Redundant ldap's bug?

Alan DeKok aland at ox.org
Wed Apr 5 19:06:36 CEST 2006


Paulo Cabrita <pjc at ual.pt> wrote:
> I made a little more debug on this matter and I discovered that the 
> error is that FR doesn't like the CA:
> 
...
> TLS certificate verification: Error, self signed certificate
> TLS trace: SSL3 alert write:fatal:unknown CA

  That's an SSL error.  FreeRADIUS has little control over it.

  FreeRADIUS is calling the LDAP client library, and asking it to use
a particular CA for one ldap instance.  FreeRADIUS does that again for
the other ldap instance.  My guess is that the LDAP client library, or
OpenSSL, over-writes the first CA with the second one.

  You should be able to verify this by listing the master & slave ldap
names in the "instantiate" section.  That forces the server to
initialize the modules in a particular order.

  Then, test the server.  You should see that the *first* module
listed in "instantiate" fails, and the second succeeds.  Stop the
server, and swap the order in the "instantiate" section.  You should
again see that the first listed one fails, and the second succeeds.

  If that happens, it's either a bug in the OpenLDAP client libraries,
or in OpenSSL.  I'm not sure there's anything you can do to FreeRADIUS
to fix it.

  The only option to make it work is to have both certs signed by the
same CA.  In that case, it doesn't matter that the first gets
over-written by the second, because they're both the same.

  Alan DeKok.
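To run the ordering check described above, here is an added radiusd.conf fragment (it is not from the thread or from the FreeRADIUS project): the instance names, hostnames and certificate paths are placeholders, and the `tls_*` option names are assumed to be those of the FreeRADIUS 1.x rlm_ldap module.

```conf
# Two ldap instances, each pointing at a CA file that signed only
# that server's certificate (placeholder paths and hostnames).
modules {
    ldap ldap_master {
        server           = "ldap-master.example.invalid"
        identity         = "cn=radius,dc=example,dc=invalid"
        password         = "CHANGE_ME"
        basedn           = "dc=example,dc=invalid"
        start_tls        = yes
        tls_cacertfile   = /etc/raddb/certs/ca-master.pem
        tls_require_cert = "demand"
    }

    ldap ldap_slave {
        server           = "ldap-slave.example.invalid"
        identity         = "cn=radius,dc=example,dc=invalid"
        password         = "CHANGE_ME"
        basedn           = "dc=example,dc=invalid"
        start_tls        = yes
        tls_cacertfile   = /etc/raddb/certs/ca-slave.pem
        tls_require_cert = "demand"
    }
}

# Force the initialisation order.  If a global CA setting is being
# overwritten, the first instance listed here fails with
# "unknown CA" and the second succeeds; swapping the two names
# below should move the failure to the other instance.
instantiate {
    ldap_master
    ldap_slave
}

# If both servers were signed by the same CA, both instances could
# share one tls_cacertfile and the overwrite would be harmless.
```

Run the server in debug mode (`radiusd -X`) after each swap and compare which instance logs the TLS verification error.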
