Red Hat Bugzilla – Bug 287381
rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow
Last modified: 2013-04-15 04:52:17 EDT
Description of problem:
Using freeradius-1.1.3-1.2.el5 and configuring it to access an ldap database, I get the following
error in the /var/log/radius/radius.log file :
Wed Sep 12 10:59:22 2007 : Error: rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to
Wed Sep 12 10:59:22 2007 : Auth: Login OK: [nagios] (from client justine port 0)
This is a non-fatal error (the authentication succeeds) but is annoying as it is present on each radius
Version-Release number of selected component (if applicable):
freeradius-1.1.3-1.2.el5 and its module rlm_ldap.
configure an ldap server for radius authorize/authentication.
the problem is linked with the tls_require_cert ldap option in radius.conf for the ldap module. Specifying
any valid option or omitting the option completely gives the same error.
The tls_require_cert option is not set in the ldap session and returns the error in the error log. If you
don't need this option, this is not fatal.
Should set the tls_require_cert option on the ldap session and not return any error in the error log.
I have tracked this problem in the freeradius 1.1.3 code :
[root@sol BUILD]# grep -n LDAP_OPT_X_TLS_REQUIRE_CERT freeradius-1.1.3/src/modules/rlm_ldap/
2026: if ( ldap_set_option( NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,
this option is not settable with the ldap_set_option() function, but with the ldap_int_tls_config() function in
This has been corrected in the current freeradius-1.1.7 source code :
[root@sol BUILD]# grep -n LDAP_OPT_X_TLS_REQUIRE_CERT freeradius-1.1.7/src/modules/rlm_ldap/
2211: if ( ldap_int_tls_config( NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,
So a simple fix to this problem is to upgrade to the current freeradius 1.1.7 code.
transferred from Thomas Woerner to John Dennis, requested by Steve Grubb.
For some reason the freeradius-1.1.3-ldap.patch in our srpm incorrectly changed
ldap_int_tls_config() to ldap_set_option(), this reverts the incorrect patch
so that we're calling ldap_int_tls_config() like we should be.
Should appear in freeradius-1.1.3-1.4
Here is some follow-up information relevant to this issue I just learned.
The behaviour of openldap changed around the openldap version 2.1 time frame with respect to this option. It might have previously been settable with ldap_set_option(), but it is no longer. From conversations it seems as if openldap decided this should be a library configurable option set via the ldap configuration file (see man ldap.config(5)) and it shouldn't be a per application option. The fact it's now only settable via ldap_int_tls_config() is the clue, ldap_int*() functions are library "internal" functions (hence the "int" in the name). It's not meant to be called by applications even though its symbol is visible in the library.
Thus when freeradius called ldap_set_option() to change the value of LDAP_OPT_X_TLS_REQUIRE_CERT the library correctly responded it could not be set. The fundamental problem is that rlm_ldap should not be exposing this configuration option because it shouldn't be changing it.
But we're between a rock and a hard place on this one. rlm_ldap does in fact expose this, even if it shouldn't, and we can link against the entry point to set it (even if we shouldn't be able to) so it seems like the path of least problems is to allow rlm_ldap to set the option using a back door. Maybe in the current ldap source we can get the option removed from rlm_ldap ...
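The configuration implied by the comment above, as an added example that is not part of this bug report or of the FreeRADIUS or OpenLDAP sources: the certificate-verification policy set once at library level in ldap.conf(5), where OpenLDAP intends it to live, beside the rlm_ldap module block of a FreeRADIUS 1.x radiusd.conf carrying the matching tls_require_cert value. The option names are those documented by ldap.conf(5) and by the 1.x rlm_ldap module; the hostname, base DN, bind identity and file paths are placeholders I am assuming.

```conf
# /etc/openldap/ldap.conf  (library-wide; read by every libldap client on the host)
# Placeholder path: the CA bundle that signed the LDAP server's certificate.
TLS_CACERT  /etc/openldap/cacerts/ldap-ca.pem
# "demand": a missing, untrusted or mis-named server certificate aborts the TLS
# session. "never" or "allow" would silently accept a spoofed LDAP server.
TLS_REQCERT demand

# radiusd.conf, rlm_ldap module block (FreeRADIUS 1.x syntax; values are placeholders)
ldap {
    server = "ldap.example.org"
    identity = "cn=radius,dc=example,dc=org"
    password = "change-me"
    basedn = "ou=people,dc=example,dc=org"
    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"

    start_tls = yes                  # upgrade the port-389 session with StartTLS
    tls_cacertfile = /etc/openldap/cacerts/ldap-ca.pem
    # Keep this in step with TLS_REQCERT above. In the 1.1.3-1.2.el5 build this
    # value was never applied, so only the library setting decided the policy;
    # in the fixed build it is applied, so a weaker value here could override
    # the library setting.
    tls_require_cert = "demand"
}
```

A quick check from the same host, independent of FreeRADIUS: `ldapsearch -x -ZZ -H ldap://ldap.example.org -b '' -s base` must fail with a TLS error when the server presents a certificate the configured CA did not sign; if it succeeds, the effective policy for that client is not "demand".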
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.