On 11/06/2011 09:04 AM, Frank Skovboel wrote:
Hi,

I'm trying to authorize users in different ADs (2003 and 2008), but I
keep running into an error I can't find anything on when I google it.

For the purpose of the testing I have set the following in the ldap
section: require_cert

Freeradius tries to connect to the ldap server (2008), the connection
fails and I get the following debug output.

============================ DEBUG =======================================
[ldap_CustA] performing user authorization for MyAccount
[ldap_CustA] expand: (&(sAMAccountName=%{User-Name})) ->
(&(sAMAccountName=MyAccount))
[ldap_CustA] expand: ou=OU1,ou=OU2,dc=domain,dc=local ->
ou=OU1,ou=OU2,dc=domain,dc=local
[ldap_CustA] ldap_get_conn: Checking Id: 0
[ldap_CustA] ldap_get_conn: Got Id: 0
[ldap_CustA] attempting LDAP reconnection
[ldap_CustA] (re)connect to AD-IP-ADDRESS:636, authentication 0
[ldap_CustA] setting TLS mode to 1
[ldap_CustA] setting TLS CACert File to /etc/raddb/certs/ca.pem
[ldap_CustA] setting TLS CACert Directory to /etc/raddb/certs/
[ldap_CustA] setting TLS Require Cert to never
[ldap_CustA] setting TLS Cert File to /etc/raddb/certs/server.crt
[ldap_CustA] setting TLS Key File to /etc/raddb/certs/server.key
[ldap_CustA] setting TLS Key File to /etc/raddb/certs/random

This is a logging bug in FreeRADIUS; the code seems to have been copy & pasted. It *is* setting the randfile option, but it's logging the wrong thing (key file). It can be ignored.

[ldap_CustA] bind as user@domain.local/PASSWORD to 193.47.81.75:636
TLS: could not add the certificate PEM Token #0:server.crt - 0 - error
-8192:Unknown code ___f 0.
TLS: error: could not initialize moznss security context - error
-8192:Unknown code ___f 0

Well that's a new one on me.

Which version of FreeRADIUS are you using, on which OS? Which LDAP libraries are you linking against?

I'm guessing you're on a RedHat based system, judging from the fact that the LDAP libraries seem to be using Mozilla NSS rather than OpenSSL under the hood?

Where did "server.crt" come from? I presume it's a copy of the LDAP server cert, signed by the CA in "ca.pem"? Do you need it? You can probably just give the CA cert, for a connection to an LDAP server.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

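To make the last point concrete, here is an added example (not from the thread, and not the module's shipped config) of what the rlm_ldap `tls` block looks like in the two shapes being discussed: the testing shape from the debug output, where `require_cert` is `never` and a client cert/key are loaded, next to the shape the reply suggests, where only the CA that issued the AD certificate is trusted and the server certificate is actually verified. Option names follow the FreeRADIUS 2.x `raddb/modules/ldap` layout as I recall it; the hostname, bind account and file paths are placeholders, and `/dev/urandom` as `randfile` is just one reasonable choice.

```text
# Added example configuration, not from the original thread.
# Assumes FreeRADIUS 2.x rlm_ldap option names; hosts and paths are hypothetical.
ldap ldap_CustA {
        # LDAPS on 636: the TLS session is opened at connect time,
        # so start_tls stays off and tls_mode is switched on.
        server = "ad.example.local"
        port = 636
        tls_mode = yes
        identity = "svc_radius@example.local"
        password = "CHANGE_ME"
        basedn = "ou=OU1,ou=OU2,dc=domain,dc=local"
        filter = "(sAMAccountName=%{User-Name})"

        tls {
                start_tls = no

                # --- testing shape (matches the debug output above) ----------
                # A client certificate is presented although the AD server
                # does not ask for one, and with require_cert = "never" the
                # server's certificate is accepted without any validation,
                # so the bind password can be sent to an impersonated server.
                # cacertfile   = /etc/raddb/certs/ca.pem
                # cacertdir    = /etc/raddb/certs/
                # certfile     = /etc/raddb/certs/server.crt
                # keyfile      = /etc/raddb/certs/server.key
                # randfile     = /etc/raddb/certs/random
                # require_cert = "never"

                # --- hardened shape ------------------------------------------
                # Only the CA that issued the AD server certificate is trusted,
                # no client cert/key is loaded, and "demand" makes the bind fail
                # unless the server presents a certificate chaining to ca.pem.
                cacertfile   = /etc/raddb/certs/ca.pem
                randfile     = /dev/urandom
                require_cert = "demand"
        }
}
```

Before switching to the hardened block, the one thing worth checking is that `ca.pem` really is the issuing CA of the AD server certificate (for an AD CS deployment that is the enterprise root or intermediate, not the server's own cert); if it is not, `demand` will simply refuse every connection, which is the correct failure mode but an unhelpful one during rollout.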