LDAPS Unknown error from LDAP module
Grosjean Cyril
cygrosjean+freeradius at gmail.com
Mon Mar 27 18:03:46 UTC 2023
Hello,
I'm using FreeRADIUS 3.2.1 with a standard config connected to an LDAPS
server, and some requests (bind as admin, search/bind as user, …) are currently
finishing with these kinds of errors:
Tue Mar 14 03:08:56 2023 : Auth: (43138) Login incorrect (ldap: Failed performing search: Unknown error): [user at domain] (from client XXX port 0 via TLS tunnel)
Tue Mar 14 03:30:24 2023 : Auth: (43714) Login incorrect (ldap: Bind with uid=serviceaccount,dc=subdomain,dc=com to ldaps://server:636 failed: Unknown error): [user at domain] (from client XXX port 0 via TLS tunnel)
I can see something like 3 to 5% of the requests made finishing as
"Unknown error".
1/ Can you confirm that the "Unknown error" is from the LDAP response and
not FreeRADIUS? Can we have more information about the status code of the
response?
I'm seeing two occurrences of "Unknown error" in the ldap module
(ldap.c) but I can't get more information, and it is hard for me to
activate debug that shows RADIUS attributes on stdout (as some of them are
sensitive).
2/ Can I activate more debug on those errors to get to the bottom of it? Do
you have any insight to help me get more information?
Here is my LDAP config:
ldap {
    server = 'ldaps://serverldap.com'
    port = 636
    identity = 'uid=serviceaccount,dc=subdomain,dc=com'
    password = 'password'
    base_dn = 'dc=subdomain,dc=com'
    update {
        control: += 'radiusControlAttribute'
        request: += 'radiusRequestAttribute'
        reply: += 'radiusReplyAttribute'
    }
    user_dn = "LDAP-UserDn"
    user {
        base_dn = "ou=users,${..base_dn}"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
    group {
        base_dn = "ou=groups,${..base_dn}"
        filter = '(objectClass=posixGroup)'
        name_attribute = cn
        membership_attribute = 'memberOf'
        cacheable_name = 'no'
        cacheable_db = 'no'
    }
    profile {
    }
    accounting {
        reference = "%{tolower:type.%{Acct-Status-Type}}"
        type {
            start {
                update {
                    description := "Online at %S"
                }
            }
            interim-update {
                update {
                    description := "Last seen at %S"
                }
            }
            stop {
                update {
                    description := "Offline at %S"
                }
            }
        }
    }
    post-auth {
        update {
            description := "Authenticated at %S"
        }
    }
    options {
        chase_referrals = no
        rebind = yes
        res_timeout = 20
        srv_timelimit = 3
        net_timeout = 10
        idle = 60
        probes = 3
        interval = 3
        ldap_debug = 0x0000
    }
    tls {
        require_cert = 'allow'
        tls_min_version = "1.2"
    }
    pool {
        start = ${thread[pool].start_servers}
        min = ${thread[pool].min_spare_servers}
        max = ${thread[pool].max_servers}
        spare = ${thread[pool].max_spare_servers}
        uses = 0
        retry_delay = 30
        lifetime = 0
        idle_timeout = 60
    }
}
Thanks,
Cyril
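Added example (not from the post or from FreeRADIUS itself): a small parser for the radius.log "Auth:" lines quoted above that measures the share of "Unknown error" failures and splits them by the two rlm_ldap call sites the post mentions (bind vs search), so the 3-5% figure can be tracked from the log without enabling attribute-level debug. The log sample, client names and users are constructed.

```python
import re
from collections import Counter

# Constructed sample of radius.log "Auth:" lines in the format quoted in the post.
# Request ids, users and client names are made up for this example.
SAMPLE_LOG = """\
Tue Mar 14 03:08:55 2023 : Auth: (43137) Login OK: [alice at example.com] (from client nas1 port 0 via TLS tunnel)
Tue Mar 14 03:08:56 2023 : Auth: (43138) Login incorrect (ldap: Failed performing search: Unknown error): [bob at example.com] (from client nas1 port 0 via TLS tunnel)
Tue Mar 14 03:09:01 2023 : Auth: (43139) Login OK: [carol at example.com] (from client nas2 port 0 via TLS tunnel)
Tue Mar 14 03:09:07 2023 : Auth: (43140) Login incorrect (ldap: User not found): [dave at example.com] (from client nas1 port 0 via TLS tunnel)
Tue Mar 14 03:30:24 2023 : Auth: (43714) Login incorrect (ldap: Bind with uid=svc,dc=example,dc=com to ldaps://server:636 failed: Unknown error): [erin at example.com] (from client nas2 port 0 via TLS tunnel)
"""

# timestamp : Auth: (request id) <result>[ (module reason)]: [user] (from client X port N ...)
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}) : Auth: \((?P<rid>\d+)\) "
    r"(?P<result>Login OK|Login incorrect|Invalid user)"
    r"(?: \((?P<reason>.*?)\))?: "          # non-greedy: stops at the first '): ['
    r"\[(?P<user>[^\]]*)\] \(from client (?P<client>\S+) port (?P<port>\d+)"
)


def parse_auth_line(line):
    """Return a dict for one Auth: line, or None if the line is something else."""
    m = AUTH_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    reason = rec["reason"] or ""
    # Both ldap.c messages quoted in the post end in the ldap_err2string() text.
    rec["ldap_unknown"] = reason.startswith("ldap:") and reason.endswith("Unknown error")
    if "Bind with" in reason:
        rec["ldap_op"] = "bind"
    elif "search" in reason:
        rec["ldap_op"] = "search"
    else:
        rec["ldap_op"] = "other"
    return rec


def unknown_error_stats(log_text):
    """Count Auth: lines and the 'Unknown error' failures among them, per LDAP operation."""
    total = 0
    unknown_by_op = Counter()
    for line in log_text.splitlines():
        rec = parse_auth_line(line)
        if rec is None:
            continue
        total += 1
        if rec["ldap_unknown"]:
            unknown_by_op[rec["ldap_op"]] += 1
    n_unknown = sum(unknown_by_op.values())
    pct = round(100.0 * n_unknown / total, 2) if total else 0.0
    return {"auth_attempts": total, "unknown_error": n_unknown,
            "unknown_pct": pct, "by_operation": dict(unknown_by_op)}
```

Run it over a real radius.log and a sudden change in "by_operation" (only binds, or only searches, failing) narrows the problem to one of the two ldap.c call sites; the request ids in each record let you correlate with the server-side LDAP access log.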
More information about the Freeradius-Users mailing list