Regression #16261
openRADIUS connection to upstream LDAP server cannot be setup over TLS
Status: New
Priority: High
Assignee: -
Category: FreeRADIUS
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version: 2.8.0
Affected Plus Version:
Affected Architecture: All
Description
After upgrading from 2.7.x to 2.8.0, radiusd did not start with these errors:
Jun 12 15:02:37 radiusd 581 /usr/local/etc/raddb/mods-enabled/ldap[1]: Invalid configuration for module "ldap"
Jun 12 15:02:37 radiusd 581 /usr/local/etc/raddb/mods-enabled/ldap[29]: Failed parsing configuration item "certificate_file"
Jun 12 15:02:37 radiusd 581 Unable to check file "/usr/local/etc/raddb/certs/radius_ldap1_cert.crt": No such file or directory
Luckily (sic), I can disable TLS handling and get RADIUS connectivity from the radiusd daemon to our LDAP server; but that's not OK.
No toggle of TLS settings (or setting the certificate to the correct root CA certificate) has helped; and this worked fine in 2.7.0.
Updated by Didier Raboud 3 months ago
After further investigation, it looks like the LDAP TLS configuration gets generated as follows:
tls {
    start_tls = no
    ca_file = /usr/local/etc/raddb/certs/ca_ldap1_cert.pem
    ca_path = /usr/local/etc/raddb/certs/
    certificate_file = /usr/local/etc/raddb/certs/radius_ldap1_cert.crt
    private_key_file = /usr/local/etc/raddb/certs/radius_ldap1_cert.key
    random_file = /dev/urandom
    require_cert = "demand"
}
But certificate_file and private_key_file should not be set up. "touch"ing these files on the servers gets the server started, but the TLS connection is still broken.
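As an added check (not part of the ticket, pfSense or FreeRADIUS), the script below parses a generated ldap `tls { ... }` block, reports every referenced file that does not exist (the condition behind the "Unable to check file" error above) and flags whether a client certificate pair has been configured at all. The `exists` parameter is an assumption introduced so the check can be run against a config copied from another host; the sample block is the one quoted in the comment.

```python
import os
import re

# Constructed sample: the tls block quoted in the ticket, including the two
# client-certificate settings the commenter says should not have been emitted.
SAMPLE_TLS_BLOCK = """
tls {
    start_tls = no
    ca_file = /usr/local/etc/raddb/certs/ca_ldap1_cert.pem
    ca_path = /usr/local/etc/raddb/certs/
    certificate_file = /usr/local/etc/raddb/certs/radius_ldap1_cert.crt
    private_key_file = /usr/local/etc/raddb/certs/radius_ldap1_cert.key
    random_file = /dev/urandom
    require_cert = "demand"
}
"""

FILE_KEYS = ("ca_file", "ca_path", "certificate_file", "private_key_file", "random_file")
# rlm_ldap uses these two for the client certificate presented to the LDAP server.
CLIENT_CERT_KEYS = ("certificate_file", "private_key_file")


def parse_tls_block(text):
    """Return the key/value pairs inside the first tls { ... } block."""
    match = re.search(r"tls\s*\{(.*?)\}", text, re.S)
    if not match:
        raise ValueError("no tls { ... } block found")
    settings = {}
    for line in match.group(1).splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value.strip('"')
    return settings


def check_tls_block(text, exists=os.path.exists):
    """List the problems radiusd would hit when loading this tls block."""
    settings = parse_tls_block(text)
    findings = []
    for key in FILE_KEYS:
        if key in settings and not exists(settings[key]):
            findings.append(f"{key}: {settings[key]} does not exist")
    present = [k for k in CLIENT_CERT_KEYS if k in settings]
    if present:
        findings.append("client certificate configured: " + ", ".join(present))
    if len(present) == 1:  # a lone half of the pair is always a misconfiguration
        findings.append("certificate_file and private_key_file must be set together")
    return findings
```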