Bug 287381 - rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: freeradius
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: John Dennis
Reported: 2007-09-12 05:11 EDT by Alain RICHARD
Modified: 2013-04-15 04:52 EDT
Doc Type: Bug Fix
Last Closed: 2008-10-15 11:12:51 EDT
Attachments: None
Description Alain RICHARD 2007-09-12 05:11:59 EDT
Description of problem:

Using freeradius-1.1.3-1.2.el5 and configuring it to access an ldap database, I get the following
error in the /var/log/radius/radius.log file:

Wed Sep 12 10:59:22 2007 : Error: rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to 
Wed Sep 12 10:59:22 2007 : Auth: Login OK: [nagios] (from client justine port 0)

This is a non-fatal error (the authentication succeeds) but is annoying as it is present on each radius

Version-Release number of selected component (if applicable):

freeradius-1.1.3-1.2.el5 and its module rlm_ldap.

How reproducible:

configure an ldap server for radius authorize/authentication.

The problem is linked with the tls_require_cert ldap option in radius.conf for the ldap module. Specifying
any valid option or omitting the option completely gives the same error.

Actual results:

The tls_require_cert option is not set in the ldap session and returns the error in the error log. If you 
don't need this option, this is not fatal.

Expected results:

It should set the tls_require_cert option on the ldap session and not return any error in the error log.

Additional info:

I have tracked this problem in the freeradius 1.1.3 code:

[root@sol BUILD]# grep -n LDAP_OPT_X_TLS_REQUIRE_CERT freeradius-1.1.3/src/modules/rlm_ldap/
2026:   if ( ldap_set_option( NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,

This option is not settable with the ldap_set_option() function, but with the ldap_int_tls_config() function in the
openldap API.

This has been corrected in the current freeradius-1.1.7 source code:

[root@sol BUILD]# grep -n LDAP_OPT_X_TLS_REQUIRE_CERT freeradius-1.1.7/src/modules/rlm_ldap/
2211:   if ( ldap_int_tls_config( NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,

So a simple fix to this problem is to upgrade to the current freeradius 1.1.7 code.
Comment 1 Red Hat Bugzilla 2007-09-17 01:21:53 EDT
transferred from Thomas Woerner to John Dennis, requested by Steve Grubb.
Comment 5 John Dennis 2008-09-22 17:35:34 EDT
For some reason the freeradius-1.1.3-ldap.patch in our srpm incorrectly changed 
ldap_int_tls_config() to ldap_set_option(), this reverts the incorrect patch
so that we're calling ldap_int_tls_config() like we should be.

Should appear in freeradius-1.1.3-1.4
Comment 6 John Dennis 2008-09-22 18:23:28 EDT
Here is some follow-up information relevant to this issue I just learned.

The behaviour of openldap changed around the openldap version 2.1 time frame with respect to this option. It might have previously been settable with ldap_set_option(), but it is no longer. From conversations it seems as if openldap decided this should be a library configurable option set via the ldap configuration file (see man ldap.config(5)) and it shouldn't be a per application option. The fact it's now only settable via ldap_int_tls_config() is the clue: ldap_int*() functions are library "internal" functions (hence the "int" in the name). It's not meant to be called by applications even though its symbol is visible in the library.

Thus when freeradius called ldap_set_option() to change the value of LDAP_OPT_X_TLS_REQUIRE_CERT the library correctly responded it could not be set. The fundamental problem is that rlm_ldap should not be exposing this configuration option because it shouldn't be changing it.

But we're between a rock and a hard place on this one. rlm_ldap does in fact expose this, even if it shouldn't, and we can link against the entry point to set it (even if we shouldn't be able to) so it seems like the path of least problems is to allow rlm_ldap to set the option using a back door. Maybe in the current ldap source we can get the option removed from rlm_ldap ...
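What the reporter's "Additional info" and Comment 6 add up to for an operator is that a tls_require_cert value configured in radiusd.conf is not in effect while this error is being logged: the LDAP session runs with whatever verification level the OpenLDAP library took from ldap.conf(5), i.e. its TLS_REQCERT directive, which defaults to "demand" when absent. The Python check below is an added example written for this page, not code from the bug report, FreeRADIUS or OpenLDAP. It assumes the FreeRADIUS 1.x log layout "<ctime> : <Level>: <message>", that the error message ends with the value rlm_ldap tried to set, and that a truncated message (as in the reporter's quoted log) leaves that value unknown; the log and ldap.conf contents it uses are constructed samples.

```python
"""Added example (not from the bug report, FreeRADIUS or OpenLDAP): find the
rlm_ldap REQUIRE_CERT error in a radius.log and report which certificate
verification level the LDAP session is really running with."""
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# ldap.conf(5) TLS_REQCERT / rlm_ldap tls_require_cert levels, weakest first;
# "hard" is a synonym of "demand".
LEVELS = {"never": 0, "allow": 1, "try": 2, "demand": 3, "hard": 3}

# Assumed FreeRADIUS 1.x log layout: "<ctime> : <Level>: <message>".
LOG_RE = re.compile(r"^(?P<ts>.+?) : (?P<level>\w+): (?P<msg>.*)$")
ERR_MARK = "could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to"

# Constructed sample input modelled on the lines quoted in the report
# (the third line is truncated the way the reporter's copy is).
SAMPLE_LOG = """\
Wed Sep 12 10:59:22 2007 : Error: rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to demand
Wed Sep 12 10:59:22 2007 : Auth: Login OK: [nagios] (from client justine port 0)
Wed Sep 12 11:03:07 2007 : Error: rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to
Wed Sep 12 11:03:07 2007 : Auth: Login OK: [nagios] (from client justine port 0)
"""

# Constructed /etc/openldap/ldap.conf with server certificate checks switched off.
SAMPLE_LDAP_CONF = """\
# constructed example, not a real host's file
BASE   dc=example,dc=com
TLS_REQCERT never
"""


@dataclass
class Finding:
    timestamp: str
    requested: Optional[str]   # value rlm_ldap tried to set; None if the line is truncated
    effective: str             # level the OpenLDAP library actually applies
    weakened: Optional[bool]   # True if effective < requested; None when requested is unknown


def parse_error_lines(log_text: str) -> Iterator[Tuple[str, Optional[str]]]:
    """Yield (timestamp, requested level) for each rlm_ldap REQUIRE_CERT error."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("level") != "Error":
            continue
        msg = m.group("msg")
        if ERR_MARK not in msg:
            continue
        tail = msg.split(ERR_MARK, 1)[1].strip().lower()
        yield m.group("ts"), (tail or None)


def effective_reqcert(ldap_conf_text: str) -> str:
    """Return the TLS_REQCERT level from an ldap.conf body ("demand" when unset)."""
    value = "demand"  # ldap.conf(5) default
    for raw in ldap_conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()   # drop trailing comments
        if len(parts) == 2 and parts[0].upper() == "TLS_REQCERT":
            value = parts[1].lower()
    return value


def audit(log_text: str, ldap_conf_text: str) -> List[Finding]:
    """Pair each logged failure with the level the library falls back to."""
    effective = effective_reqcert(ldap_conf_text)
    findings = []
    for ts, requested in parse_error_lines(log_text):
        if requested is None:
            weakened = None   # cannot tell from a truncated message
        else:
            weakened = LEVELS.get(effective, -1) < LEVELS.get(requested, -1)
        findings.append(Finding(ts, requested, effective, weakened))
    return findings


if __name__ == "__main__":
    labels = {True: "WEAKER than configured", False: "not weaker",
              None: "unknown (truncated log line)"}
    for f in audit(SAMPLE_LOG, SAMPLE_LDAP_CONF):
        print(f"{f.timestamp}: requested={f.requested} effective={f.effective} -> {labels[f.weakened]}")
```

On a real host, pass the contents of /var/log/radius/radius.log and /etc/openldap/ldap.conf to audit() instead of the constructed samples; a "WEAKER than configured" finding means the server certificate checks the radiusd.conf author asked for are not being performed until the ldap.conf TLS_REQCERT directive is raised or the fixed package is installed.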
Comment 10 errata-xmlrpc 2008-10-15 11:12:51 EDT
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

