LDAPS - where to start from?

little-nemo at virgilio.it little-nemo at virgilio.it
Tue Sep 12 10:04:11 UTC 2023

Hello, members.
I followed the upgrading suggestion. Now working on Freeradius 3.2.1 (on Debian 11.5).
I'm also using some personalized templates of the Eduroam/GARR consortium.
Trying to setup LDAP filtering.
To get an idea on how to do it, I read the tread "LDAP groups and how to filter" (https://lists.freeradius.org/pipermail/freeradius-users/2020-February/097430.html)
Is it still up to date? Is it a feasible solution?
I'm still not understanding if this solution also requires the memberof/membership settings in the mods-available/ldap module. Does it?
Now my main concern is the LDAPS binding, which is not working.
Debug last rows:
rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
rlm_ldap (ldap): Connecting to ldaps://dc1.testuni.it:636
rlm_ldap (ldap): Bind with CN=reader-freeradius,OU=ServiceUsers,OU=ServicePeople,DC=testuni,DC=it to ldaps://dc1.testuni.it:636 failed: Can't contact LDAP server
rlm_ldap (ldap): Opening connection failed (0)
rlm_ldap (ldap): Removing connection pool
/etc/freeradius/3.0/mods-enabled/ldap[8]: Instantiation failed for module "ldap"
I tried to bind, manually, using the general command:
ldapsearch -D ${identity} -w ${password} -H ${server} -b 'CN=user,${base_dn}'
and it worked.
In mods-available/ldap, at line 77, I read the suggestion:
ldapsearch -D ${identity} -w ${password} -h ${server} -b 'CN=user,${base_dn}'
which did not work (the "-h" parameter is not supported anymore?).
I don't think that this is the exact command used by freeradius, so the cause is elsewhere, likely in my configuration files.
What am I supposed to check?
Do you need the full debug?

Thanks in advance,


More information about the Freeradius-Users mailing list