LDAP module problem

Hossein Rafighi Hossein.Rafighi at triumf.ca
Thu Oct 8 17:36:27 CEST 2015


Much appreciate the advice. I did as you suggested and all seems okay 
except for LDAP binding! This is weird! I use exactly the same 
username/password for LDAP binding on my RADIUS 2.x server, and a couple 
of other servers; however, on this one I am getting "Invalid credentials"! I 
must admit, it has been a few years since I set up FreeRADIUS 2.x, and much 
has changed since.

If I enable start_tls I get:
TLS: error: the certificate '/etc/raddb/certs/ccndev4.triumf.ca.crt' 
could not be found in the database - error -5939:No more entries in the 
directory.
TLS: certificate '/etc/raddb/certs/ccndev4.triumf.ca.crt' successfully 
loaded from PEM file.
TLS: no unlocked certificate for certificate 
'E=system at triumf.ca,CN=ccndev4.triumf.ca,OU=Computing 
Services,O=TRIUMF,L=Vancouver,ST=BC,C=CA'.
TLS: certificate [CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US] is not 
valid - error -8172:Peer's certificate issuer has been marked as not 
trusted by the user..
TLS: error: connect - force handshake failure: errno 0 - moznss error -8172
TLS: can't connect: TLS error -8172:Peer's certificate issuer has been 
marked as not trusted by the user..
rlm_ldap (ldap): Could not start TLS: Connect error
rlm_ldap (ldap): Opening connection failed (0)
rlm_ldap (ldap): Removing connection pool
/etc/raddb/mods-enabled/ldap[12]: Instantiation failed for module "ldap"

My certs are self-signed and in /certs, the same as on the FreeRADIUS 2 server, 
which is happy!

If I set start_tls to no I get:
rlm_ldap: Falling back to build time libldap version info.  Query for 
LDAP_OPT_API_INFO returned: -1
rlm_ldap: libldap vendor: OpenLDAP version: 20439
    accounting {
         reference = "%{tolower:type.%{Acct-Status-Type}}"
    }
    post-auth {
         reference = "."
    }
rlm_ldap (ldap): Initialising connection pool
    pool {
         start = 5
         min = 4
         max = 32
         spare = 3
         uses = 0
         lifetime = 0
         cleanup_interval = 30
         idle_timeout = 60
         retry_delay = 1
         spread = no
    }
rlm_ldap (ldap): Opening additional connection (0)
rlm_ldap (ldap): Connecting to trmail.triumf.ca:389
rlm_ldap (ldap): Could not set random_file: Success
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind credentials incorrect: Invalid credentials
rlm_ldap (ldap): Opening connection failed (0)
rlm_ldap (ldap): Removing connection pool
/etc/raddb/mods-enabled/ldap[12]: Instantiation failed for module "ldap"


Here are the LDAP-related entries:
         server = "myldap.triumf.ca"
         port = 389
         identity = "cn=manager,o=triumf"
         password = ****************
         base_dn = "o=triumf"
         edir_autz = yes
         access_attribute = "uid"
         filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

Everything else is default! Did I miss something else here?
Many thanks for all your advice,
Hossein


On 10/7/2015 11:35 AM, Alan Buxey wrote:
> You appear to have uncommented documentation... read what it says. 
> You need to put that sort of stuff into the virtual server config (i.e. 
> in the authorize section of the inner tunnel) as the online 
> documentation is telling you :)
>
> alan 

-- 
   _____  _____   _____  _   _  _   _  ____ Hossein Rafighi
  |_   _||  _  \ |_   _|| | | || \_/ ||  __|TRIUMF, 4004 Wesbrook Mall
    | |  | |_|  )  | |  | | | ||     || |__ Vancouver BC, Canada, V6T 2A3
    | |  |  _  /   | |  | \_/ || \_/ ||  __|Voice: (604) 222-1047
    | |  | | \ \  _| |_ |     || | | || |   Fax:   (604) 222-1074
    |_|  |_|  \_\|_____| \___/ |_| |_||_|   Website: http://www.triumf.ca
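Two things in the debug output above are worth checking outside FreeRADIUS before touching the module config: with `start_tls = no` the bind happens on port 389, so the manager password crosses the network in cleartext inside the LDAP BindRequest; and with `start_tls = yes` the `moznss` error -8172 says the TLS layer does not trust the issuer of the LDAP server's certificate (the log names GeoTrust Global CA), so the CA handed to the ldap module's `tls { ca_file }` must be that issuer, not the RADIUS host's own self-signed certificate. Note also that the debug run connects to trmail.triumf.ca:389 while the pasted config names myldap.triumf.ca, so confirm which host and credentials the running config really uses. The quickest check is the OpenLDAP client tools: `ldapwhoami -x -H ldap://myldap.triumf.ca:389 -D 'cn=manager,o=triumf' -W` (add `-ZZ`, with `LDAPTLS_CACERT` pointing at the issuer's PEM, to exercise StartTLS); an exit status of 49 is the same invalidCredentials rlm_ldap reports. The following added example is not rlm_ldap's or OpenLDAP's code; it is the same LDAPv3 exchange written from RFC 4511 so the wire format and the trust decision are visible. The host, DN, password and the sample response bytes are constructed placeholders, and the example verifies the server chain with Python's OpenSSL-backed `ssl` module rather than the NSS library the log shows libldap using.

```python
"""Minimal LDAPv3 simple bind with optional StartTLS, built from RFC 4511.
Added example for this thread, not rlm_ldap or OpenLDAP code.  Hostnames, DNs
and the sample response bytes below are constructed for illustration."""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 section 4.14
RESULT_NAMES = {0: "success", 32: "noSuchObject", 49: "invalidCredentials",
                50: "insufficientAccessRights", 53: "unwillingToPerform"}

def _tlv(tag, body):
    """Encode one BER TLV using the short or long definite length form."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _int(v):
    """BER INTEGER (two's complement, minimal length)."""
    return _tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def bind_request(msg_id, dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name,
    authentication simple [0] } }.  The password is a plain OCTET STRING: with
    start_tls = no this is exactly what crosses port 389."""
    op = _tlv(0x60, _int(3) + _tlv(0x04, dn) + _tlv(0x80, password))
    return _tlv(0x30, _int(msg_id) + op)

def starttls_request(msg_id):
    """ExtendedRequest [APPLICATION 23] with requestName [0] = StartTLS OID."""
    return _tlv(0x30, _int(msg_id) + _tlv(0x77, _tlv(0x80, STARTTLS_OID)))

def _read_tlv(buf, pos=0):
    """Decode the TLV at buf[pos]; return (tag, body, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, pos = first, pos + 2
    else:
        k = first & 0x7F
        n, pos = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), pos + 2 + k
    return tag, buf[pos:pos + n], pos + n

def parse_result(msg):
    """BindResponse [APPLICATION 1] or ExtendedResponse [APPLICATION 24] ->
    (message_id, result_code, result_name, diagnostic_message)."""
    tag, body, _ = _read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(body)
    op_tag, op, _ = _read_tlv(body, pos)
    if op_tag not in (0x61, 0x78):
        raise ValueError("unexpected protocolOp tag 0x%02x" % op_tag)
    _, code, pos = _read_tlv(op)           # resultCode ENUMERATED
    _, _matched, pos = _read_tlv(op, pos)  # matchedDN
    _, diag, _ = _read_tlv(op, pos)        # diagnosticMessage
    rc = int.from_bytes(code, "big")
    return (int.from_bytes(mid, "big"), rc, RESULT_NAMES.get(rc, "code %d" % rc),
            diag.decode("utf-8", "replace"))

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("LDAP server closed the connection")
        buf += chunk
    return buf

def _recv_message(sock):
    """Read one BER-framed LDAPMessage (header, long-form length, body)."""
    head = _recv_exact(sock, 2)
    extra = _recv_exact(sock, head[1] & 0x7F) if head[1] >= 0x80 else b""
    n = int.from_bytes(extra, "big") if extra else head[1]
    return head + extra + _recv_exact(sock, n)

def simple_bind(host, port, dn, password, ca_file=None, timeout=5):
    """Reproduce rlm_ldap's bind by hand.  With ca_file set, StartTLS first and
    verify the server chain against that file, which must therefore contain the
    issuer of the LDAP server's certificate, not the RADIUS host's own cert."""
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        if ca_file:
            sock.sendall(starttls_request(1))
            _, rc, name, diag = parse_result(_recv_message(sock))
            if rc != 0:
                return rc, name, "StartTLS refused: " + diag
            ctx = ssl.create_default_context(cafile=ca_file)
            sock = ctx.wrap_socket(sock, server_hostname=host)
        sock.sendall(bind_request(2, dn, password))  # cleartext if ca_file is None
        _, rc, name, diag = parse_result(_recv_message(sock))
        return rc, name, diag
    finally:
        sock.close()

# Constructed sample answers: StartTLS accepted (code 0) and a bind rejected
# with resultCode 49, the "Invalid credentials" rlm_ldap printed above.
SAMPLE_STARTTLS_OK = _tlv(0x30, _int(1) + _tlv(0x78, _tlv(0x0A, b"\x00") + _tlv(0x04, b"") + _tlv(0x04, b"")))
SAMPLE_BIND_FAILURE = _tlv(0x30, _int(2) + _tlv(0x61, _tlv(0x0A, b"\x31") + _tlv(0x04, b"") + _tlv(0x04, b"")))

if __name__ == "__main__":
    req = bind_request(2, b"cn=manager,o=triumf", b"hunter2")  # placeholder password
    print("BindRequest on the wire:", req.hex())  # the password is readable in here
    print(parse_result(SAMPLE_BIND_FAILURE))
    # Live check (placeholder host and CA path; needs network access):
    # print(simple_bind("myldap.triumf.ca", 389, b"cn=manager,o=triumf", b"hunter2",
    #                   ca_file="/etc/raddb/certs/ldap-issuer-ca.pem"))
```

Run it as a script to see the cleartext BindRequest and the parsed failure; call `simple_bind()` with `ca_file` set to the LDAP server's issuer CA to reproduce the trust check the module's `tls { ca_file }` performs, and without it to reproduce the plain port-389 bind from the `start_tls = no` run. If `ssl` rejects the chain, the ldap module (which in this build validates through NSS) will too, until its CA file contains that issuer.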