Debugmode together with Kerberos
Stefan Kania
stefan at kania-online.de
Sun Oct 29 14:36:07 UTC 2023
Hi everybody,
I have configured freeradius to use gssapi for authentication while
searching the LDAP for users or hosts. Now I can't start the debug mode
anymore. Every time I try I'm getting:
----------
rlm_ldap (ldap): Connecting to ldaps://ldap-r01.example.net:636
ldaps://ldap-r02.example.net:636
rlm_ldap (ldap): Starting SASL mech(s): gssapi
SASL/GSSAPI authentication started
rlm_ldap (ldap): Bind with (anonymous) to
ldaps://ldap-r01.example.net:636 ldaps://ldap-r02.example.net:636
failed: Local error
rlm_ldap (ldap): Opening connection failed (0)
rlm_ldap (ldap): Removing connection pool
/etc/freeradius/3.0/mods-enabled/ldap[8]: Instantiation failed for
module "ldap"
----------
The log from the LDAP-server is showing:
----------
Okt 29 15:27:27 ldap-r01 slapd[620]: conn=1024 fd=26 ACCEPT from
IP=192.168.56.47:34490 (IP=0.0.0.0:636)
Okt 29 15:27:27 ldap-r01 slapd[620]: conn=1024 fd=26 TLS established
tls_ssf=256 ssf=256 tls_proto=TLSv1.3 tls_cipher=TLS_AES_256_GCM_SHA384
Okt 29 15:27:27 ldap-r01 slapd[620]: conn=1024 op=0 UNBIND
Okt 29 15:27:27 ldap-r01 slapd[620]: conn=1024 fd=26 closed
----------
Running freeradius normally, I can search for a user and check
authentication with username and password:
--------------------
root at radius-r01:~# radtest u1-verw geheim 192.168.56.47 1812 Passw0rd
Sent Access-Request Id 143 from 0.0.0.0:34828 to 192.168.56.47:1812
length 77
User-Name = "u1-verw"
User-Password = "geheim"
NAS-IP-Address = 192.168.56.47
NAS-Port = 1812
Message-Authenticator = 0x00
Cleartext-Password = "geheim"
Received Access-Accept Id 143 from 192.168.56.47:1812 to
192.168.56.47:34828 length 20
--------------------
The log file of my LDAP server is showing:
----------
Okt 29 15:30:29 ldap-r01 slapd[620]: conn=1031 op=2 BIND dn="" method=163
Okt 29 15:30:29 ldap-r01 slapd[620]: conn=1031 op=2 BIND
authcid="radius/radius-r01.example.net"
authzid="radius/radius-r01.example.net"
Okt 29 15:30:29 ldap-r01 slapd[620]: conn=1031 op=2 BIND
dn="uid=radius/radius-r01.example.net,cn=gssapi,cn=auth" mech=GSSAPI
bind_ssf=56 ssf=256
Okt 29 15:30:29 ldap-r01 slapd[620]: conn=1031 op=2 RESULT tag=97 err=0
qtime=0.000006 etime=0.000187 text=
Okt 29 15:30:29 ldap-r01 slapd[620]: conn=1026 op=3 BIND anonymous
mech=implicit bind_ssf=0 ssf=256
Okt 29 15:30:29 ldap-r01 slapd[620]: conn=1026 op=3 BIND dn="cn=u1
Verw,ou=users,ou=Verwaltung,dc=example,dc=net" method=128
Okt 29 15:30:29 ldap-r01 slapd[620]: conn=1026 op=3 BIND dn="cn=u1
Verw,ou=users,ou=Verwaltung,dc=example,dc=net" mech=SIMPLE bind_ssf=0
ssf=256
Okt 29 15:30:29 ldap-r01 slapd[620]: conn=1026 op=3 RESULT tag=97 err=0
qtime=0.000007 etime=0.006275 text=
----------
So as you can see, authentication via Kerberos for the search and
authentication of users is working.
For the next step, switching to user authentication via certificate, I
want to start the debug mode, but I could not figure out how to get the
debug mode running with Kerberos authentication :-(
Is there a way to get it running?
Stefan