....<br>}</span><br></div><div><br></div><div>BTW: Why the "-" before the module name?<br></div><div><br></div><div>TIA<br>
</div><br></div></div></div></div></div>
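<div>Added diagnostic, not part of the post above (the throwaway CA and the test certificates it generates are constructed, standing in for ca.example.org.pem and the real server certificate): an openssl s_client run like the one above reports only the chain result unless it is given -verify_hostname, whereas libldap with require_cert = "demand" also requires the certificate's CN/SAN to match the name used in server. This script runs both checks with openssl verify so a hostname mismatch is reported separately from a chain failure.</div>

```sh
#!/bin/sh
# Added diagnostic, not from the post: run the two checks libldap applies under
# require_cert = "demand" (chain validity against the CA file, then hostname
# match against the certificate's CN/SAN) so each failure is reported by name.
set -eu

# check_ldap_cert CA_FILE SERVER_CERT HOSTNAME
# Returns 0 if SERVER_CERT chains to CA_FILE and names HOSTNAME, 1 otherwise.
check_ldap_cert() {
    ca="$1"; cert="$2"; host="$3"
    if ! out=$(openssl verify -CAfile "$ca" "$cert" 2>&1); then
        echo "chain:    FAIL -> $out"; return 1
    fi
    echo "chain:    ok"
    if ! out=$(openssl verify -CAfile "$ca" -verify_hostname "$host" "$cert" 2>&1); then
        echo "hostname: FAIL ($host not in CN/SAN) -> $out"; return 1
    fi
    echo "hostname: ok"
}

# fetch_server_cert HOST PORT OUTFILE
# Save the leaf certificate the server presents, as seen by s_client.
fetch_server_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -out "$3"
}

# make_test_certs DIR
# Constructed test material (stands in for ca.example.org.pem and the real
# server certificate): a throwaway CA plus a leaf cert for ldap.example.org.
make_test_certs() {
    d="$1"
    printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' >"$d/ca.cnf"
    openssl req -x509 -config "$d/ca.cnf" -extensions ca -newkey rsa:2048 -nodes \
        -days 1 -subj "/CN=Test CA" -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1
    openssl req -config "$d/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=ldap.example.org" \
        -keyout "$d/srv.key" -out "$d/srv.csr" >/dev/null 2>&1
    printf 'subjectAltName=DNS:ldap.example.org\n' >"$d/ext.cnf"
    openssl x509 -req -days 1 -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -extfile "$d/ext.cnf" -out "$d/srv.pem" >/dev/null 2>&1
}

# Live usage (needs network):
#   fetch_server_cert ldap.example.org 636 /tmp/srv.pem
#   check_ldap_cert /usr/local/etc/raddb/certs/ca.example.org.pem /tmp/srv.pem ldap.example.org
```

Against a live server, compare the hostname check's result with the exact value of the server setting in the ldap module; the chain result should match the s_client output already seen.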