Re: rlm_ldap (ldap): Could not start TLS: Connect error
Hachmer, Tobias
Tobias.Hachmer at stadt-frankfurt.de
Wed Dec 4 08:45:39 CET 2013
Hello Arran,
-----Original Message-----
From: freeradius-users-bounces+tobias.hachmer=stadt-frankfurt.de at lists.freeradius.org [mailto:freeradius-users-bounces+tobias.hachmer=stadt-frankfurt.de at lists.freeradius.org] On Behalf Of Arran Cudbard-Bell
Sent: Saturday, 30 November 2013 11:55
To: FreeRadius users mailing list
Subject: Re: rlm_ldap (ldap): Could not start TLS: Connect error
On 29 Nov 2013, at 23:06, Hachmer, Tobias <Tobias.Hachmer at stadt-frankfurt.de> wrote:
>> Well, will be back at work on Tuesday next week. Then I can test.
>Thanks. Let me know if you find any other issues, or have any feature requests.
Ok, I will come back to you regarding feature requests if I have more time ;-)
The LDAP connection via STARTTLS works now, thanks for that.
But the LDAP attribute mapping fails. I have built the current git state of branch v3.0.x:
radiusd: FreeRADIUS Version 3.0.1 (git #eef21a0), for host x86_64-redhat-linux-gnu, built on Dec 4 2013 at 08:11:53
My ldap attribute mapping at the moment:
update {
	reply:Idle-Timeout := 'radiusIdleTimeout'
	reply:Session-Timeout := 'radiusSessionTimeout'
	reply:Service-Type := 'radiusServiceType'
	request:Simultaneous-Use := 'radiusSimultaneousUse'
	request:Expiration := 'radiusExpiration'
	control:Auth-Type := 'radiusAuthType'
	# control:NT-Password := 'ntPassword'
	# reply:Reply-Message := 'radiusReplyMessage'
	# reply:Tunnel-Type := 'radiusTunnelType'
	# reply:Tunnel-Medium-Type := 'radiusTunnelMediumType'
	# reply:Tunnel-Private-Group-ID := 'radiusTunnelPrivategroupId'
}
The error from debug mode:
# Loaded module rlm_ldap
# Instantiating module "ldap" from file /etc/raddb/mods-enabled/ldap
  ldap {
  	server = "xxx"
  	port = 389
  	password = "xxx"
  	identity = "xxx"
  	valuepair_attribute = "radiusGenericItem"
  	read_clients = yes
   user {
   	filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(objectClass=radiusProfile))"
   	scope = "sub"
   	base_dn = "xxx"
   	access_attribute = "radiusAccountStatus"
   	access_positive = yes
   }
   group {
   	filter = "(objectClass=groupOfNames)"
   	scope = "sub"
   	base_dn = "xxx"
   	name_attribute = "cn"
   	membership_attribute = "memberOf"
   	membership_filter = "(member=%{control:Ldap-UserDn})"
   	cacheable_name = no
   	cacheable_dn = yes
   }
   client {
   	filter = "(objectClass=radiusClient)"
   	scope = "sub"
   	base_dn = "xxx"
    attribute {
    	identifier = "radiusClientIdentifier"
    	shortname = "radiusClientShortname"
    	nas_type = "radiusClientType"
    	secret = "radiusClientSecret"
    	virtual_server = "radiusClientVirtualServer"
    	require_message_authenticator = "radiusClientRequireMa"
    }
   }
   profile {
   	filter = "(objectclass=radiusObjectProfile)"
   	attribute = "radiusGroupName"
   	default = "xxx"
   }
   options {
   	ldap_debug = 597
   	chase_referrals = yes
   	rebind = yes
   	net_timeout = 1
   	res_timeout = 20
   	srv_timelimit = 20
   	idle = 60
   	probes = 3
   	interval = 3
   }
   tls {
   	ca_file = "/etc/raddb/certs/rootca_cert.pem"
   	start_tls = yes
   	require_cert = "demand"
   }
  }
  accounting {
  	reference = "%{tolower:type.%{Acct-Status-Type}}"
  }
  post-auth {
  	reference = "."
  }
/etc/raddb/mods-enabled/ldap[63]: Unknown value 'radiusIdleTimeout' for attribute 'Idle-Timeout'
/etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap"
I also left a comment on the corresponding github issue.
Thanks in advance,
Tobias Hachmer
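As an added triage helper (not part of this thread and not FreeRADIUS code), the script below parses an rlm_ldap `update { }` map block and the server's debug output, and correlates each "Unknown value '...' for attribute '...'" line with the map entry that names that LDAP attribute. The error text says the quoted right-hand side was treated as a literal value of the RADIUS attribute rather than as a directory attribute name; the script only reports which entry and which list (reply/request/control) is involved and separately lists entries that write into the control: list, since those (here Auth-Type) let a directory attribute steer authentication and are worth reviewing when a map changes. The sample map and debug lines are constructed from the post; the function and field names are the script's own.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the update {} map and the two debug lines from the post.
SAMPLE_MAP = """
update {
	reply:Idle-Timeout := 'radiusIdleTimeout'
	reply:Session-Timeout := 'radiusSessionTimeout'
	reply:Service-Type := 'radiusServiceType'
	request:Simultaneous-Use := 'radiusSimultaneousUse'
	request:Expiration := 'radiusExpiration'
	control:Auth-Type := 'radiusAuthType'
	# control:NT-Password := 'ntPassword'
}
"""

SAMPLE_DEBUG = """
/etc/raddb/mods-enabled/ldap[63]: Unknown value 'radiusIdleTimeout' for attribute 'Idle-Timeout'
/etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap"
"""


@dataclass(frozen=True)
class MapEntry:
    list_name: str       # request / reply / control / session-state
    attribute: str       # RADIUS attribute, e.g. Idle-Timeout
    operator: str        # :=, +=, ==, =
    ldap_attribute: str  # directory attribute named on the right-hand side
    quoted: bool         # whether the right-hand side was written in quotes


@dataclass(frozen=True)
class UnknownValueError:
    path: str            # config file the server reported
    line: int            # line number inside that file (not inside the snippet)
    value: str           # the string the server failed to interpret
    attribute: str       # the RADIUS attribute it tried to parse the value for


# One map line: <list>:<Attribute> <op> <rhs>. '==' is listed before '=' so it matches first.
MAP_LINE = re.compile(
    r"^(?P<list>request|reply|control|session-state):(?P<attr>[A-Za-z0-9-]+)"
    r"\s*(?P<op>:=|\+=|==|=)\s*(?P<rhs>.+?)$"
)

ERROR_LINE = re.compile(
    r"^(?P<path>\S+?)\[(?P<line>\d+)\]: Unknown value '(?P<value>[^']*)' "
    r"for attribute '(?P<attr>[^']*)'"
)


def parse_update_block(text):
    """Return the active (non-comment) entries of an update {} block."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and commented-out entries map nothing
        m = MAP_LINE.match(line)
        if not m:
            continue  # the 'update {' and '}' lines
        rhs = m.group("rhs")
        quoted = len(rhs) >= 2 and rhs[0] == rhs[-1] and rhs[0] in "'\""
        entries.append(MapEntry(m.group("list"), m.group("attr"), m.group("op"),
                                rhs[1:-1] if quoted else rhs, quoted))
    return entries


def parse_unknown_value_errors(debug_text):
    """Extract 'Unknown value ... for attribute ...' lines from radiusd -X output."""
    errors = []
    for raw in debug_text.splitlines():
        m = ERROR_LINE.match(raw.strip())
        if m:
            errors.append(UnknownValueError(m.group("path"), int(m.group("line")),
                                            m.group("value"), m.group("attr")))
    return errors


def diagnose(map_text, debug_text):
    """Pair each parse error with the map entry whose RADIUS and LDAP attribute it names."""
    entries = parse_update_block(map_text)
    findings = []
    for err in parse_unknown_value_errors(debug_text):
        for e in entries:
            if e.attribute == err.attribute and e.ldap_attribute == err.value:
                findings.append({"list": e.list_name, "attribute": e.attribute,
                                 "ldap_attribute": e.ldap_attribute,
                                 "config_line": err.line, "quoted": e.quoted})
    return findings


def control_entries(map_text):
    """Entries that write into control:, i.e. directory data influencing how auth runs."""
    return [e.attribute for e in parse_update_block(map_text) if e.list_name == "control"]


if __name__ == "__main__":
    for f in diagnose(SAMPLE_MAP, SAMPLE_DEBUG):
        print(f"{f['list']}:{f['attribute']} <- '{f['ldap_attribute']}' "
              f"(reported at ldap[{f['config_line']}])")
    print("control-list entries to review:", control_entries(SAMPLE_MAP))
```

The line number in the error (ldap[63]) refers to the module file, so it will not match the position within a pasted snippet; matching on the attribute pair is what makes the correlation robust when the map is quoted in a mail or ticket.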