On 10 Mar 2015, at 13:48, Stefan Paetow <Stefan.Paetow@jisc.ac.uk> wrote:
TLS: could not shutdown NSS - error -8053:NSS could not shutdown. Objects are still in use.. rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase "spare" rlm_ldap (ldap): Opening additional connection (7), 1 of 32 pending slots used rlm_ldap (ldap): Connecting to ldap://ldap.example.com:636 TLS: could not find the slot for the certificate '/etc/raddb/certs/ldap-ca.pem' - error -8127:The security card or token does not exist, needs to be initialized, or has been removed.. TLS: /etc/raddb/certs/ldap-ca.pem is not a valid CA certificate file - error -8127:The security card or token does not exist, needs to be initialized, or has been removed.. TLS: could not perform TLS system initialization. TLS: error: could not initialize moznss security context - error -8127:The security card or token does not exist, needs to be initialized, or has been removed. TLS: can't create ssl handle. rlm_ldap (ldap): Bind with cn=Radius,o=Example,c=XX to ldap://ldap.example.com:636 failed: Can't contact LDAP server TLS: could not shutdown NSS - error -8053:NSS could not shutdown. Objects are still in use.. rlm_ldap (ldap): Opening connection failed (7) (28) [ldap] = fail
I've seen this at STFC before... but despite my prodding, this was not raised on the list. :-/
OpenLDAP built against NSS is not compatible with rlm_ldap when used with Start TLS or LDAPS, see here: https://github.com/FreeRADIUS/freeradius-server/pull/866 It's not something that can be fixed our side. The OpenLDAP guys say they're not responsible for the NSS bindings. It's an issue you'll need to raise with Redhat. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2