FR, LDAP (AD) issues
Alan DeKok
aland at deployingradius.com
Tue Dec 8 14:41:20 CET 2020
On Dec 8, 2020, at 8:33 AM, Matt Zagrabelny via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>> I am having trouble getting FR to bind to LDAP (AD). I believe the issue
>> is with TLS and the CA's, but I am not sure. Any help verifying the problem
>> and finding a solution would be very appreciated.
>>
>> Here's the version:
None of that really matters.
>> $ echo | openssl s_client -connect ad.umn.edu:636 | grep 'Verification: OK'
>> depth=1 DC = edu, DC = umn, DC = ad, CN = OIT-CA1-ADRCA
>> verify return:1
>> depth=0 CN = dc-tc1.ad.umn.edu
>> verify return:1
>> Verification: OK
>> DONE
That's good.
>> Also, ldapsearch executes successfully when the authority cert is added to
>> the ca-certificates for the system, but fails when the cert is not added to
>> the ca-certificates. ldapsearch is linked against gnutls.
<sigh> RedHat idiocies.
They've since switched back.
>> However, even with the cert added to the system list of ca-certificates,
>> it appears FR (at least the LDAP component) is failing. Here is a snippet
>> of "freeradius -X"
>>
>> rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
>> rlm_ldap (ldap): Connecting to ldaps://ad.umn.edu:636
>> TLS: can't connect: (unknown error code).
That seems definitive.
The issue is RedHat. They've linked libldap against GNUTLS, which is *not* compatible with OpenSSL. FreeRADIUS tries to use OpenSSL, and then bad things happen.
Drop the crappy RedHat packages, and go with working ones. See our web site for more details:
https://networkradius.com/packages/
Alan DeKok.
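As an added diagnostic, not part of the thread above, the POSIX shell snippet below shows how to confirm the mismatch Alan describes: it parses `ldd` output and reports whether the libldap that FreeRADIUS's rlm_ldap loads is linked against GnuTLS or OpenSSL. The rlm_ldap module path and the sample `ldd` lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): classify the TLS
# backend a shared library links against, from its `ldd` output.
# FreeRADIUS itself uses OpenSSL, so a libldap that pulls in libgnutls
# is the combination that produces "TLS: can't connect".

# tls_backend: read `ldd` output on stdin, print openssl|gnutls|both|none
tls_backend() {
    has_ssl=0
    has_gnutls=0
    while IFS= read -r line; do
        case "$line" in
            *libssl.so*|*libcrypto.so*) has_ssl=1 ;;
            *libgnutls.so*)             has_gnutls=1 ;;
        esac
    done
    if [ "$has_ssl" -eq 1 ] && [ "$has_gnutls" -eq 1 ]; then echo both
    elif [ "$has_gnutls" -eq 1 ]; then echo gnutls
    elif [ "$has_ssl" -eq 1 ]; then echo openssl
    else echo none
    fi
}

# check_libldap: find the libldap that rlm_ldap.so resolves to, classify it,
# and return 1 when it would clash with FreeRADIUS's OpenSSL.
# The default module path is an assumption for a typical 64-bit Linux host.
RLM_LDAP="${RLM_LDAP:-/usr/lib64/freeradius/rlm_ldap.so}"
check_libldap() {
    mod="${1:-$RLM_LDAP}"
    lib=$(ldd "$mod" | awk '/libldap/ { print $3; exit }')
    [ -n "$lib" ] || { echo "no libldap dependency found in $mod" >&2; return 2; }
    backend=$(ldd "$lib" | tls_backend)
    echo "$lib -> $backend"
    case "$backend" in
        gnutls|both) return 1 ;;   # GnuTLS in the same process as OpenSSL
        *)           return 0 ;;
    esac
}

# Constructed sample: what `ldd` prints for a GnuTLS-linked libldap.
SAMPLE_GNUTLS='libgnutls.so.30 => /lib64/libgnutls.so.30 (0x00007f0000000000)
libc.so.6 => /lib64/libc.so.6 (0x00007f0000100000)'

# Stand-alone demo on the sample, then the live check if the module exists.
printf '%s\n' "$SAMPLE_GNUTLS" | tls_backend
if [ -r "$RLM_LDAP" ]; then check_libldap "$RLM_LDAP" || true; fi
```

Set `RLM_LDAP` to the module's real path on the host before running the live check.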