Trouble getting ldaps to work

Alberto Martínez alberto_martinez at deusto.es
Thu Jan 9 16:50:30 CET 2014


It works. It just doesn't work as expected.

In normal mode radius.log shows apparently working binds on startup:

Thu Jan  9 13:33:06 2014 : Info: rlm_ldap (ldap_xxxxx): Opening additional connection (0)
Thu Jan  9 13:33:06 2014 : Info: rlm_ldap (ldap_xxxxx): Opening additional connection (1)
Thu Jan  9 13:33:06 2014 : Info: rlm_ldap (ldap_xxxxx): Opening additional connection (2)
Thu Jan  9 13:33:06 2014 : Info: rlm_ldap (ldap_yyyyy): Opening additional connection (0)
Thu Jan  9 13:33:06 2014 : Info: rlm_ldap (ldap_yyyyy): Opening additional connection (1)
Thu Jan  9 13:33:06 2014 : Info: rlm_ldap (ldap_yyyyy): Opening additional connection (2)

radtest with a user from "users" returns Access-Accept.

But radiusd -X is failing:

...
# Skipping instantiation of ldap_yyyyy
ldap ldap_yyyyy {
...
}
...
Ready to process requests
rad_recv: Access-Request packet from host 127.0.0.1 port 46825, id=153, length=92
    User-Name = 'thisuser'
    User-Password = 'thatpassword'
    NAS-IP-Address = 203.0.113.1
    NAS-Port = 1812
    Message-Authenticator = 0x96838d44a607086ec3af35a2d39aa6e5
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0)   authorize {
(0)   filter_username filter_username {
(0)    ? if (!User-Name)
(0)    ? if (!User-Name)  -> FALSE
(0)    ? if (User-Name != "%{tolower:%{User-Name}}")
(0)     expand: "%{tolower:%{User-Name}}" -> 'thisuser'
(0)    ? if (User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(0)    ? if (User-Name =~ / /)
(0)    ? if (User-Name =~ / /)  -> FALSE
(0)    ? if (User-Name =~ /@.*@/ )
(0)    ? if (User-Name =~ /@.*@/ )  -> FALSE
(0)    ? if (User-Name =~ /\\.\\./ )
(0)    ? if (User-Name =~ /\\.\\./ )  -> FALSE
(0)    ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(0)    ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(0)    ? if (User-Name =~ /\\.$/)
(0)    ? if (User-Name =~ /\\.$/)   -> FALSE
(0)    ? if (User-Name =~ /@\\./)
(0)    ? if (User-Name =~ /@\\./)   -> FALSE
(0)   } # filter_username filter_username = notfound
(0)   [preprocess] = ok
(0)   [chap] = noop
(0)   [mschap] = noop
(0)   [digest] = noop
(0) suffix : No '@' in User-Name = "thisuser", looking up realm NULL
(0) suffix : Found realm "NULL"
(0) suffix : Adding Stripped-User-Name = "thisuser"
(0) suffix : Adding Realm = "NULL"
(0) suffix : Authentication realm is LOCAL
(0)   [suffix] = ok
(0) eap : No EAP-Message, not doing EAP
(0)   [eap] = noop
(0) files : users: Matched entry thisuser at line 108
(0)   [files] = ok
(0) ERROR: ldap_yyyyy : All ldap connections are in use
(0)   [ldap_yyyyy] = fail
(0)  } #  authorize = fail
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0)  Post-Auth-Type REJECT {
(0) attr_filter.access_reject :     expand: "%{User-Name}" -> 'thisuser'
(0) attr_filter.access_reject : Matched entry DEFAULT at line 11
(0)   [attr_filter.access_reject] = updated
(0) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure
(0)   [eap] = noop
(0)   remove_reply_message_if_eap remove_reply_message_if_eap {
(0)    ? if (reply:EAP-Message && reply:Reply-Message)
(0)    ? if (reply:EAP-Message && reply:Reply-Message)  -> FALSE
(0)    else else {
(0)     [noop] = noop
(0)    } # else else = noop
(0)   } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(0)  } # Post-Auth-Type REJECT = updated
(0) Finished request 0.
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed reject
Sending Access-Reject of id 153 from 127.0.0.1 port 1812 to 127.0.0.1 port 46825
    Reply-Message = 'Rejected'
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 153 with timestamp +2
Ready to process requests

Any idea about why this is happening?

Regards.
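As an added triage helper (not part of the post and not FreeRADIUS code): a small Python parser over a constructed excerpt modelled on the radiusd -X output above. It collects modules reported as "Skipping instantiation" at startup and marks any later per-request module error that names one of them, then records the final reply, so the skipped ldap_yyyyy instance and its "All ldap connections are in use" failure appear side by side.

```python
import re

# Constructed excerpt modelled on the radiusd -X trace in the post (not a verbatim copy).
SAMPLE_DEBUG = """\
# Skipping instantiation of ldap_yyyyy
ldap ldap_yyyyy {
}
Ready to process requests
rad_recv: Access-Request packet from host 127.0.0.1 port 46825, id=153, length=92
(0) files : users: Matched entry thisuser at line 108
(0)   [files] = ok
(0) ERROR: ldap_yyyyy : All ldap connections are in use
(0)   [ldap_yyyyy] = fail
(0)  } #  authorize = fail
(0) Using Post-Auth-Type Reject
Sending Access-Reject of id 153 from 127.0.0.1 port 1812 to 127.0.0.1 port 46825
"""

SKIPPED_RE = re.compile(r"^# Skipping instantiation of (\S+)")
MODERR_RE = re.compile(r"^\((\d+)\) ERROR: (\S+) : (.*)$")
RESULT_RE = re.compile(r"^Sending (Access-\w+) of id (\d+)")


def triage(debug_text):
    """Correlate startup 'Skipping instantiation' lines with later module errors."""
    skipped = set()
    errors = []
    results = []
    for line in debug_text.splitlines():
        m = SKIPPED_RE.match(line)
        if m:
            skipped.add(m.group(1))
            continue
        m = MODERR_RE.match(line)
        if m:
            req, mod, msg = m.groups()
            errors.append({"request": int(req), "module": mod, "message": msg,
                           "never_instantiated": mod in skipped})
            continue
        m = RESULT_RE.match(line)
        if m:
            results.append((int(m.group(2)), m.group(1)))
    return {"skipped_modules": sorted(skipped), "module_errors": errors, "results": results}


if __name__ == "__main__":
    report = triage(SAMPLE_DEBUG)
    for err in report["module_errors"]:
        flag = " (module skipped at startup)" if err["never_instantiated"] else ""
        print(f"request {err['request']}: {err['module']}: {err['message']}{flag}")
    print("replies:", report["results"])
```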