ldapi:// with SASL/EXTERNAL
Michael Ströder
michael at stroeder.com
Sat May 2 00:31:11 CEST 2015
Hi!
My FreeRADIUS 3.0.8 server works with OpenLDAP also with ldapi:// and simple
bind. But it does not work with SASL/EXTERNAL bind (see relevant -X output
attached below).
A short test as the correct daemon user 'radiusd' with
ldapwhoami -H ldapi:// -Y EXTERNAL
returns the expected and correct authz-DN.
But when FreeRADIUS starts, the OpenLDAP logs look strange:
2015-05-02T00:28:03.170556+02:00 srv3 slapd[1350]: conn=1344 fd=18 ACCEPT from PATH=/run/slapd/ldapi (PATH=/run/slapd/ldapi)
2015-05-02T00:28:03.172464+02:00 srv3 slapd[1350]: conn=1344 op=0 BIND dn="" method=163
2015-05-02T00:28:03.173796+02:00 srv3 slapd[1350]: conn=1344 op=0 RESULT tag=97 err=14 text=SASL(0): successful result:
2015-05-02T00:28:03.179488+02:00 srv3 slapd[1350]: connection_operation: error: SASL bind in progress (tag=66).
2015-05-02T00:28:03.179758+02:00 srv3 slapd[1350]: conn=1344 op=1 RESULT tag=48 err=1 text=SASL bind in progress
2015-05-02T00:28:03.180154+02:00 srv3 slapd[1350]: conn=1344 fd=18 closed
Ciao, Michael.
--------------------------- snip ---------------------------
# Loaded module rlm_ldap
# Instantiating module "ldap" from file /etc/raddb/mods-enabled/ldap
ldap {
server = "ldapi://"
sasl_mech = "EXTERNAL"
user {
scope = "sub"
access_positive = yes
}
group {
filter = "(objectClass=posixGroup)"
scope = "sub"
name_attribute = "cn"
membership_attribute = "memberOf"
membership_filter = "(member=%{control:Ldap-UserDn})"
cacheable_name = no
cacheable_dn = no
}
client {
filter = "(objectClass=radiusClient)"
scope = "sub"
base_dn = "${..base_dn}"
}
profile {
}
options {
ldap_debug = 40
chase_referrals = no
rebind = yes
net_timeout = 1
res_timeout = 20
srv_timelimit = 20
idle = 60
probes = 3
interval = 3
}
tls {
start_tls = no
}
}
rlm_ldap: libldap vendor: OpenLDAP, version: 20440
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}}"
}
post-auth {
reference = "."
}
rlm_ldap (ldap): Initialising connection pool
pool {
start = 5
min = 4
max = 6
spare = 3
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 1
spread = no
}
WARNING: Ignoring "spare = 3", forcing to "spare = 2"
rlm_ldap (ldap): Opening additional connection (0), 1 of 6 pending slots used
rlm_ldap (ldap): Connecting to ldapi://
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind with (anonymous) to ldapi:// failed: SASL bind in progress
rlm_ldap (ldap): Server said: SASL(0): successful result: .
rlm_ldap (ldap): Opening connection failed (0)
rlm_ldap (ldap): Removing connection pool
/etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap"
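As an added example (editor's code, not part of Michael's post and not FreeRADIUS or OpenLDAP code), here is a small Python script that walks slapd stats-level log lines like the ones above and flags connections where a SASL bind was answered with saslBindInProgress (err=14) and the client then sent some other operation instead of the next bind step, or simply closed the connection. The slapd lines from the post are reused as input; a second, successful EXTERNAL bind on conn=1345 is constructed for contrast, so its exact lines are an assumption. The LDAP resultCode values (14 = saslBindInProgress, 1 = operationsError) and the BER tag numbers (97 = BindResponse, 66 = UnbindRequest) are the standard RFC 4511 encodings; treating tag 48 (a plain SEQUENCE) as slapd's placeholder for an operation with no response PDU is an assumption.

```python
"""Flag slapd connections whose SASL bind was left in progress.

Added example, not part of the original post.  Parses the "conn=/op=" lines
slapd emits at loglevel "stats" and reports connections where a SASL bind
got resultCode 14 (saslBindInProgress) and the client did not follow up
with the next bind step.
"""
import re
from collections import defaultdict

# LDAP resultCode values (RFC 4511, section 4.1.9).
SASL_BIND_IN_PROGRESS = 14
OPERATIONS_ERROR = 1

# slapd logs "method=163" for a SASL bind (0xa3 = [CONTEXT 3] sasl choice).
METHOD_SASL = 163

# BER tags of the LDAP PDUs as slapd logs them.  48 (0x30, universal SEQUENCE)
# is assumed to be slapd's placeholder for an op that has no response PDU.
TAG_NAMES = {
    96: "BindRequest", 97: "BindResponse", 66: "UnbindRequest",
    99: "SearchRequest", 101: "SearchResultDone",
    48: "SEQUENCE (no response PDU)",
}

CONN_RE = re.compile(r"slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$")
BIND_RE = re.compile(r'^op=(?P<op>\d+) BIND dn="[^"]*" method=(?P<method>\d+)')
RESULT_RE = re.compile(
    r"^op=(?P<op>\d+) (?:SEARCH )?RESULT tag=(?P<tag>\d+) err=(?P<err>\d+)"
    r"(?: text=(?P<text>.*))?"
)


def analyse(lines):
    """Return {conn_id: [finding, ...]} for connections with a SASL bind that
    was answered with err=14 and then abandoned by the client."""
    sasl_bind_ops = defaultdict(set)  # conn -> ops that were SASL BINDs
    pending = {}                      # conn -> op of the bind still in progress
    findings = defaultdict(list)

    for line in lines:
        m = CONN_RE.search(line)
        if not m:
            continue  # e.g. the "connection_operation: error:" line has no conn=
        conn, rest = int(m.group("conn")), m.group("rest")

        b = BIND_RE.match(rest)
        if b and int(b.group("method")) == METHOD_SASL:
            sasl_bind_ops[conn].add(int(b.group("op")))
            continue

        r = RESULT_RE.match(rest)
        if r:
            op, tag, err = int(r.group("op")), int(r.group("tag")), int(r.group("err"))
            if op in sasl_bind_ops[conn]:
                if err == SASL_BIND_IN_PROGRESS:
                    pending[conn] = op       # server waits for the next bind step
                else:
                    pending.pop(conn, None)  # bind finished (success or hard error)
            elif conn in pending and op != pending[conn]:
                findings[conn].append(
                    f"op={pending[conn]} SASL bind still in progress, but op={op} "
                    f"({TAG_NAMES.get(tag, 'tag ' + str(tag))}) was sent and "
                    f"answered err={err} {r.group('text') or ''}".rstrip()
                )
            continue

        if rest.endswith(" closed") and conn in pending:
            findings[conn].append(f"closed with op={pending.pop(conn)} SASL bind unfinished")

    return dict(findings)


# conn=1344 is copied from the post; conn=1345 is a constructed successful
# SASL/EXTERNAL bind over ldapi followed by a search, shown for contrast.
SAMPLE_LOG = """\
2015-05-02T00:28:03.170556+02:00 srv3 slapd[1350]: conn=1344 fd=18 ACCEPT from PATH=/run/slapd/ldapi (PATH=/run/slapd/ldapi)
2015-05-02T00:28:03.172464+02:00 srv3 slapd[1350]: conn=1344 op=0 BIND dn="" method=163
2015-05-02T00:28:03.173796+02:00 srv3 slapd[1350]: conn=1344 op=0 RESULT tag=97 err=14 text=SASL(0): successful result:
2015-05-02T00:28:03.179488+02:00 srv3 slapd[1350]: connection_operation: error: SASL bind in progress (tag=66).
2015-05-02T00:28:03.179758+02:00 srv3 slapd[1350]: conn=1344 op=1 RESULT tag=48 err=1 text=SASL bind in progress
2015-05-02T00:28:03.180154+02:00 srv3 slapd[1350]: conn=1344 fd=18 closed
2015-05-02T00:29:10.000001+02:00 srv3 slapd[1350]: conn=1345 fd=19 ACCEPT from PATH=/run/slapd/ldapi (PATH=/run/slapd/ldapi)
2015-05-02T00:29:10.000002+02:00 srv3 slapd[1350]: conn=1345 op=0 BIND dn="" method=163
2015-05-02T00:29:10.000003+02:00 srv3 slapd[1350]: conn=1345 op=0 BIND authcid="gidNumber=999+uidNumber=999,cn=peercred,cn=external,cn=auth" authzid="gidNumber=999+uidNumber=999,cn=peercred,cn=external,cn=auth"
2015-05-02T00:29:10.000004+02:00 srv3 slapd[1350]: conn=1345 op=0 RESULT tag=97 err=0 text=
2015-05-02T00:29:10.000005+02:00 srv3 slapd[1350]: conn=1345 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=alice)"
2015-05-02T00:29:10.000006+02:00 srv3 slapd[1350]: conn=1345 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
2015-05-02T00:29:10.000007+02:00 srv3 slapd[1350]: conn=1345 op=2 UNBIND
2015-05-02T00:29:10.000008+02:00 srv3 slapd[1350]: conn=1345 fd=19 closed
""".splitlines()


if __name__ == "__main__":
    for conn, msgs in sorted(analyse(SAMPLE_LOG).items()):
        for msg in msgs:
            print(f"conn={conn}: {msg}")
```

Run against the lines above, it reports only conn=1344 (op=1 arriving while the op=0 SASL bind was still in progress, then the close), while the contrasting conn=1345 is silent because its bind reached err=0 before the search. The same pattern matching works on any slapd log at loglevel "stats"; it tells you which client connections never completed the SASL exchange but not why, which is the question the post leaves open.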