LDAP with TLS doesn't start.
What's wrong with my configuration? Or is it a problem of my LDAP-Server?
rlm_ldap with "start_tls=no" works fine!
I have the latest FreeRADIUS version, OpenSSL 0.9.6b and OpenLDAP 2.0.11.
Thanks for solutions!
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/radius/etc/raddb/clients.conf
main: prefix = "/usr/local/radius"
main: localstatedir = "/usr/local/radius/var"
main: logdir = "/usr/local/radius/var/log/radius"
main: libdir = "/usr/local/radius/lib"
main: radacctdir = "/usr/local/radius/var/log/radius/radacct"
main: hostname_lookups = no
read_config_files: reading dictionary
read_config_files: reading clients
read_config_files: reading realms
read_config_files: reading naslist
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = yes
main: log_stripped_names = yes
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = "/usr/local/radius/var/run/radiusd/radiusd.pid"
main: bind_address = 192.168.10.130 IP address [192.168.10.130]
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: proxy_requests = no
security: max_attributes = 200
security: reject_delay = 1
main: debug_level = 0
read_config_files: entering modules setup
...
Module: Loaded LDAP
ldap: server = "192.168.10.230"
ldap: port = 389
ldap: net_timeout = 10
ldap: timeout = 20
ldap: timelimit = 20
ldap: ldap_cache_timeout = 0
ldap: ldap_cache_size = 0
ldap: identity = "CN=LDAP-Proxy,OU=CW,OU=KIP,O=DE"
ldap: start_tls = yes
ldap: password = ""
ldap: basedn = "OU=CW,OU=KIP,O=DE"
ldap: filter = "(givenName=%{Stripped-User-Name:-%{User-Name}})"
ldap: default_profile = "(null)"
ldap: profile_attribute = "(null)"
ldap: access_group = "(null)"
ldap: password_header = "(null)"
ldap: password_attribute = "(null)"
ldap: access_attr = "(null)"
ldap: groupname_attribute = "cn"
ldap: groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
ldap: dictionary_mapping = "/usr/local/radius/etc/raddb/ldap.attrmap"
ldap: ldap_debug = 0
ldap: ldap_connections_number = 5
ldap: compare_check_items = no
ldap: access_attr_used_for_allow = yes
conns: (nil)
rlm_ldap: reading ldap<->radius mappings from file
/usr/local/radius/etc/raddb/ldap.attrmap
...
conns: 0x80c3140
Module: Instantiated ldap (nds_ldap)
...
rad_recv: Access-Request packet from host 192.168.10.130:1050, id=30, length=54
Thread 1 assigned request 0
Thread 1 handling request 0, (1 handled so far)
User-Name = "peter"
User-Password = "\221Z\217PO#\304\372\251q\202j\356\365\232("
NAS-IP-Address = 255.255.255.255
NAS-Port-Id = "2"
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
users: Matched DEFAULT at 7
modcall[authorize]: module "files" returns ok
rlm_eap: EAP-Message not found
modcall[authorize]: module "eap" returns noop
modcall: group authorize returns ok
rad_check_password: Found Auth-Type NDS_LDAP
auth: type "NDS_LDAP"
modcall: entering group authtype
rlm_ldap: - authenticate
rlm_ldap: login attempt by "peter" with password "upn"
radius_xlat: '(givenName=peter)'
radius_xlat: 'OU=CW,OU=KIP,O=DE'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 192.168.10.230:389, authentication 0
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/1/4
Nothing to do. Sleeping until we see a request.
rlm_ldap: setting TLS mode to 4
rlm_ldap: starting TLS
rlm_ldap: ldap_start_tls_s()
rlm_ldap: could not start TLS Criticial extension is unavailable
rlm_ldap: (re)connection attempt failed
ldap_release_conn: Release Id: 0
modcall[authenticate]: module "nds_ldap" returns fail
modcall: group authtype returns fail
auth: Failed to validate the user.
Login incorrect: [peter/upn] (from client localhost port 0)
Delaying request 0 for 1 seconds
Finished request 0
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
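The line "could not start TLS Criticial extension is unavailable" in the debug output is OpenLDAP's text for LDAP resultCode 12 (unavailableCriticalExtension): the server answered the StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037, RFC 4511 section 4.14) by saying it does not offer it, so rlm_ldap correctly refuses to continue rather than falling back to a cleartext bind. The following is an added example, not code from the original post, FreeRADIUS or OpenLDAP: it hand-encodes the StartTLS ExtendedRequest that ldap_start_tls_s() sends, decodes constructed ExtendedResponse messages (one success, one resultCode 12) and checks a rootDSE supportedExtension list for the StartTLS OID. The helper names and the sample messages are assumptions made for the example.

```python
# Added example: minimal BER encoder/decoder for the LDAPv3 StartTLS exchange
# (RFC 4511). Not FreeRADIUS or OpenLDAP code; the server replies below are
# constructed inline so the script runs offline.

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # RFC 4511 section 4.14.1

# LDAP resultCode values that matter for this exchange (RFC 4511 section 4.1.9).
# OpenLDAP's ldap_err2string(12) is "Critical extension is unavailable".
RESULT_CODES = {
    0: "success",
    1: "operationsError",
    2: "protocolError",
    12: "unavailableCriticalExtension",
    52: "unavailable",
}


def _ber_len(n):
    """BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_int(n):
    """Minimal two's-complement encoding used for INTEGER and ENUMERATED."""
    return n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True)


def _tlv(tag, content):
    return bytes([tag]) + _ber_len(len(content)) + content


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def build_starttls_request(message_id):
    """LDAPMessage { messageID, ExtendedRequest { requestName [0] StartTLS OID } }.

    This is the 31-byte message an LDAP client emits for ldap_start_tls_s()."""
    ext_req = _tlv(0x77, _tlv(0x80, STARTTLS_OID.encode("ascii")))  # [APPLICATION 23]
    return _tlv(0x30, _tlv(0x02, _ber_int(message_id)) + ext_req)


def build_extended_response(message_id, result_code, diagnostic=b"", response_name=None):
    """Construct a server ExtendedResponse (used here to fabricate sample replies)."""
    body = _tlv(0x0A, _ber_int(result_code)) + _tlv(0x04, b"") + _tlv(0x04, diagnostic)
    if response_name is not None:
        body += _tlv(0x8A, response_name.encode("ascii"))  # [10] responseName
    return _tlv(0x30, _tlv(0x02, _ber_int(message_id)) + _tlv(0x78, body))  # [APPLICATION 24]


def parse_extended_response(msg):
    """Decode an LDAPMessage carrying an ExtendedResponse into a dict."""
    tag, content, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = _read_tlv(content, 0)
    tag, body, _ = _read_tlv(content, pos)
    if tag != 0x78:
        raise ValueError("protocolOp is not an ExtendedResponse")
    _, code, pos = _read_tlv(body, 0)
    _, matched_dn, pos = _read_tlv(body, pos)
    _, diag, pos = _read_tlv(body, pos)
    result = {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "result_code": int.from_bytes(code, "big", signed=True),
        "matched_dn": matched_dn.decode(),
        "diagnostic": diag.decode(),
        "response_name": None,
    }
    result["result_name"] = RESULT_CODES.get(result["result_code"], "unknown")
    if pos < len(body):  # optional responseName [10]
        tag, name, pos = _read_tlv(body, pos)
        if tag == 0x8A:
            result["response_name"] = name.decode("ascii")
    return result


def starttls_supported(supported_extensions):
    """True if the rootDSE 'supportedExtension' values advertise StartTLS."""
    return STARTTLS_OID in set(supported_extensions)


def diagnose(msg):
    """Turn a StartTLS ExtendedResponse into the verdict a client should act on."""
    r = parse_extended_response(msg)
    if r["result_code"] == 0:
        return "server accepted StartTLS; continue with the TLS handshake"
    if r["result_code"] == 12:
        return "server rejects StartTLS (unavailableCriticalExtension); do not fall back to cleartext"
    return f"StartTLS failed: {r['result_name']} ({r['result_code']})"


if __name__ == "__main__":
    print(build_starttls_request(1).hex())
    print(diagnose(build_extended_response(1, 12)))  # the case in the post
    print(diagnose(build_extended_response(2, 0, response_name=STARTTLS_OID)))
```

Because the rejection comes from the server, the place to look is slapd, not radiusd.conf: an LDAP server only advertises StartTLS in the rootDSE supportedExtension attribute when it is configured for TLS, which for slapd means a certificate and key in slapd.conf. Reading that attribute (for example with `ldapsearch -x -b "" -s base supportedExtension` against the server) is the quick check before touching the client; if the OID is missing, the client-side `start_tls = yes` cannot succeed and should stay set so that the bind never silently degrades to a plaintext session.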