Multiple ldaps (SSL) backends and only the first queried works. Possible bug?
Daniele Albrizio
albrizio at univ.trieste.it
Tue May 3 19:00:18 CEST 2011
I have two ldaps backends instantiated like this:

authorize {
    ...
    Autz-Type OPENLDAP {
        openldap
    }
    Autz-Type ADLDAP {
        adldap
    }
    ...
}

authenticate {
    ...
    Auth-Type OPENLDAP {
        openldap
    }
    Auth-Type ADLDAP {
        adldap
    }
    ...
}
The two modules are configured as follows using DIFFERENT issuing CAs...
ldap adldap {
    server = "ldaps://myAD.ds.units.it"
    identity = ...
    password = ...
    basedn = ...
    filter = "(samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})"
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
        start_tls = no
        cacertfile = /usr/local/etc/raddb/.../certs/ad_root_ca.pem
        require_cert = "demand"
    }
    ...
}

ldap openldap {
    server = "ldaps://myopenldap.units.it"
    identity = ...
    password = ...
    basedn = ...
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    ldap_connections_number = 5
    timeout = 5
    timelimit = 5
    net_timeout = 10
    tls {
        start_tls = no
        cacertfile = /etc/ssl/certs/AddTrust_External_Root.pem
        require_cert = "demand"
    }
    ...
}
Now, the problem is that once I start freeradius, the first connection
to an LDAP server goes straight through, while the second (to the other one) says:
ldap_create
ldap_url_parse_ext(ldaps://myAD.ds.units.it)
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP myAD.ds.units.it:636
ldap_new_socket: 32
ldap_prepare_socket: 32
ldap_connect_to_host: Trying yyy.yyy.yyy.yyy:636
ldap_pvt_connect: fd: 32 tm: 1 async: 0
ldap_ndelay_on: 32
ldap_int_poll: fd: 32 tm: 1
ldap_is_sock_ready: 32
ldap_ndelay_off: 32
ldap_pvt_connect: 0
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string
...and letting the first request go to the myAD server (soon after a
restart):
ldap_create
ldap_url_parse_ext(ldaps://myopenldap.units.it)
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP myopenldap.units.it:636
ldap_new_socket: 33
ldap_prepare_socket: 33
ldap_connect_to_host: Trying xxx.xxx.xxx.xxx:636
ldap_pvt_connect: fd: 33 tm: 10 async: 0
ldap_ndelay_on: 33
ldap_int_poll: fd: 33 tm: 10
ldap_is_sock_ready: 33
ldap_ndelay_off: 33
ldap_pvt_connect: 0
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string
I suspect the "cacertfile" attribute is not correctly re-instantiated
and only the value of the first request is used to check against when
instantiating a new ldaps connection.
Any suggestions?
--
Daniele ALBRIZIO - albrizio at univ.trieste.it