FreeRADIUS - Google LDAP - Error in debug mode - Regarding

Alan DeKok aland at
Sat Oct 16 22:06:43 CEST 2021

On Oct 16, 2021, at 5:06 AM, Thirunavukkarasu Palanisamy <drthiruna at> wrote:
> It was working fine, but recently I am facing an issue that the FreeRADIUS
> server processes the request only in debug mode. That is, it is accepting
> the request when the server is running in debug mode.

  You've said that already... there's no need to repeat yourself.

> The following are the few warning messages I noticed in the debug output.

  Entirely unrelated to the problem.

> *TLSMC: MozNSS compatibility interception begins.tlsmc_convert: INFO:
> cannot open the NSS DB, expecting PEM configuration is
> present.tlsmc_intercept_initialization: INFO: successfully intercepted TLS
> initialization. Continuing with OpenSSL only.TLSMC: MozNSS compatibility
> interception ends.TLS certificate verification: Error, unable to get local
> issuer certificate*

  That *is* an issue.  You should drop the FreeRADIUS packages you're using, and use the *working* packages (and LDAP libraries) discussed on

  Some OS distributions break FreeRADIUS, and it's up to us to fix them.

  As for the underlying issue you're seeing.  It's really simple: It's not a FreeRADIUS issue.  It's an Operating System permissions issue.

  You're probably running the server in debug mode as "root", and then running it in daemon mode as user "radiusd".  If some of the configuration files are owned and readable only by "root", then the server won't be able to read them in daemon mode.

  And again, this issue doesn't happen in the default configuration.  If you can't figure it out, throw away everything you've done, and install the packages from

  Make sure it runs in debug mode and daemon mode.  Then make ONE change.  Test it in debug mode and daemon mode.  If it works, save a copy of the configuration (e.g. using "git").  If it doesn't work, then that change broke the server.  Repeat until you have a final working configuration.

  All of this process is documented EXTENSIVELY in the server.  See "man radiusd" for one.  We really don't recommend making 1000 changes to the configuration all at once, because most of the time it won't work.

  Take a slow, methodical approach, and it will be FASTER than trying to be "fast" by making a bunch of random changes you don't really understand.

  Alan DeKok.

More information about the Freeradius-Users mailing list