Problem with authentication against FreeIPA

Matthew Newton mcn at
Thu Aug 22 12:27:01 CEST 2019

On Thu, 2019-08-22 at 06:41 +0000, Daniel Osielczak via Freeradius-Users wrote:
> FreeRADIUS Version 3.0.13
> rlm_ldap (ldap): Connecting to ldap://ipa1.domain:389
> TLSMC: MozNSS compatibility interception begins.
> tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.
> tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
> TLSMC: MozNSS compatibility interception ends.
> (0) ldap: Using user DN from request "uid=newldaptest,cn=users,cn=accounts,dc=domain"
> (0) ldap: Starting SASL mech(s): GSSAPI
> SASL/GSSAPI authentication started
> (0) ldap: ERROR: Bind with uid=newldaptest,cn=users,cn=accounts,dc=domain to ldap://ipa1.domain:389 failed: Local error

Looks like you're using CentOS/RHEL, which has ldap compiled against
NSS. That breaks things with FreeRADIUS (compiled against OpenSSL).

Try installing the FreeRADIUS packages from and follow the instructions on that
page to install the LDAP libraries from the LTB project instead, which
are compiled against OpenSSL.

