Hi, no, in normal mode, radiusd actually really crashes: the daemon gets killed and I've to restart it again (no id with "ps aux"... and script doesn't stop it 'cause it's not started...). That log line is the only trace it gives before crash. But when I run radiusd with "-X" option, it doesn't crash... (???) and gives this lines (I've cut data): rlm_ldap: - authorize rlm_ldap: performing user authorization for XXXXXX radius_xlat: '(cn=XXXXXX)' radius_xlat: 'ou=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldaps://XXXXXXXXXXXXXXXXXX, authentication 0 rlm_ldap: setting TLS Require Cert to never rlm_ldap: setting TLS Cert File to ./certs/XXXXXXcacert.pem rlm_ldap: bind as XXXXXXXXXXXXXXXXXXXXXXXX/XXXXXX to ldaps://XXXXXXXXXXXXXXXXXX rlm_ldap: cn=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX bind to ldaps://XXXXXXXXXXXXXXXXXX failed: Can't contact LDAP server rlm_ldap: (re)connection attempt failed rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns fail for request 5 modcall: group authorize returns fail for request 5 Finished request 5 The same configuration of user, proxy ldap user (bind as...), and server runs smoothly, the only differences are: server = "ldaps://XXXXXXXXXXXXXXX" (I tried to use this instead of port=636, but the result is the same) tls_certfile = ./certs/XXXXXcacert.pem tls_require_cert = "never" I left the rest unchanged. (Maybe some of these "*time*" options in ldap section are important?). The test was made with "echo "User-Name = XXXXX" | radclient localhost auth XXXXX". If I make a "telnet XXXXXXXXXXXXXXX 636", the connection isn't refused, so the port is open, as it's also 389. I haven't an ldapclient in that machine, but I've sucessfully contacted this LDAPS server from another machine with ldapbrowser or softerra clients. I've checked config log written when I compiled radius, in order to see if it found ldap and openssl sources correctly, and all options I've seen for them are passed with "yes", and the "make" didn't complain... Are my options for LDAPS against ActiveDirectory correct? thank you very much for your time.
Message: 5 Date: Wed, 15 Jun 2005 12:54:42 -0400 From: "Alan DeKok" <aland@ox.org> Subject: Re: problem with freeradius and ldaps (Active Directory) To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <20050615165442.6E00F16D00@mail.nitros9.org>
"Roberto S. G." <roberto.santos@unileon.es> wrote:
But I'm not able to obtain any response. In fact, the freeradius crashes with just a:
rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:1074, id=88, length=29 Discarding duplicate request from client localhost:1074 - ID: 88
It's not a crash. It's telling you that it's still processing the previous request.
Has anyone sucessfully configured freeradius against an Active Directory with LDAPS?
Yes.
Run the server in debugging mode to see where it hangs.
Alan DeKok.
"Roberto S. G." <roberto.santos@unileon.es> wrote:
no, in normal mode, radiusd actually really crashes
The log messages you posted before did not show this.
Are my options for LDAPS against ActiveDirectory correct?
I think so. I haven't used it myself. See 'doc/bugs' for a description of what to do on crashes. Alan DeKok.
participants (2)
-
Alan DeKok -
Roberto S. G.