authenticating to ldaps/tls

Peter Param pparam at
Thu Feb 12 00:30:40 CET 2009

Hi all,

I'm trying to authenticate to a LDAPS backend but failing.  Any suggestions?

My freeradius version:

radiusd: FreeRADIUS Version 2.1.1, for host i686-pc-linux-gnu, built on Nov 21
2008 at 07:54:33

My ldap module settings:

ldap people_search {
                server = ""
                port = 636
                identity = "cn=admin,o=org,c=au"
                password = ***
                filter = "(cn=%u)"
                basedn = "ou=people,ou=darlinghurst,ou=nsw,o=schs,c=au"
                tls {
                        tls_mode = yes
                        # to the LDAP database by using the StartTLS extended
                        # operation.
                        # The StartTLS operation is supposed to be
                        # used with normal ldap connections instead of
                        # using ldaps (port 689) connections
                        start_tls = yes
                        cacertfile    =
/etc/openssl/certs/SVMHS_CA_SSL_Server.cer <note: chained CA cert>
                        cacertdir     = /etc/openssl/certs/
                        #certfile      = /etc/openssl/certs/spud-jr.cer
                        # keyfile               = /path/to/radius.key
                        # randfile              = /path/to/rnd

                        #  Certificate Verification requirements.  Can be:
                        #    "never" (don't even bother trying)
                        #    "allow" (try, but don't fail if the cerificate
                        #               can't be verified)
                        #    "demand" (fail if the certificate doesn't verify.)
                        #       The default is "allow"
                        require_cert  = "allow"

-X output messages:

[people_search] performing user authorization for pparam
[people_search]         expand: (cn=%u) -> (cn=pparam)
[people_search]         expand: ou=people,ou=darlinghurst,ou=nsw,o=schs,c=au ->
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: could not set LDAP_OPT_X_TLS option Success
rlm_ldap: setting TLS CACert File to /etc/openssl/certs/SVMHS_CA_SSL_Server.cer
rlm_ldap: could not set LDAP_OPT_X_TLS_CACERTFILE option to
rlm_ldap: setting TLS CACert Directory to /etc/openssl/certs/
rlm_ldap: could not set LDAP_OPT_X_TLS_CACERTDIR option to /etc/openssl/certs/
rlm_ldap: starting TLS
rlm_ldap: ldap_start_tls_s()
rlm_ldap: could not start TLS Success
rlm_ldap: (re)connection attempt failed
[people_search] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[people_search] returns fail
Using Post-Auth-Type Reject
  WARNING: Unknown value specified for Post-Auth-Type.  Cannot perform requested
Delaying reject of request 0 for 1 seconds
Going to the next request

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote also confirms that this email message has been virus
scanned and although no viruses were detected by the system, St Vincents &
Mater Health Sydney accepts no liability for any consequential damage
resulting from email containing any computer viruses.


More information about the Freeradius-Users mailing list