On Dec 8, 2020, at 8:33 AM, Matt Zagrabelny via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I am having trouble getting FR to bind to LDAP (AD). I believe the issue is with TLS and the CA's, but I am not sure. Any help verifying the problem and finding a solution would be very appreciated.
Here's the version:
None of that really matters.
$ echo | openssl s_client -connect ad.umn.edu:636 | grep 'Verification: OK' depth=1 DC = edu, DC = umn, DC = ad, CN = OIT-CA1-ADRCA verify return:1 depth=0 CN = dc-tc1.ad.umn.edu verify return:1 Verification: OK DONE
That's good.
Also, ldapsearch executes successfully when the authority cert is added to the ca-certificates for the system, but fails when the cert is not added to the ca-certificates. ldapsearch is linked against gnutls.
<sigh> RedHat idiocies. They've since switched back.
However, even with the cert added to the system list of ca-certificates, it appears FR (at least the LDAP component) is failing. Here is a snippet of "freeradius -X"
rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used rlm_ldap (ldap): Connecting to ldaps://ad.umn.edu:636 TLS: can't connect: (unknown error code).
That seems definitive. The issue is RedHat. They've linked libldap against GNUTLS, which is *not* compatible with OpenSSL. FreeRADIUS tries to use OpenSSL, and then bad things happen. Drop the crappy RedHat packages, and go with working ones. See our web site for more details: https://networkradius.com/packages/ Alan DeKok.