LDAPS - where to start from?
little-nemo at virgilio.it
Thu Sep 14 11:22:26 UTC 2023
> Il 13/09/2023 13:45 CEST Alan DeKok <aland at deployingradius.com> ha scritto:
> The rlm_ldap module talks to the LDAP server via libldap. i.e. FreeRADIUS asks libldap to contact the LDAP server, and libldap says "no".
>
Thanks Alan, your explanation led me to: "... ldapsearch is linked to GnuTLS and not OpenSSL..." (reference: https://kb.checkmk.com/pages/viewpage.action?pageId=17471579)
> One thing which might help is to read mods-available/ldap, and look at the "ldap_debug" flag.
Thanks, good clue!
The full libldap debug revealed some unexpected errors and this one led me to the solution (or at least to a workaround):
...TLS: peer cert untrusted or revoked (0x42)
What I'm guessing is:
1- ldapsearch uses the Debian certificate store, so it finds our internal CA root certificate there and can trust the LDAP server certificate
2- libldap does not use the system certificate store by default (does FreeRADIUS let you set/send any parameter to overcome this behaviour?).
The workaround I applied:
explicitly setting, in the tls section of mods-enabled/ldap:
ca_file = /usr/share/ca-certificates/mozilla/ADCArootCert.crt
My question:
Given that the tls section states:
"# The StartTLS operation is supposed to be used with normal ldap connections instead of using ldaps (port 636) connections",
BUT I'm using LDAPS, should I fear random, unforeseeable behaviour from freeradius? Hm... rethinking it, if the "behaviour" comes from libldap it's possible that you are not able to know it for sure.
> > Checked: "-h" does not exist in ldapsearch 2.5.13
>
> Well, we didn't write ldapsearch, and they don't notify us when their tools change.
Of course, please just take my note as a suggestion to improve the documentation.
Thanks again, Pietro.
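As an added example (not from Pietro's message, and not the FreeRADIUS project's own file), this is what a complete LDAPS configuration of the ldap module in mods-enabled/ldap can look like once the ca_file workaround from the thread is combined with the other tls settings the stock file offers. The hostname is an assumed placeholder; the ca_file path is the one quoted above; the ldap_debug mask and the require_cert/start_tls keys are the ones documented in the stock mods-available/ldap.

```text
ldap {
        # LDAPS: TLS from the first byte, so use the ldaps:// scheme and port 636.
        # (hostname is an assumed placeholder)
        server = 'ldaps://ldap.example.internal'
        port = 636

        # libldap debug output, as suggested in the thread; raise it only while
        # troubleshooting, since it logs every LDAP packet into the radiusd debug output.
        ldap_debug = 0x0028

        tls {
                # CA that issued the LDAP server certificate. rlm_ldap passes this
                # file to libldap for this connection, so it works regardless of
                # the system-wide TLS_CACERT in /etc/ldap/ldap.conf.
                # (path taken from the thread; use your own CA file)
                ca_file = /usr/share/ca-certificates/mozilla/ADCArootCert.crt

                # Reject an untrusted or name-mismatched server certificate instead
                # of continuing; 'never' or 'allow' would hide exactly the
                # "peer cert untrusted or revoked (0x42)" error seen above.
                require_cert = 'demand'

                # The connection is already ldaps://, so StartTLS must stay off:
                # StartTLS upgrades a plain ldap:// (port 389) session and is not
                # meant to be combined with an ldaps:// URL.
                start_tls = no
        }
}
```

The stock file's comment about StartTLS only warns against turning start_tls on together with an ldaps:// URL; with start_tls = no and an ldaps:// server, libldap negotiates TLS at connect time and the rest of the module behaves as it does for any other connection. To confirm that the CA file itself is acceptable to libldap before touching FreeRADIUS, the same file can be handed to ldapsearch for a single query with the LDAPTLS_CACERT environment variable, e.g. `LDAPTLS_CACERT=/usr/share/ca-certificates/mozilla/ADCArootCert.crt ldapsearch -H ldaps://ldap.example.internal -x -b '' -s base` (hostname assumed); if that succeeds but radiusd with ldap_debug still reports error 0x42, the difference is in the FreeRADIUS tls section rather than in the certificate chain.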