Hmmm . . . I feel like I'm talking to myself here - but this is a
problem that may need some attention.  This issue will be more pertinent
I think if people begin to use later versions of openldap not only as
collocated servers but simply to supply the liblber and other ldap
libraries to allow freeradius to authenticate via ldap.  If what I've
witnessed and tested several times is proven out, freeradius will not
work (that is, will not perform correct ldap authentication) with
certain versions of openldap libraries.  I have tested with
openldap-2.1.12 which does work and with openldap-2.1.16 which does not.
I have not tested with versions in between.

Can anyone confirm this from their own experience?  Is there something
simple I'm missing that might explain and offer a solution (besides, of
course, not using openldap-2.1.16)?

Mike


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Denka
Sent: Wednesday, March 26, 2003 3:50 PM
To: [EMAIL PROTECTED]
Subject: RE: rlm_ldap issues

After more research, I found that I could only get radius to work by
manually removing all the libraries from openldap-2.1.16 and rebuilding
an earlier release (in my case, I used 2.1.12).  Just rebuilding and
reinstalling the two programs didn't work, as I said in my first post,
so some residual components of 2.1.16 are left intact and used by
freeradius even if an earlier version of ldap is reinstalled.

One might object to my posting this thread on the freeradius list rather
than the openldap list, and that objection has merit.  But I'd really
like to get the opinions of the freeradius gurus about what might be
causing this hostility between freeradius and the latest openldap.  In
any case, this may serve as a cautionary tale for anyone planning to
upgrade to the latest openldap ON THE SAME SERVER that is running
freeradius.  (Also a cautionary tale for anyone wondering whether it's a
good idea to run two major production services on the same server).

I'm also curious - is anyone else successfully running openldap-2.1.16
on the same server as freeradius-0.8.1?  Perhaps I'm overlooking
something?

Mike


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Denka
Sent: Wednesday, March 26, 2003 7:49 AM
To: [EMAIL PROTECTED]
Subject: rlm_ldap issues


This morning I upgraded my ldap server to the latest revision (from
openldap-2.1.12 to openldap-2.1.16).  Then restarted radius (freeradius
v 0.8.1) and was surprised by a slew of errors in my radius.log file.
They were:

"Error: rlm_ldap: All ldap connections are in use"

and 

"Error: Dropping packet from client evrt1-1:1645 - ID: 32 due to dead
request 933"

Of course, no one could authenticate.

Next I ran radius in debug mode, but as soon as a connection was
requested, the radius server died trying to authenticate the first user.
The failed authentication ended with the following output from radiusd
-X:

.
.
.
rad_lowerpair: User-Name now 'mollybe'
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for mollybe
radius_xlat: '(uid=mollybe)'
radius_xlat: 'ou=people,dc=winsome,dc=com'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
rlm_ldap: bind as cn=Manager,dc=winsome,dc=com/secretpassword to
127.0.0.1:389
rlm_ldap:waiting for bind result ...
rlm_ldap: performing search in ou=people,dc=winsome,dc=com, with filter
(uid=mollybe)
/usr/local/sbin/radiusd: relocation error:
/usr/local/lib/rlm_ldap-0.8.1.so: undefined symbol: ldap_enable_cache

Unable to determine the exact nature of the errors, I decided to go back
to the previous version of LDAP to undo what I had done.  However, after
reinstalling the previous version of LDAP, the same problem with radius
persisted.  Since it appeared that there was a library problem in
rlm_ldap-0.8.1, I rebuilt freeradius from scratch.  Still, the same
errors persisted.  Now, as a temporary measure I have had to go back to
the passwd and shadow files to allow customer access.  But this is not a
solution.  Please lend assistance if you can.

Thanks very much,

Mike


- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
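The failure quoted above ("relocation error ... undefined symbol: ldap_enable_cache") is the dynamic loader discovering, at the first LDAP search, that the module imports a symbol none of the installed libraries export; the stale libraries that survived the downgrade explain why reinstalling did not help. The check below is an added example, not code from the thread or from the freeradius or openldap projects: it lists a module's imported symbols with `nm -D`, collects the exports of every dependency `ldd` resolves (plus any extra objects such as the daemon binary, since rlm_ldap also calls into radiusd functions like `radius_xlat`), and reports what would fail to resolve before the service is restarted. The module and daemon paths, and the `nm -D` excerpts in `demo`, are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): report imported symbols that no
# dependency exports, so a "relocation error: undefined symbol" is caught
# before restarting the daemon. Module/daemon paths are assumptions.

# Symbols an object imports: nm -D marks them "U" (no address column).
# Weak undefined ("w") symbols are optional and never fail relocation.
undefined_symbols() {
    awk '$1 == "U" { print $2 }' | sort -u
}

# Symbols an object exports: address, a defining type letter, then the name.
defined_symbols() {
    awk 'NF == 3 && $2 ~ /^[TtDdWwBbRrVv]$/ { print $3 }' | sort -u
}

# missing_symbols MODULE_NM DEPS_NM
# Both arguments are files holding `nm -D` output. Prints each symbol the
# module imports that none of the dependencies export; empty means clean.
missing_symbols() {
    u="${TMPDIR:-/tmp}/undef.$$"
    d="${TMPDIR:-/tmp}/def.$$"
    undefined_symbols <"$1" >"$u"
    defined_symbols <"$2" >"$d"
    comm -23 "$u" "$d"
    rm -f "$u" "$d"
}

# check_module MODULE.so [EXTRA_OBJECT ...]
# Gathers exports from every library ldd resolves for the module, plus the
# extra objects given (e.g. the radiusd binary that provides radius_xlat),
# and prints anything still unresolved. Returns 1 if the load would fail.
check_module() {
    module=$1
    shift
    mod_nm="${TMPDIR:-/tmp}/mod_nm.$$"
    dep_nm="${TMPDIR:-/tmp}/dep_nm.$$"
    nm -D "$module" >"$mod_nm"
    : >"$dep_nm"
    # ldd lines look like "libldap.so.2 => /usr/local/lib/libldap.so.2 (0x...)"
    ldd "$module" | awk '$2 == "=>" && $3 ~ /^\// { print $3 }' |
        while read -r lib; do nm -D "$lib" >>"$dep_nm"; done
    ldd "$module" | grep 'not found' >&2 || true
    for extra in "$@"; do nm -D "$extra" >>"$dep_nm"; done
    missing=$(missing_symbols "$mod_nm" "$dep_nm")
    rm -f "$mod_nm" "$dep_nm"
    if [ -n "$missing" ]; then
        printf 'unresolved symbols in %s:\n%s\n' "$module" "$missing" >&2
        return 1
    fi
    printf '%s: all imported symbols resolved\n' "$module"
}

# demo: constructed nm -D excerpts standing in for the module and its
# dependencies. The module imports ldap_enable_cache, which the newer
# libldap no longer exports, so exactly that symbol is reported.
demo() {
    m="${TMPDIR:-/tmp}/demo_mod.$$"
    d="${TMPDIR:-/tmp}/demo_dep.$$"
    cat >"$m" <<'EOF'
                 U ldap_enable_cache
                 U ldap_search_s
                 U radius_xlat
                 w __gmon_start__
0000000000001a20 T rlm_ldap_init
EOF
    cat >"$d" <<'EOF'
0000000000012340 T ldap_search_s
0000000000012500 T ldap_simple_bind_s
0000000000004000 T radius_xlat
EOF
    missing_symbols "$m" "$d"
    rm -f "$m" "$d"
}

# Usage (paths are assumptions):
#   sh check_module.sh --demo
#   . ./check_module.sh; check_module /usr/local/lib/rlm_ldap-0.8.1.so /usr/local/sbin/radiusd
if [ "${1:-}" = "--demo" ]; then demo; fi
```

On glibc systems `ldd -r MODULE.so` performs the same relocation check in one step; the script above is useful where that option is unavailable or where the daemon's own exports must be added by hand. Running it against the rebuilt rlm_ldap module, and against each libldap/liblber copy found with `ldconfig -p`, shows directly which library version is being picked up.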

