Hmmm . . . I feel like I'm talking to myself here - but this is a problem that may need some attention. This issue will be more pertinent I think if people begin to use later versions of openldap not only as collocated servers but simply to supply the liblber and other ldap libraries to allow freeradius to authenticate via ldap. If what I've witnessed and tested several times is proven out, freeradius will not work (that is, will not perform correct ldap authentication) with certain versions of openldap libraries. I have tested with openldap-2.1.12 which does work and with openldap-2.1.16 which does not. I have not tested with versions in between.
Can anyone confirm this from their own experience? Is there something simple I'm missing that might explain and offer a solution (besides, of course, not using openldap-2.1.16)?

Mike

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Denka
Sent: Wednesday, March 26, 2003 3:50 PM
To: [EMAIL PROTECTED]
Subject: RE: rlm_ldap issues

After more research, I found that I could only get radius to work by manually removing all the libraries from openldap-2.1.16 and rebuilding an earlier release (in my case, I used 2.1.12). Just rebuilding and reinstalling the two programs didn't work, as I said in my first post, so some residual components of 2.1.16 are left intact and used by freeradius even if an earlier version of ldap is reinstalled.

One might object to my posting this thread on the freeradius list rather than the openldap list, and that objection has merit. But I'd really like to get the opinions of the freeradius gurus about what might be causing this hostility between freeradius and the latest openldap. In any case, this may serve as a cautionary tale for anyone planning to upgrade to the latest openldap ON THE SAME SERVER that is running freeradius. (Also a cautionary tale for anyone wondering whether it's a good idea to run two major production services on the same server.)

I'm also curious - is anyone else successfully running openldap-2.1.16 on the same server as freeradius-0.8.1? Perhaps I'm overlooking something?

Mike

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Denka
Sent: Wednesday, March 26, 2003 7:49 AM
To: [EMAIL PROTECTED]
Subject: rlm_ldap issues

This morning I upgraded my ldap server to the latest revision (from openldap-2.1.12 to openldap-2.1.16). Then restarted radius (freeradius v 0.8.1) and was surprised by a slew of errors in my radius.log file.

They were:

"Error: rlm_ldap: All ldap connections are in use"

and

"Error: Dropping packet from client evrt1-1:1645 - ID: 32 due to dead request 933"

Of course, no one could authenticate. Next I ran radius in debug mode, but as soon as a connection was requested, the radius server died trying to authenticate the first user. The failed authentication ended with the following output from radiusd -X:

. . .
rad_lowerpair: User-Name now 'mollybe'
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for mollybe
radius_xlat: '(uid=mollybe)'
radius_xlat: 'ou=people,dc=winsome,dc=com'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
rlm_ldap: bind as cn=Manager,dc=winsome,dc=com/secretpassword to 127.0.0.1:389
rlm_ldap:waiting for bind result ...
rlm_ldap: performing search in ou=people,dc=winsome,dc=com, with filter (uid=mollybe)
/usr/local/sbin/radiusd: relocation error: /usr/local/lib/rlm_ldap-0.8.1.so: undefined symbol: ldap_enable_cache

Unable to determine the exact nature of the errors, I decided to go back to the previous version of LDAP to undo what I had done. However, after reinstalling the previous version of LDAP, the same problem with radius persisted. Since it appeared that there was a library problem in rlm_ldap-0.8.1, I rebuilt freeradius from scratch. Still, the same errors persisted.

Now, as a temporary measure I have had to go back to the passwd and shadow files to allow customer access. But this is not a solution. Please lend assistance if you can.

Thanks very much,
Mike

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
