I have two ldaps backends instantiated like:

authorize {
...
        Autz-Type OPENLDAP {
                openldap
        }
        Autz-Type ADLDAP {
                adldap
        }
...
}

authenticate {
...
        Auth-Type OPENLDAP {
                openldap
        }
        Auth-Type ADLDAP {
                adldap
        }
...
}


The two modules are configured as follows using DIFFERENT issuing CAs...

ldap adldap {
        server = "ldaps://myAD.ds.units.it"
        identity = ...
        password = ...
        basedn = ...
        filter = "(samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})"
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1

        tls {
                start_tls = no
                cacertfile = /usr/local/etc/raddb/.../certs/ad_root_ca.pem
                require_cert    = "demand"
        }
...
}


ldap openldap {
        server = "ldaps://myopenldap.units.it"
        identity = ...
        password = ...
        basedn = ...
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        ldap_connections_number = 5
        timeout = 5
        timelimit = 5
        net_timeout = 10
        tls {
                start_tls = no
                cacertfile = /etc/ssl/certs/AddTrust_External_Root.pem
                require_cert    = "demand"
        }
...
}


Now, the problem is that once I have started freeradius, the first connection
to an ldap server goes straight through, while the second (to the other one) says:

ldap_create
ldap_url_parse_ext(ldaps://myAD.ds.units.it)
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP myAD.ds.units.it:636
ldap_new_socket: 32
ldap_prepare_socket: 32
ldap_connect_to_host: Trying yyy.yyy.yyy.yyy:636
ldap_pvt_connect: fd: 32 tm: 1 async: 0
ldap_ndelay_on: 32
ldap_int_poll: fd: 32 tm: 1
ldap_is_sock_ready: 32
ldap_ndelay_off: 32
ldap_pvt_connect: 0
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string

...and letting the first request be to the myAD server (soon after a
restart):

ldap_create
ldap_url_parse_ext(ldaps://myopenldap.units.it)
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP myopenldap.units.it:636
ldap_new_socket: 33
ldap_prepare_socket: 33
ldap_connect_to_host: Trying xxx.xxx.xxx.xxx:636
ldap_pvt_connect: fd: 33 tm: 10 async: 0
ldap_ndelay_on: 33
ldap_int_poll: fd: 33 tm: 10
ldap_is_sock_ready: 33
ldap_ndelay_off: 33
ldap_pvt_connect: 0
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string


I suspect the "cacertfile" attribute is not correctly re-instantiated
and only the value from the first request is used to check against when
a new ldaps connection is instantiated.

Any suggestions?


-- 
   Daniele ALBRIZIO - [email protected]
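Added example (mine, not from the post or from FreeRADIUS): assuming the suspicion above is right and only one cacertfile is honoured per process, one workaround to try is a single CA bundle holding both roots, referenced from both ldap instances. The script builds two throwaway CAs and one leaf certificate per CA (standing in for the two LDAPS servers), then shows that each leaf verifies only against a CA file that contains its own root, while a combined bundle satisfies both; all names are constructed and openssl is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example, not from the post: two throwaway CAs standing in for
# ad_root_ca.pem and AddTrust_External_Root.pem, one leaf per CA standing
# in for each LDAPS server. All material is constructed in a temp dir.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed root CA; $1 = short name used for the file and CN.
mkca() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.pem" -subj "/CN=$1" -days 1 >/dev/null 2>&1
}

# Leaf certificate signed by a CA; $1 = leaf name, $2 = CA short name.
mkleaf() {
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "/CN=$1" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
        -CAcreateserial -out "$WORK/$1.pem" -days 1 >/dev/null 2>&1
}

# Exit 0 when leaf $2 chains to a root in CA file $1, else non-zero: the
# same decision libldap makes for require_cert = "demand".
verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# One line per check instead of libldap's "peer cert untrusted (0x42)".
report() {
    if verifies "$1" "$2"; then
        echo "OK    $(basename "$2") against $(basename "$1")"
    else
        echo "FAIL  $(basename "$2") against $(basename "$1")  (untrusted)"
    fi
}

mkca ad_root
mkca openldap_root
mkleaf myAD.ds.units.it ad_root
mkleaf myopenldap.units.it openldap_root
# Workaround candidate: one bundle with both roots, used by both instances.
cat "$WORK/ad_root.pem" "$WORK/openldap_root.pem" > "$WORK/bundle.pem"

report "$WORK/ad_root.pem"       "$WORK/myAD.ds.units.it.pem"
report "$WORK/openldap_root.pem" "$WORK/myAD.ds.units.it.pem"   # the failing case
report "$WORK/bundle.pem"        "$WORK/myAD.ds.units.it.pem"
report "$WORK/bundle.pem"        "$WORK/myopenldap.units.it.pem"
```

The second report line reproduces the "untrusted" outcome from the post: a server certificate checked against the other server's CA file. Whether a shared bundle is acceptable depends on whether you are willing to trust either root for both directories.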

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html