FR, LDAP (AD) issues

Alan DeKok aland at
Tue Dec 8 14:41:20 CET 2020

On Dec 8, 2020, at 8:33 AM, Matt Zagrabelny via Freeradius-Users <freeradius-users at> wrote:
>> I am having trouble getting FR to bind to LDAP (AD). I believe the issue
>> is with TLS and the CA's, but I am not sure. Any help verifying the problem
>> and finding a solution would be very appreciated.
>> Here's the version:

  None of that really matters.

>> $ echo | openssl s_client -connect | grep 'Verification: OK'
>> depth=1 DC = edu, DC = umn, DC = ad, CN = OIT-CA1-ADRCA
>> verify return:1
>> depth=0 CN =
>> verify return:1
>> Verification: OK

  That's good.

>> Also, ldapsearch executes successfully when the authority cert is added to
>> the ca-certificates for the system, but fails when the cert is not added to
>> the ca-certificates. ldapsearch is linked against gnutls.

  <sigh>  RedHat idiocies.

  They've since switched back.

>> However, even with the cert added to the system list of ca-certificates,
>> it appears FR (at least the LDAP component) is failing. Here is a snippet
>> of "freeradius -X"
>> rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
>> rlm_ldap (ldap): Connecting to ldaps://
>> TLS: can't connect: (unknown error code).

  That seems definitive.

  The issue is RedHat.  They've linked libldap against GNUTLS, which is *not* compatible with OpenSSL.  FreeRADIUS tries to use OpenSSL, and then bad things happen.

  Drop the crappy RedHat packages, and go with working ones.  See our web site for more details:

  Alan DeKok.
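As an added diagnostic (this is not code from the thread, nor from the FreeRADIUS project), a small POSIX shell script that checks the two things this reply turns on: which TLS library the installed libldap is linked against, and whether the LDAPS endpoint's certificate chain verifies under OpenSSL itself, the library FreeRADIUS uses. The LDAP hostname, port and CA bundle path are assumptions passed in as arguments; the ldd output in the comments is constructed.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the FreeRADIUS project.
# Two checks for the failure mode described in the reply: a libldap linked
# against GnuTLS while FreeRADIUS expects OpenSSL. Host, port and CA bundle
# path are assumptions supplied by the caller.

# classify_tls_backend: read ldd-style output on stdin and print which TLS
# library the shared object pulls in: gnutls, openssl, both, or none.
# Example (constructed) input line: "libgnutls.so.30 => /usr/lib64/libgnutls.so.30"
classify_tls_backend() {
    deps=$(cat)
    gnutls=0
    openssl=0
    case "$deps" in *libgnutls.so*) gnutls=1 ;; esac
    case "$deps" in *libssl.so*)    openssl=1 ;; esac
    if [ "$gnutls" -eq 1 ] && [ "$openssl" -eq 1 ]; then
        echo both
    elif [ "$gnutls" -eq 1 ]; then
        echo gnutls
    elif [ "$openssl" -eq 1 ]; then
        echo openssl
    else
        echo none
    fi
}

# find_libldap: locate the installed libldap through the dynamic linker cache.
find_libldap() {
    ldconfig -p 2>/dev/null | awk '/libldap[^ ]*\.so/ { print $NF; exit }'
}

# check_libldap_backend: run ldd on the real libldap and classify it.
# Returns 0 only when libldap links against OpenSSL alone; a GnuTLS-linked
# build (the situation in the thread) or a missing library returns 1.
check_libldap_backend() {
    lib=$(find_libldap)
    if [ -z "$lib" ]; then
        echo "libldap: not found in ldconfig cache" >&2
        return 1
    fi
    backend=$(ldd "$lib" | classify_tls_backend)
    echo "libldap: $lib -> TLS backend: $backend"
    [ "$backend" = "openssl" ]
}

# check_ldaps_verify: confirm the LDAPS endpoint's chain verifies against the
# given CA bundle using OpenSSL, independent of whatever ldapsearch/GnuTLS
# trusts. Prints the verification line; returns 0 only on "Verification: OK".
check_ldaps_verify() {
    host=$1
    port=${2:-636}
    cafile=$3
    out=$(echo | openssl s_client -connect "$host:$port" -CAfile "$cafile" 2>/dev/null)
    line=$(printf '%s\n' "$out" | grep '^Verification')
    echo "ldaps://$host:$port -> ${line:-no verification line (connection failed?)}"
    printf '%s\n' "$out" | grep -q '^Verification: OK$'
}

# Usage (assumed values): sh check_ldap_tls.sh ldap.example.edu 636 /etc/pki/ca.pem
if [ "$#" -ge 1 ]; then
    check_libldap_backend
    check_ldaps_verify "$1" "${2:-636}" "${3:-/etc/ssl/certs/ca-certificates.crt}"
fi
```

If `check_libldap_backend` reports `gnutls` while `check_ldaps_verify` reports `Verification: OK`, the CA trust is fine and the problem is the library mismatch the reply describes, which no certificate change will fix.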

More information about the Freeradius-Users mailing list