disable LDAP referrals not working
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Fri Aug 12 10:33:07 CEST 2016
> On 12 Aug 2016, at 10:27, tirili at web.de wrote:
>
> I have /etc/openldap/ldap.conf
>
> TLS_CACERTDIR /etc/openldap/cacerts
> SASL_NOCANON on
> URI ldaps://dcdc0011.domain.local:636 ldaps://dcdc0021.domain.local:636
> SCOPE one
> BASE dc=domain,dc=local
> REFERRALS off
>
> Freeradius ldap tells
>
> TLS: hostname (DomainDnsZones.domain.local) does not match common name in certificate (dcdc0020.domain.local).
> TLS: can't connect: TLS: hostname does not match CN in peer certificate.
> Unable to chase referral "ldaps://DomainDnsZones.domain.local/DC=DomainDnsZones,DC=domain,DC=local" (-1: Can't contact LDAP server)
> TLS: hostname (ForestDnsZones.domain.local) does not match common name in certificate (dcdc0020.domain.local).
> TLS: can't connect: TLS: hostname does not match CN in peer certificate.
> Unable to chase referral "ldaps://ForestDnsZones.domain.local/DC=ForestDnsZones,DC=domain,DC=local" (-1: Can't contact LDAP server)
> TLS: hostname (domain.local) does not match common name in certificate (dcdc0011.domain.local).
> TLS: can't connect: TLS: hostname does not match CN in peer certificate.
> Unable to chase referral "ldaps://domain.local/CN=Configuration,DC=domain,DC=local" (-1: Can't contact LDAP server)
>
> Why is REFERRALS off not taken into account, or
> how can this chasing of referrals be disabled?
Because until very recently the config parser didn’t have a way of indicating that a configuration item wasn’t set, and so it always used FreeRADIUS defaults.
There’s a config option to disable referrals in raddb/mods-available/ldap; you should use that to disable the referrals for now…
-Arran
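The rlm_ldap setting Arran refers to, shown here as an added example rather than anything posted in the thread: in FreeRADIUS 3.x the module's `options` subsection in raddb/mods-available/ldap carries `chase_referrals` (and `rebind`, which decides whether the module re-binds with the same credentials when it does follow a referral). Setting `chase_referrals = no` stops the module from following the DomainDnsZones, ForestDnsZones and Configuration referrals that Active Directory returns for the domain naming context, so the hostname mismatch on those referral targets is never reached and the REFERRALS line in /etc/openldap/ldap.conf is not needed for this. The server URIs, CA directory and base DN are taken from the quoted ldap.conf; the bind identity and password are placeholders, and the exact keyword set is assumed to be that of a 3.0.x server.

```conf
# raddb/mods-available/ldap (FreeRADIUS 3.0.x) -- added example, not the poster's file.
# Only the parts relevant to referral chasing and TLS are shown.
ldap {
    # Two DCs from the quoted ldap.conf; with ldaps:// URIs the separate
    # 'port' setting and tls.start_tls are not used.
    server = 'ldaps://dcdc0011.domain.local:636'
    server = 'ldaps://dcdc0021.domain.local:636'

    base_dn = 'dc=domain,dc=local'

    # Assumed placeholders: use a dedicated, read-only service account.
    identity = 'cn=radius,cn=Users,dc=domain,dc=local'
    password = 'change-me'

    options {
        # Do not follow referrals returned by the DC. This is the setting
        # the reply points to; it replaces REFERRALS off from ldap.conf,
        # which rlm_ldap did not honour at the time of the thread.
        chase_referrals = no

        # Irrelevant once chasing is off, but keep it off so the bind
        # credentials are never re-sent to a server named in a referral.
        rebind = no
    }

    tls {
        # Keep certificate verification strict. The errors in the question
        # were hostname mismatches on referral targets; suppressing the
        # referrals fixes them without weakening verification of the DCs.
        ca_path = '/etc/openldap/cacerts'
        require_cert = 'demand'
    }
}
```

After editing, confirm the module is enabled (a symlink in raddb/mods-enabled/) and run `radiusd -X`; the debug output should show the bind and search against dcdc0011 or dcdc0021 with no "Unable to chase referral" lines.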