LDAPS - where to start from?

Alan DeKok aland at deployingradius.com
Tue Sep 12 11:50:30 UTC 2023


On Sep 12, 2023, at 6:04 AM, Pietro N. via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> Trying to setup LDAP filtering.
> To get an idea on how to do it, I read the thread "LDAP groups and how to filter" (https://lists.freeradius.org/pipermail/freeradius-users/2020-February/097430.html)
> Is it still up to date? Is it a feasible solution?

  It's a mailing list post, so it's not updated.  But it is correct.

  It's a good solution for solving the problem which is explained in the post.  If you want to do something else, you'll need a different solution.

> I'm still not understanding if this solution also requires the memberof/membership settings in the mods-available/ldap module. Does it?

  Yes.  See the documentation in the mods-available/ldap file.  All of this is explained.

> Now my main concern is the LDAPS binding, which is not working.
> 
> Debug last rows:
> rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
> rlm_ldap (ldap): Connecting to ldaps://dc1.testuni.it:636
> rlm_ldap (ldap): Bind with CN=reader-freeradius,OU=ServiceUsers,OU=ServicePeople,DC=testuni,DC=it to ldaps://dc1.testuni.it:636 failed: Can't contact LDAP server

  This error is "can't contact", not "LDAP server rejected the authentication".

  Something is blocking the network connection between FreeRADIUS and the LDAP server.  Find out what that is, and fix it.

> I tried to bind, manually, using the general command:
> ldapsearch -D ${identity} -w ${password} -H ${server} -b 'CN=user,${base_dn}'
> and it worked.

  Does it use the same port?

> In mods-available/ldap, at line 77, I read the suggestion:
> ldapsearch -D ${identity} -w ${password} -h ${server} -b 'CN=user,${base_dn}'
> which did not work (the "-h" parameter is not supported anymore?).

  Ask the people who wrote ldapsearch.

  Or, read its documentation.  -H is for the LDAP URI.  -h is for the hostname.

> I don't think that this is the exact command used by freeradius, so the cause is elsewhere, likely in my configuration files.
> 
> What am I supposed to check?

  The network. Firewalls, etc.

> Do you need the full debug?

  Not this time.

  Alan DeKok.
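The two diagnostic points in the reply above, "this is can't contact, not a rejected bind" and "does ldapsearch use the same port?", can be checked mechanically. The script below is an added example and is not part of the thread or of FreeRADIUS: it parses LDAP URIs with their standard default ports (389 for ldap, 636 for ldaps), tells whether two URIs name the same endpoint, classifies the rlm_ldap bind failure text quoted in the post, and optionally probes the endpoint with a plain TCP connect followed by a verifying TLS handshake so that a firewall block, a DNS problem and a certificate problem show up as different failures. The function and dictionary names are my own; the log line is copied from the post.

```python
import socket
import ssl
from urllib.parse import urlsplit

# RFC 4516 / RFC 2830 default ports for the two URI schemes.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

# Bind failure text from the post (constructed input for the classifier).
LOG_LINE = ("rlm_ldap (ldap): Bind with CN=reader-freeradius,OU=ServiceUsers,"
            "OU=ServicePeople,DC=testuni,DC=it to ldaps://dc1.testuni.it:636 "
            "failed: Can't contact LDAP server")


def parse_ldap_uri(uri):
    """Return (scheme, host, port) for an ldap:// or ldaps:// URI.

    A missing port is filled in with the scheme's default, which is what
    both ldapsearch and rlm_ldap do, so two URIs can be compared fairly.
    """
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme in {uri!r}")
    if not parts.hostname:
        raise ValueError(f"no host in {uri!r}")
    return scheme, parts.hostname.lower(), parts.port or DEFAULT_PORTS[scheme]


def same_endpoint(uri_a, uri_b):
    """True when both URIs reach the same host, port and scheme (the
    'does it use the same port?' question from the reply)."""
    return parse_ldap_uri(uri_a) == parse_ldap_uri(uri_b)


def classify_bind_error(log_line):
    """Sort an rlm_ldap bind failure into 'network' (connection never made)
    or 'auth' (server answered and refused the credentials); None otherwise."""
    text = log_line.lower()
    if "can't contact" in text or "cannot contact" in text:
        return "network"
    if "invalid credentials" in text:     # standard LDAP resultCode 49 text
        return "auth"
    return None


def probe_endpoint(uri, timeout=5.0):
    """Try a TCP connect and, for ldaps, a certificate-verifying TLS handshake.

    Returns a dict so the caller can see which layer failed: 'tcp' failing
    points at DNS, routing or a firewall; 'tls' failing points at the
    server certificate or the trust store, not at the network.
    """
    scheme, host, port = parse_ldap_uri(uri)
    result = {"host": host, "port": port, "tcp": None, "tls": None}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        result["tcp"] = f"failed: {exc}"
        return result
    result["tcp"] = "ok"
    if scheme == "ldaps":
        ctx = ssl.create_default_context()   # verifies the chain and hostname
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                result["tls"] = f"ok ({tls.version()})"
        except ssl.SSLError as exc:
            result["tls"] = f"failed: {exc}"
        finally:
            sock.close()                     # harmless if already detached
    else:
        sock.close()
    return result


if __name__ == "__main__":
    print("bind failure class:", classify_bind_error(LOG_LINE))
    print("ldapsearch vs rlm_ldap same endpoint:",
          same_endpoint("ldaps://dc1.testuni.it", "ldaps://dc1.testuni.it:636"))
    # The probe needs network access; the host below is the one from the post.
    print(probe_endpoint("ldaps://dc1.testuni.it:636"))
```

Run it on the FreeRADIUS host itself, not on an admin workstation: a "tcp: failed" there with a working ldapsearch elsewhere is exactly the firewall situation the reply describes, while "tcp: ok, tls: failed" means the connection reaches the server and the problem is the certificate chain or the CA configured in mods-available/ldap.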
