ldap tls in freeradius

Phil Mayers p.mayers at imperial.ac.uk
Sun Nov 6 10:52:04 CET 2011

On 11/06/2011 09:04 AM, Frank Skovboel wrote:
> Hi,
> I'm trying to authorize users in different ADs (2003 and 2008), but I
> keep running into an error I can't find anything on when I google it.
> For the purpose of the testing I have set the following in the ldap
> section: require_cert
> Freeradius tries to connect to the ldap server (2008), the connection
> fails and I get the following debug output.
> ============================ DEBUG =======================================
> [ldap_CustA] performing user authorization for MyAccount
> [ldap_CustA] expand: (&(sAMAccountName=%{User-Name})) ->
> (&(sAMAccountName=MyAccount))
> [ldap_CustA] expand: ou=OU1,ou=OU2,dc=domain,dc=local ->
> ou=OU1,ou=OU2,dc=domain,dc=local
> [ldap_CustA] ldap_get_conn: Checking Id: 0
> [ldap_CustA] ldap_get_conn: Got Id: 0
> [ldap_CustA] attempting LDAP reconnection
> [ldap_CustA] (re)connect to AD-IP-ADDRESS:636, authentication 0
> [ldap_CustA] setting TLS mode to 1
> [ldap_CustA] setting TLS CACert File to /etc/raddb/certs/ca.pem
> [ldap_CustA] setting TLS CACert Directory to /etc/raddb/certs/
> [ldap_CustA] setting TLS Require Cert to never
> [ldap_CustA] setting TLS Cert File to /etc/raddb/certs/server.crt
> [ldap_CustA] setting TLS Key File to /etc/raddb/certs/server.key
> [ldap_CustA] setting TLS Key File to /etc/raddb/certs/random

This is a logging bug in FreeRADIUS; the code seems to have been copied 
and pasted. It *is* setting the randfile option, but it's logging the 
wrong thing (key file). It can be ignored.

> [ldap_CustA] bind as user at domain.local/PASSWORD to
> TLS: could not add the certificate PEM Token #0:server.crt - 0 - error
> -8192:Unknown code ___f 0.
> TLS: error: could not initialize moznss security context - error
> -8192:Unknown code ___f 0

Well that's a new one on me.

Which version of FreeRADIUS are you using, on which OS? Which LDAP 
libraries are you linking against?

I'm guessing you're on a RedHat-based system, judging from the fact that 
the LDAP libraries seem to be using Mozilla NSS rather than OpenSSL under 
the hood?

Where did "server.crt" come from? I presume it's a copy of the LDAP 
server cert, signed by the CA in "ca.pem"? Do you need it? You can 
probably just give the CA cert, for a connection to an LDAP server.
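Added illustration, not from the original thread: the rlm_ldap `tls` subsection that would produce the debug lines quoted above, next to the minimal form a client connection to AD needs. It assumes the FreeRADIUS 2.x key names (`tls_mode`, and `cacertfile`, `cacertdir`, `certfile`, `keyfile`, `randfile`, `require_cert` inside `tls {}`), and the server name, bind DN, base DN and paths are placeholders taken from or modelled on the debug output. Two points a practitioner should take from it: `require_cert = "never"` switches off verification of the AD server's certificate entirely, so it must not survive past testing; and `certfile`/`keyfile` are for presenting a *client* certificate, which is why a copy of the server's own certificate there is both unnecessary and exactly the file NSS is choking on (the `-8192` in the error is NSS's `SEC_ERROR_IO`, i.e. it failed while loading `server.crt`, before any trust decision was made).

```conf
# Added example (not the project's shipped raddb/modules/ldap); key names as in
# FreeRADIUS 2.x rlm_ldap, values are placeholders from the quoted debug output.

# --- As implied by the debug output: testing setup, do not deploy -------------
ldap ldap_CustA {
	server   = "AD-IP-ADDRESS"
	port     = 636
	identity = "user@domain.local"
	password = "PASSWORD"
	basedn   = "ou=OU1,ou=OU2,dc=domain,dc=local"
	filter   = "(&(sAMAccountName=%{User-Name}))"

	tls_mode = yes                              # LDAPS on 636, not StartTLS
	tls {
		cacertfile   = /etc/raddb/certs/ca.pem
		cacertdir    = /etc/raddb/certs/
		certfile     = /etc/raddb/certs/server.crt  # client cert slot; a copy of the
		keyfile      = /etc/raddb/certs/server.key  # AD cert does not belong here
		randfile     = /etc/raddb/certs/random      # logged as "Key File" (logging bug)
		require_cert = "never"                      # no server cert verification at all
	}
}

# --- Corrected: trust the issuing CA, verify the server, no client cert --------
ldap ldap_CustA {
	server   = "ad.domain.local"     # placeholder; must match a name in the AD cert
	port     = 636                   # once verification is on (an IP usually won't)
	identity = "user@domain.local"
	password = "PASSWORD"
	basedn   = "ou=OU1,ou=OU2,dc=domain,dc=local"
	filter   = "(&(sAMAccountName=%{User-Name}))"

	tls_mode = yes
	tls {
		cacertfile   = /etc/raddb/certs/ca.pem   # CA that issued the AD cert: all a client needs
		require_cert = "demand"                  # fail the connection on an unverifiable cert
	}
}
```

Only add `certfile`/`keyfile` back if the AD side is configured to require client certificates, and then with a certificate issued to the RADIUS server and its own private key, not with a copy of the directory server's certificate.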

More information about the Freeradius-Users mailing list