LDAP Module: problem with starttls #481
Comments
OK, just to let you know, I've reproduced this locally:
Took a while because OpenLDAP kept crashing on:
nice...
OK, fixed by #1e4ea8800cab78272ce3a7d1855e49d56db95263. I also fixed libldap debug output; apparently that option needs to be set in the global context (also not documented). When using per-connection handle TLS contexts, they need to be set after all the TLS configuration options, which is slightly counterintuitive. Note that this was not mentioned anywhere in the libldap documentation; I just discovered it by trial and error. Anyway, if you use the latest version of either of the branches, it should now work.
Hello Arran,
Error from debug output:
When I comment out the mappings, radiusd runs fine and can connect to LDAP via StartTLS, yeah!
Regards,
FR3: starttls problem with ldap module
Environment:
Machine1:
Machine2:
Machine3:
The OpenLDAP servers on all machines use certificates issued by the same CA (used for syncrepl over TLS). For certificate verification the same CA certificate file is used.
Problem description:
On machine 2 FR3 can't connect to ldap server via starttls. The TLS handshake fails with error message "Unknown CA (48)".
But the TLS handshake succeeds for OpenLDAP's own syncrepl operations, for the LDAP client utilities, and for the ldap module connection of the FreeRADIUS 2.1.12 server on Machine3.
I have configured the FR ldap module on Machine3 to connect to the LDAP server on Machine2 and this succeeds as well. This leads me to assume that my certificates are set up properly and the problem might be related to the ldap module of FR3.
Please let me know if more information is needed. I have created one packet trace which shows the error mentioned above, as well as one packet trace with a successful connect from FR2 on Machine3 to OpenLDAP on Machine2. I would prefer to send these privately to you, if needed. GitHub only allows images.
Kind regards,
Tobias Hachmer