<div dir="ltr"><div><div><div>Hi.<br><br></div>I'm having trouble setting up an rlm_ldap module.<br><br></div>FR version is 3.0.0<br><br></div>Trimmed output from radiusd -X:<br><br><font size="1"><span style="font-family:courier new,monospace">radiusd: #### Instantiating modules ####<br>
 instantiate {<br> }<br> modules {<br> # Loaded module rlm_ldap<br> # Instantiating module "ldap_xxxxxx" from file /usr/local/etc/raddb/mods-enabled/ldap_xxxxxx<br> ldap ldap_xxxxxx {<br>    server = "<a href="http://ldap.example.org">ldap.example.org</a>"<br>
    port = 636<br>    password = "whocares"<br>    identity = "<a href="mailto:someuser@example.org">someuser@example.org</a>"<br>  user {<br>     filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"<br>
     scope = "sub"<br>     base_dn = "dc=example,dc=org"<br>     access_positive = yes<br>  }<br>  group {<br>     filter = "(objectClass=posixGroup)"<br>     scope = "sub"<br>
     base_dn = "dc=example,dc=org"<br>     name_attribute = "cn"<br>     membership_attribute = "memberOf"<br>     cacheable_name = no<br>     cacheable_dn = no<br>  }<br>  client {<br>
     scope = "sub"<br>   attribute {<br>      identifier = "host"<br>      shortname = "cn"<br>   }<br>  }<br>  profile {<br>     filter = "(&)"<br>  }<br>  options {<br>
     ldap_debug = 40<br>     chase_referrals = no<br>     rebind = yes<br>     net_timeout = 3<br>     res_timeout = 20<br>     srv_timelimit = 20<br>     idle = 60<br>     probes = 3<br>     interval = 3<br>
  }<br>  tls {<br>     ca_file = "/usr/local/etc/raddb/certs/ca.example.org.pem"<br>     start_tls = no<br>     require_cert = "demand"<br>  }<br> }<br>  accounting {<br>     reference = "."<br>
  }<br>  post-auth {<br>     reference = "."<br>  }<br>rlm_ldap (ldap_xxxxxx): Initialising connection pool<br>  pool {<br>     start = 4<br>     min = 2<br>     max = 6<br>     spare = 2<br>     uses = 0<br>
     lifetime = 0<br>     cleanup_delay = 5<br>     idle_timeout = 60<br>     spread = no<br>  }<br>rlm_ldap (ldap_xxxxxx): Opening additional connection (0)<br>rlm_ldap (ldap_xxxxxx): Connecting to <a href="http://ldap.example.org:636">ldap.example.org:636</a><br>
rlm_ldap (ldap_xxxxxx): Bind with <a href="mailto:someuser@example.org">someuser@example.org</a> to <a href="http://ldap.example.org:636">ldap.example.org:636</a> failed: Can't contact LDAP server<br>rlm_ldap (ldap_xxxxxx): Opening connection failed (0)<br>
rlm_ldap (ldap_xxxxxx): Removing connection pool<br>/usr/local/etc/raddb/mods-enabled/ldap_xxxxxx[8]: Instantiation failed for module "ldap_xxxxxx"</span></font><br clear="all"><div><div><div><div><div><br></div>
<div><br>FR is able to bind with the LDAP server only if <span style="font-family:courier new,monospace">require_cert</span> is set to <span style="font-family:courier new,monospace">"never"</span>, which makes me believe this is a certificate verification issue.<br>
<br></div><div>I tried to do a manual connect using openssl using<br></div><div><font size="1"><span style="font-family:courier new,monospace">openssl s_client -connect <a href="http://ldap.example.org:636">ldap.example.org:636</a> -CAfile /usr/local/etc/raddb/certs/ca.example.org.pem -debug</span></font><br>
</div><div>which shows a <span style="font-family:courier new,monospace">Verify return code: 0 (ok)</span><br></div><div><br></div><div>The module is being called in sites-enabled/default:<br></div><div><span style="font-family:courier new,monospace">authorize {<br>
....<br></span></div><div><span style="font-family:courier new,monospace">&nbsp;&nbsp;&nbsp; -ldap_xxxxx<br>....<br>}</span><br></div><div><br></div><div>BTW: Why the "-" before the module name?<br></div><div><br></div><div>TIA<br>
</div><br></div></div></div></div></div>
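The post narrows the failure down to certificate verification: the bind works with require_cert "never" and fails with "demand", yet openssl s_client reports a clean verify return code. A point worth checking is that s_client validates the chain but, unless given -verify_hostname, does not check that the server certificate's name matches ldap.example.org, while a "demand" client does both; and "never" is not a fix, because the bind identity and password would then travel over a TLS channel whose peer was never authenticated. The script below is an added example for this thread, not FreeRADIUS or libldap code. It reproduces the checks a "demand" client performs from outside radiusd, using Python's ssl module: it confirms the ca_file exists, is readable and parses as a PEM CA bundle, then connects to the LDAPS port with chain and hostname verification and reports which stage fails. The mapping from require_cert values to verification settings is this example's approximation of libldap's TLS_REQCERT semantics, and the function and variable names are its own.

```python
"""Reproduce rlm_ldap's TLS checks for a given require_cert level.

Added example for the mailing-list thread; not FreeRADIUS code.  The
require_cert -> verification mapping is an approximation of libldap's
TLS_REQCERT levels (never / allow / try / demand / hard).
"""
import os
import socket
import ssl
import sys

# "demand"/"hard" is the only level that validates the chain AND checks that
# the certificate's name matches the host we connected to.
_LEVELS = {
    "never":  (ssl.CERT_NONE,     False),
    "allow":  (ssl.CERT_OPTIONAL, False),
    "try":    (ssl.CERT_OPTIONAL, False),
    "demand": (ssl.CERT_REQUIRED, True),
    "hard":   (ssl.CERT_REQUIRED, True),
}


def context_for(require_cert, ca_file=None):
    """Build a client TLS context approximating one require_cert level."""
    try:
        verify_mode, check_hostname = _LEVELS[require_cert]
    except KeyError:
        raise ValueError(f"unknown require_cert value {require_cert!r}") from None
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # default: CERT_REQUIRED + hostname check
    ctx.check_hostname = check_hostname  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = verify_mode
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    return ctx


def verification_summary(require_cert):
    """Return (verify_mode_name, hostname_checked) for a require_cert level."""
    ctx = context_for(require_cert)
    return (ctx.verify_mode.name, ctx.check_hostname)


def check_ca_pem(pem_text, label="<inline>"):
    """Confirm PEM text is a loadable CA bundle; returns (ok, message)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cadata=pem_text)
    except ssl.SSLError as exc:
        return (False, f"{label}: not a loadable PEM CA bundle ({exc})")
    count = ctx.cert_store_stats()["x509_ca"]
    return (True, f"{label}: loaded {count} CA certificate(s)")


def check_ca_file(path):
    """check_ca_pem for a file, after confirming it exists and is readable by
    the current user (radiusd reads ca_file after dropping privileges)."""
    if not os.path.isfile(path):
        return (False, f"{path}: no such file")
    if not os.access(path, os.R_OK):
        return (False, f"{path}: not readable by this user")
    with open(path, encoding="ascii", errors="replace") as fh:
        return check_ca_pem(fh.read(), label=path)


def ldaps_probe(host, port, ca_file, require_cert="demand", timeout=5.0):
    """Connect to an LDAPS port the way rlm_ldap would and report the failing
    stage.  Unlike plain `openssl s_client`, this also checks the hostname."""
    ok, msg = check_ca_file(ca_file)
    if not ok:
        return {"ok": False, "stage": "ca_file", "detail": msg}
    ctx = context_for(require_cert, ca_file)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                # With require_cert=never the peer cert is not validated and
                # getpeercert() is empty: nothing proves who we talked to.
                cert = tls.getpeercert() or {}
                return {"ok": True, "stage": "done",
                        "detail": f"{tls.version()} to {host}:{port}",
                        "subject": cert.get("subject"),
                        "san": cert.get("subjectAltName")}
    except ssl.SSLCertVerificationError as exc:
        # Untrusted chain and name mismatch both land here.
        return {"ok": False, "stage": "certificate verification",
                "detail": getattr(exc, "verify_message", str(exc))}
    except ssl.SSLError as exc:
        return {"ok": False, "stage": "tls handshake", "detail": str(exc)}
    except OSError as exc:
        return {"ok": False, "stage": "tcp connect", "detail": str(exc)}


if __name__ == "__main__":
    # usage: python3 ldaps_probe.py HOST PORT CA_FILE [require_cert]
    host, port, ca = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    level = sys.argv[4] if len(sys.argv) > 4 else "demand"
    print(ldaps_probe(host, port, ca, level))
```

Run it as the radiusd user (for example via sudo -u) with the same ca_file path the module uses; a "ca_file" stage failure points at permissions or a non-PEM bundle, while a "certificate verification" stage failure whose detail mentions a hostname mismatch means the server certificate is issued to a different name than the one in the server directive, which s_client's verify return code alone does not reveal.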