Trouble getting ldaps to work
Alberto Martínez
alberto_martinez at deusto.es
Thu Jan 9 09:54:45 CET 2014
Hi.
I'm having trouble setting up an rlm_ldap module.
FR version is 3.0.0
Trimmed output from radiusd -X:
radiusd: #### Instantiating modules ####
instantiate {
}
modules {
# Loaded module rlm_ldap
# Instantiating module "ldap_xxxxxx" from file /usr/local/etc/raddb/mods-enabled/ldap_xxxxxx
ldap ldap_xxxxxx {
server = "ldap.example.org"
port = 636
password = "whocares"
identity = "someuser@example.org"
user {
filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
scope = "sub"
base_dn = "dc=example,dc=org"
access_positive = yes
}
group {
filter = "(objectClass=posixGroup)"
scope = "sub"
base_dn = "dc=example,dc=org"
name_attribute = "cn"
membership_attribute = "memberOf"
cacheable_name = no
cacheable_dn = no
}
client {
scope = "sub"
attribute {
identifier = "host"
shortname = "cn"
}
}
profile {
filter = "(&)"
}
options {
ldap_debug = 40
chase_referrals = no
rebind = yes
net_timeout = 3
res_timeout = 20
srv_timelimit = 20
idle = 60
probes = 3
interval = 3
}
tls {
ca_file = "/usr/local/etc/raddb/certs/ca.example.org.pem"
start_tls = no
require_cert = "demand"
}
}
accounting {
reference = "."
}
post-auth {
reference = "."
}
rlm_ldap (ldap_xxxxxx): Initialising connection pool
pool {
start = 4
min = 2
max = 6
spare = 2
uses = 0
lifetime = 0
cleanup_delay = 5
idle_timeout = 60
spread = no
}
rlm_ldap (ldap_xxxxxx): Opening additional connection (0)
rlm_ldap (ldap_xxxxxx): Connecting to ldap.example.org:636
rlm_ldap (ldap_xxxxxx): Bind with someuser@example.org to ldap.example.org:636 failed: Can't contact LDAP server
rlm_ldap (ldap_xxxxxx): Opening connection failed (0)
rlm_ldap (ldap_xxxxxx): Removing connection pool
/usr/local/etc/raddb/mods-enabled/ldap_xxxxxx[8]: Instantiation failed for module "ldap_xxxxxx"
FR is able to bind with the LDAP server only if require_cert is set to
"never", which makes me believe this is a certificate verification issue.
I tried a manual connection with openssl, using
openssl s_client -connect ldap.example.org:636 -CAfile /usr/local/etc/raddb/certs/ca.example.org.pem -debug
which shows Verify return code: 0 (ok).
The module is called from sites-enabled/default:
authorize {
....
-ldap_xxxxx
....
}
BTW: Why the "-" before the module name?
TIA
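A way to separate the two things a TLS client checks before a bind, added here as an example and not part of the original post or of FreeRADIUS: the chain from the server certificate back to the CA in ca_file, and the match between the name the client connected to (the "server" value, ldap.example.org) and the names in the certificate. A plain openssl s_client run with -CAfile but without -verify_hostname reports only the first in its "Verify return code", while libldap with require_cert = "demand" performs both. The script builds a throwaway CA and three server certificates with the openssl CLI (assumed on PATH, 1.0.2 or later for -verify_hostname) and runs openssl verify over them; every name, file and key in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post or from FreeRADIUS. Requires
# the openssl CLI on PATH (1.0.2 or later for -verify_hostname). Every
# name, file and key below is constructed for the demonstration.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config for a certificate whose CN and SAN are $1, written
# to $2, so the run does not depend on the system openssl.cnf.
write_cnf() {
  cat > "$2" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = $1
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:$1
EOF
}

# Self-signed root: plays the role of the rlm_ldap "ca_file".
make_ca() {
  write_cnf "Demo LDAP CA" "$WORK/ca.cnf"
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
      -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
      >/dev/null 2>&1
}

# Server certificate for name $1, signed by the demo CA, saved as $WORK/$2.pem.
make_leaf() {
  write_cnf "$1" "$WORK/$2.cnf"
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/$2.cnf" \
      -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
      -CAcreateserial -days 1 -extfile "$WORK/$2.cnf" -extensions leaf_ext \
      -out "$WORK/$2.pem" >/dev/null 2>&1
}

# Server certificate for name $1 that is self-signed, i.e. not chained to
# the CA at all: the case require_cert = "never" would accept silently.
make_selfsigned() {
  write_cnf "$1" "$WORK/$2.cnf"
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
      -config "$WORK/$2.cnf" -extensions leaf_ext \
      -keyout "$WORK/$2.key" -out "$WORK/$2.pem" >/dev/null 2>&1
}

# Chain check only: all that a plain "openssl s_client ... -CAfile" run
# reports in its "Verify return code".
chain_ok() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

# Chain check plus server-name check ($2 is the name the client connected
# to): the combination libldap applies for require_cert = "demand".
server_ok() {
  openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$2" \
      "$WORK/$1.pem" >/dev/null 2>&1
}

verdict() { if "$@"; then echo ok; else echo FAIL; fi; }

make_ca
make_leaf ldap.example.org good            # trusted chain, right name
make_leaf ldap-old.example.org renamed     # trusted chain, wrong name
make_selfsigned ldap.example.org untrusted # right name, no chain to ca_file

for c in good renamed untrusted; do
  printf '%-10s chain: %-4s chain+name(ldap.example.org): %s\n' "$c" \
      "$(verdict chain_ok "$c")" "$(verdict server_ok "$c" ldap.example.org)"
done
```

The "renamed" case is the one a plain s_client run hides: the chain verifies, so s_client reports 0 (ok), but the name in the certificate is not the name rlm_ldap connected to, and libldap refuses the session before the bind, which surfaces in radiusd -X as the generic "Can't contact LDAP server". To run the same check that rlm_ldap runs against the real server, without FreeRADIUS in the loop, point the OpenLDAP client tools at the same CA file and the values from the config above: LDAPTLS_CACERT=/usr/local/etc/raddb/certs/ca.example.org.pem LDAPTLS_REQCERT=demand ldapsearch -H ldaps://ldap.example.org -x -D 'someuser@example.org' -W -b dc=example,dc=org -s base '(objectClass=*)'. If that fails too, adding -d 1 makes libldap print the TLS error it hit (chain or hostname), and the fix belongs in the certificate or ca_file rather than in the module configuration; a re-run of openssl s_client with -verify_hostname ldap.example.org added shows the same distinction.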