Bug 1992551
| Summary: | freeradius with ldap module failed to start (TLS: can't accept: (unknown)) | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Filip Dvorak <fdvorak> |
| Component: | freeradius | Assignee: | Antonio Torres <antorres> |
| Status: | CLOSED ERRATA | QA Contact: | Filip Dvorak <fdvorak> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 9.0 | CC: | fdvorak, nikolai.kondrashov |
| Target Milestone: | beta | Keywords: | Triaged |
| Target Release: | --- | Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | freeradius-3.0.21-25.el9 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-05-17 12:40:04 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (new packages: freeradius), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:2371
Description of problem:
If FreeRADIUS is configured to authenticate users via LDAP and TLS (with the rlm_ldap module), it fails to start due to the following error on RHEL9:

```
...
TLS trace: SSL_accept:error in TLSv1.3 early data
TLS: can't accept: (unknown)
...
```

Version-Release number of selected component (if applicable):
freeradius-3.0.21-18.el9.x86_64
RHEL-9.0.0-20210725.3
openldap-servers-2.4.57-7.el9.x86_64
OpenSSL 3.0.0-beta1 17 Jun 2021 (Library: OpenSSL 3.0.0-beta1 17 Jun 2021)

Steps to Reproduce:
1. Configure openldap server with certificates and check if it is possible to do ldapsearch via TLS.
   `ldapsearch -H ldaps://dell-per430-27.gsslab.pek2.redhat.com -x '*'`
   (slapd.conf was attached)
   ```
   TLSCipherSuite HIGH:MEDIUM:+SSLv2
   TLSCACertificateFile /etc/openldap/certs/ca.pem
   TLSCertificateFile /etc/openldap/certs/server-cert.pem
   TLSCertificateKeyFile /etc/openldap/certs/server-key.pem
   TLSVerifyClient demand
   ```
2. Install FR, generate def. certificates and configure FR to use ldap module.
3. Add attached certificates into tls section in /etc/raddb/mods-available/ldap
   ```
   ...
   tls {
       ca_file = "/etc/raddb/certs/ldap-server-ca.pem"
       certificate_file = "/etc/raddb/certs/ldap-client-cert.pem"
       private_key_file = "/etc/raddb/certs/ldap-client-key.pem"
       start_tls = no
       require_cert = "allow"
   ...
   ```
4. `radiusd -X`

Actual results:
```
...
lm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
rlm_ldap (ldap): Connecting to ldap://$(hostname):636
61139ce8 slap_listener_activate(8):
61139ce8 >>> slap_listener(ldaps:///)
61139ce8 connection_get(18): got connid=1011
rlm_ldap (ldap): Waiting for bind result...
61139ce8 connection_read(18): checking for input on id=1011
rlm_ldap (ldap): Bind with (anonymous) to ldap://hostname:636 failed: Server is busy
TLS trace: SSL_accept:before SSL initialization
TLS trace: SSL_accept:before SSL initialization
rlm_ldap (ldap): Opening connection failed (0)
rlm_ldap (ldap): Removing connection pool
/etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap"
```

Expected results:
radiusd should start

Additional info:
- used certificates were attached
- output from radiusd -X was attached
- output from slapd -d3 was attached
- this scenario works on RHEL8.5
- to reproduce this issue run TCMS test "freeradius-Sanity-freeradius-openldap-auth-test"
- legacy openssl provider was used
  ```
  Providers:
    default
      name: OpenSSL Default Provider
      version: 3.0.0
      status: active
    legacy
      name: OpenSSL Legacy Provider
      version: 3.0.0
      status: active
  ```
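The two configuration fragments in the report are worth a second look once the handshake itself is fixed: on the FreeRADIUS side, `require_cert = "allow"` lets the bind go ahead even if the LDAP server's certificate does not verify against `ca_file`, and on the slapd side `TLSCipherSuite HIGH:MEDIUM:+SSLv2` admits MEDIUM-strength suites (the `+SSLv2` part matches nothing in modern OpenSSL). The following small linter is an added example, not part of the bug report or of either project's code: it parses an rlm_ldap `tls { }` block and a slapd.conf-style TLS section and reports settings that weaken the LDAP transport. The sample configs are constructed to match the reporter's values, with `ldap.example.test` standing in for the real host; the hardened variants show the settings it accepts without findings.

```python
import re

# rlm_ldap passes require_cert to libldap as LDAP_OPT_X_TLS_REQUIRE_CERT.
# Only "demand" (alias "hard") aborts the connection when the LDAP server's
# certificate fails verification; "allow", "try" and "never" carry on binding.
STRICT_REQUIRE_CERT = {"demand", "hard"}

# OpenSSL cipher-string keywords that admit weak or obsolete suites.
WEAK_CIPHER_KEYWORDS = {"MEDIUM", "LOW", "SSLv2", "SSLv3", "NULL", "aNULL",
                        "eNULL", "EXPORT", "EXP", "RC4", "DES", "MD5"}


def parse_tls_block(config_text):
    """Return {key: value} for the first `tls { ... }` block of an rlm_ldap
    module config; quotes around values are stripped, # comments ignored."""
    match = re.search(r"\btls\s*\{(.*?)\}", config_text, re.S)
    settings = {}
    if not match:
        return settings
    for line in match.group(1).splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip().strip('"')
    return settings


def server_url(config_text):
    """Return the value of the module's `server = ...` line, or "" if absent."""
    match = re.search(r'^\s*server\s*=\s*"?([^"\s]+)', config_text, re.M)
    return match.group(1) if match else ""


def lint_rlm_ldap_tls(config_text):
    """Flag rlm_ldap settings that weaken transport security toward the LDAP server."""
    tls = parse_tls_block(config_text)
    url = server_url(config_text)
    findings = {}
    require_cert = tls.get("require_cert")
    if require_cert is not None and require_cert not in STRICT_REQUIRE_CERT:
        findings["require_cert"] = (
            f'"{require_cert}" lets the bind proceed even when the server certificate '
            'fails verification; set require_cert = "demand"')
    if not tls.get("ca_file"):
        findings["ca_file"] = "no CA file configured, so the server certificate cannot be verified"
    # Port 636 is the LDAPS port; any other ldap:// URL without STARTTLS is plaintext.
    plaintext = url.startswith("ldap://") and not url.rstrip("/").endswith(":636")
    if plaintext and tls.get("start_tls", "no").lower() == "no":
        findings["start_tls"] = (
            f"{url} with start_tls = no sends bind credentials in the clear; "
            "set start_tls = yes or use an ldaps:// URL")
    return findings


def parse_slapd_directives(config_text):
    """Return {directive: value} for slapd.conf-style lines (directive, then value)."""
    directives = {}
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            directives[parts[0]] = parts[1] if len(parts) > 1 else ""
    return directives


def lint_slapd_tls(config_text):
    """Flag slapd TLS directives that admit weak suites or leave the minimum version unpinned."""
    directives = parse_slapd_directives(config_text)
    findings = {}
    weak = []
    for token in directives.get("TLSCipherSuite", "").split(":"):
        if token.startswith(("!", "-")):
            continue  # explicit removal tightens the list rather than weakening it
        if token.lstrip("+") in WEAK_CIPHER_KEYWORDS:  # "+X" only reorders, still obsolete
            weak.append(token)
    if weak:
        findings["TLSCipherSuite"] = (f"{', '.join(weak)} admit weak or obsolete suites; "
                                      "prefer HIGH:!aNULL:!MD5")
    # OpenLDAP encodes TLS versions as 3.x: 3.1 = TLS 1.0, 3.2 = TLS 1.1, 3.3 = TLS 1.2.
    if "TLSProtocolMin" not in directives:
        findings["TLSProtocolMin"] = ("not set, so the floor is whatever the OpenSSL/system policy "
                                      "allows; add TLSProtocolMin 3.3 to pin TLS 1.2")
    return findings


# Constructed samples: the reporter's settings with a placeholder hostname, and hardened variants.
REPORTED_RLM_LDAP = '''
ldap {
    server = "ldap://ldap.example.test:636"
    tls {
        ca_file = "/etc/raddb/certs/ldap-server-ca.pem"
        certificate_file = "/etc/raddb/certs/ldap-client-cert.pem"
        private_key_file = "/etc/raddb/certs/ldap-client-key.pem"
        start_tls = no
        require_cert = "allow"
    }
}
'''
HARDENED_RLM_LDAP = REPORTED_RLM_LDAP.replace("ldap://ldap.example.test:636", "ldaps://ldap.example.test") \
                                     .replace('require_cert = "allow"', 'require_cert = "demand"')
REPORTED_SLAPD = '''
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/openldap/certs/ca.pem
TLSCertificateFile /etc/openldap/certs/server-cert.pem
TLSCertificateKeyFile /etc/openldap/certs/server-key.pem
TLSVerifyClient demand
'''
HARDENED_SLAPD = REPORTED_SLAPD.replace("HIGH:MEDIUM:+SSLv2", "HIGH:!aNULL:!MD5") + "TLSProtocolMin 3.3\n"

if __name__ == "__main__":
    for label, result in (("rlm_ldap (reported)", lint_rlm_ldap_tls(REPORTED_RLM_LDAP)),
                          ("rlm_ldap (hardened)", lint_rlm_ldap_tls(HARDENED_RLM_LDAP)),
                          ("slapd (reported)", lint_slapd_tls(REPORTED_SLAPD)),
                          ("slapd (hardened)", lint_slapd_tls(HARDENED_SLAPD))):
        print(label, result or "no findings")
```

The `ldap://host:636` form in the report is treated as the LDAPS port and not flagged for plaintext; drop the port or use 389 and the linter reports the missing STARTTLS instead. Neither check touches the network, so it can run against the files in `/etc/raddb/mods-available/` and `/etc/openldap/` before `radiusd -X` is attempted.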