LDAPS - where to start from?

Alan DeKok aland at deployingradius.com
Wed Sep 13 11:45:02 UTC 2023


On Sep 13, 2023, at 5:56 AM, Pietro N. via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> The LDAP server receives TCP and TLS1.2 exchange packets with the freeradius server.
> The last packet label, from the LDAP server is :
> ..."636 → 44698 [RST, ACK] Seq=2280 Ack=726 Win=0 Len=0"
> 
> I can't see a network or firewall problem.

  That's good, but it's still not a FreeRADIUS issue.

  The rlm_ldap module talks to the LDAP server via libldap.  i.e. FreeRADIUS asks libldap to contact the LDAP server, and libldap says "no".

  When you see the message:

rlm_ldap (ldap): Bind with CN=reader-freeradius,OU=ServiceUsers,OU=ServicePeople,DC=testuni,DC=it to ldaps://dc1.testuni.it:636 failed: Can't contact LDAP server

  The "Can't contact LDAP server" text comes from libldap.  It doesn't appear anywhere in the FreeRADIUS source code.  So the reason *why* it can't contact the LDAP server is magic, and is buried in the libldap code.

  One thing which might help is to read mods-available/ldap, and look at the "ldap_debug" flag.  You can set various debugging flags which get passed to libldap, and then libldap produces more debug messages.  Maybe something there is useful.

  But in the end, we didn't write libldap, and we're not on your network.  So it's fairly hard to know what's going on.

> Checked: "-h" does not exist in ldapsearch 2.5.13

  Well, we didn't write ldapsearch, and they don't notify us when their tools change.

> Weeks ago, other tests with an older ldapsearch (and older debian), using "-h" and port 389, were not relevant, because our LDAP server rejects non-secure LDAP connections.
> Could this be the issue? Does rlm_ldap need port 389 to accept/reply I-dont-know-what before using 636?

  No.  If FreeRADIUS prints out that it's using port 636, then it's using port 636.

> https://wiki.freeradius.org/modules/rlm_ldap#errors-with-ldap-over-tls-connections suggests to check for: "... probably using a version of libldap that has been built with NSS ..."
> I'm not using Red Hat; should I check as well?

  No.

  Alan DeKok.
