rlm_ldap: could not start TLS

Paulo Cabrita pjc at ual.pt
Mon Apr 3 11:36:22 CEST 2006


Hi.

I had the same problem with the same version of freeradius when 
authenticating to an OpenLDAP.

Check this (it worked for me):
- verify your TLS configuration: you must use the same name as the 
certificate. For instance, don't use the IP address when it is expecting the 
DNS name.
- verify that your ldap library has TLS support: I used OpenLDAP's 
library without tls and had the same problem.
- configure and compile freeradius with the open-ssl flags: point to the 
openssl that you want/need.

Marc Delisle wrote:

> George C. Kaplan wrote:
>
>>
>> On Apr 1, 2006, at 5:28 AM, Marc Delisle wrote:
>>
>>> Hi,
>>>
>>> I'm trying to make freeradius 1.1.0 contact a LDAP server.
>>> I configured freeradius --with-edir.
>>>
>>> The error I get is
>>> "rlm_ldap: could not start TLS Can't contact LDAP server"
>>>
>>> I followed this document
>>> http://www.novell.com/coolsolutions/tip/15922.html
>>>
>>> except that in my case, the LDAP server is on Netware 6.5 SP5.
>>>
>>> On this Netware server, LDAP responds correctly over SSL, as tested 
>>> with  Novell's ldapsearch on port 636.
>>
>>
>> I had a problem similar to this:  'ldapsearch' worked, but Freeradius 
>> couldn't make an LDAP connection with TLS.  It turns out that my 
>> system had two versions of the openssl library, and radiusd was 
>> linking to the wrong version.  It was kind of confusing, since the 
>> rlm_ldap module was linked to the correct library (in 
>> /usr/local/lib), but radiusd was linked to the one in /usr/lib, and 
>> that's the one that got loaded at run time.
>>
>> I ended up setting --with-openssl-includes and 
>> --with-openssl-libraries in the Makefile for the port (I'm using 
>> FreeBSD 5.4), and that solved the problem.
>>
>> --George C. Kaplan                            gckaplan at ack.berkeley.edu
>> Communication & Network Services            510-643-0496
>> University of California at Berkeley
>
>
> Thanks George for your answer. I checked: both radiusd and 
> rlm_ldap-1.1.0.so are linked to /usr/lib/libssl.so.0.9.7. I am on Linux.
>
> Should this version (openssl 0.9.7e) work?
>
> Marc Delisle
>

-- 

Regards,

------------------------------------
|Paulo Cabrita, Msc                |
|Director of the Computing Centre  |
|of Universidade Autónoma de Lisboa|
|Tel: +351-213177635               |
|Fax: +351-213533702               |
|E-mail: pjc at ual.pt                |
------------------------------------
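
The two library checks discussed in this thread (does the LDAP module resolve a libssl at all, and do radiusd and the module resolve the same OpenSSL files), as an added example that is not part of the original messages. The function names and the sample ldd output are constructed for illustration; the paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: compare the OpenSSL libraries two binaries resolve to.
# Real use (placeholder paths, adjust to your install):
#   compare_ssl_linkage "$(ldd /path/to/radiusd)" "$(ldd /path/to/rlm_ldap.so)"

# Constructed ldd output: daemon resolves OpenSSL in /usr/lib ...
SAMPLE_RADIUSD='    libssl.so.3 => /usr/lib/libssl.so.3 (0x28112000)
    libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x28140000)
    libc.so.5 => /lib/libc.so.5 (0x28230000)'
# ... while the module resolves a different copy in /usr/local/lib.
SAMPLE_MODULE='    libldap.so.2 => /usr/local/lib/libldap.so.2 (0x28301000)
    libssl.so.4 => /usr/local/lib/libssl.so.4 (0x28340000)
    libcrypto.so.4 => /usr/local/lib/libcrypto.so.4 (0x28370000)'

# Read ldd output on stdin; print "libssl|libcrypto <resolved path>" per line.
ssl_libs() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" && $3 ~ /^\// {
             name = $1; sub(/\.so.*/, "", name); print name, $3 }' | sort -u
}

# $1 = ldd output of the daemon, $2 = ldd output of the LDAP module.
# Prints NO_TLS (module resolves no libssl, returns 2),
# MISMATCH (same library resolved to different files, returns 1),
# or MATCH (returns 0). Conflict details go to stderr.
compare_ssl_linkage() {
    daemon_libs=$(printf '%s\n' "$1" | ssl_libs)
    module_libs=$(printf '%s\n' "$2" | ssl_libs)
    if ! printf '%s\n' "$module_libs" | grep -q '^libssl '; then
        echo "NO_TLS"; return 2
    fi
    conflicts=$(printf '%s\n%s\n' "$daemon_libs" "$module_libs" | awk '
        NF == 2 { if (($1 in seen) && seen[$1] != $2)
                      print $1 ": " seen[$1] " vs " $2
                  seen[$1] = $2 }')
    if [ -n "$conflicts" ]; then
        echo "MISMATCH"; printf '%s\n' "$conflicts" >&2; return 1
    fi
    echo "MATCH"
}

# Demo on the constructed samples: prints MISMATCH plus the conflicting paths.
compare_ssl_linkage "$SAMPLE_RADIUSD" "$SAMPLE_MODULE" || true
```

A MISMATCH result means the copy loaded first by the daemon is the one used at run time, whatever the module was linked against.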




