Hi Alan,

Thanks mate for your reply.
I have the following parameters in radiusd.conf...

$INCLUDE  ${confdir}/sqlcounter.conf

authorize {
        preprocess
#       auth_log

#       attr_filter
        chap
        mschap
#       digest
#       IPASS
        suffix
        eap
        files
        sql
#       etc_smbpasswd
#       ldap
        # sqlcounter instances defined in sqlcounter.conf (included above)
        noresetcounter
        dailycounter
        monthlycounter
}

#  Accounting.  Log the accounting data.
#
accounting {
        acct_unique
        detail
        daily
        unix
        radutmp
#       sradutmp
#       main_pool
        sql
}

session {
        radutmp
        sql
}

radiusd -Xp 1645 returns ....
--------------------------------------------------------------
 sqlcounter: counter-name = "Daily-Session-Time"
 sqlcounter: check-name = "Max-Daily-Session"
 sqlcounter: key = "User-Name"
 sqlcounter: sqlmod-inst = "sql"
 sqlcounter: query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
 sqlcounter: reset = "daily"
rlm_sqlcounter: Counter attribute Daily-Session-Time is number 1673
rlm_sqlcounter: Check attribute Max-Daily-Session is number 1674
rlm_sqlcounter: Current Time: 1080035841 [2004-03-23 09:57:21], Next reset 1080086400 [2004-03-24 00:00:00]
rlm_sqlcounter: Current Time: 1080035841 [2004-03-23 09:57:21], Prev reset 1080000000 [2004-03-23 00:00:00]
Module: Instantiated sqlcounter (dailycounter)
--------------------------------------------------------------

It does set the daily and monthly counters but doesn't update the MySQL table
stats... that worries me.


Regards,
Sagar
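
What the sqlcounter query in the debug output above actually computes, as an added example written for this page (not FreeRADIUS code and not from the thread): rlm_sqlcounter never writes to the database. It runs the configured SELECT against radacct, which the `sql` module fills in from the accounting section, and compares the sum with Max-Daily-Session at authorize time. The script assumes a radacct table reduced to the three columns the query touches, with AcctStartTime stored as a Unix timestamp so that MySQL's GREATEST and UNIX_TIMESTAMP map onto SQLite's MAX and plain integer arithmetic; the rows, the user names and the limits are constructed, and %b is the "Prev reset" value from the debug output. The accept/reject logic mirrors rlm_sqlcounter's authorize step in simplified form (the later refinement that also caps Session-Timeout at the next reset is left out).

```python
"""Reproduce rlm_sqlcounter's daily-usage check against a radacct table.

Added example, not code from the FreeRADIUS project or from the thread.
Assumes radacct(UserName, AcctStartTime as Unix time, AcctSessionTime);
all rows below are constructed test data.
"""
import sqlite3

# %b from the debug output: the previous daily reset
# (1080000000, logged as 2004-03-23 00:00:00).
PERIOD_START = 1080000000

# sqlcounter's MySQL query translated to SQLite:
#   GREATEST(x, 0)                -> MAX(x, 0)   (scalar, two-argument form)
#   UNIX_TIMESTAMP(AcctStartTime) -> AcctStartTime (already an integer here)
# Only sessions that ended (or are still running) after %b are summed, and a
# session that began before %b contributes only the part that falls after %b.
DAILY_USAGE_SQL = """
SELECT COALESCE(SUM(AcctSessionTime - MAX(? - AcctStartTime, 0)), 0)
FROM radacct
WHERE UserName = ? AND AcctStartTime + AcctSessionTime > ?
"""


def build_sample_radacct() -> sqlite3.Connection:
    """Constructed accounting rows: this is what the 'sql' module writes from
    the accounting section; sqlcounter only ever reads it."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radacct (UserName TEXT, AcctStartTime INTEGER, AcctSessionTime INTEGER)"
    )
    rows = [
        # straddles the midnight reset: 10000 s before %b, 5000 s after it
        ("sagar", PERIOD_START - 10000, 15000),
        # entirely inside today's period
        ("sagar", PERIOD_START + 10000, 3600),
        # ended yesterday: filtered out by the WHERE clause
        ("sagar", PERIOD_START - 100000, 1000),
        # someone else's session: filtered out by UserName
        ("other", PERIOD_START + 20000, 9999),
    ]
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?)", rows)
    return conn


def daily_usage(conn, username: str, period_start: int = PERIOD_START) -> int:
    """Seconds of Daily-Session-Time the user has consumed since the last reset."""
    (used,) = conn.execute(DAILY_USAGE_SQL, (period_start, username, period_start)).fetchone()
    return int(used)


def check_daily_limit(used: int, max_daily: int, session_timeout=None):
    """rlm_sqlcounter's authorize decision: reject once the counter reaches the
    check attribute (Max-Daily-Session); otherwise cap Session-Timeout at the
    remaining allowance. Returns (accept, session_timeout)."""
    if used >= max_daily:
        return False, None
    remaining = max_daily - used
    if session_timeout is not None and session_timeout < remaining:
        return True, session_timeout
    return True, remaining


if __name__ == "__main__":
    conn = build_sample_radacct()
    used = daily_usage(conn, "sagar")
    print(f"sagar used today: {used}s")
    print("Max-Daily-Session=10000 ->", check_daily_limit(used, 10000))
    print("Max-Daily-Session=8000  ->", check_daily_limit(used, 8000))
```

If the sum stays at zero while sessions are clearly happening, the thing to look at is the accounting side (does the NAS send Accounting-Start/Stop, and does the `sql` module get them), not the counter: with no radacct rows there is nothing for the SELECT to add up.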



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: 22 March 2004 19:42
To: [EMAIL PROTECTED]
Subject: Freeradius-Users digest, Vol 1 #3023 - 3 msgs



Today's Topics:

   1. Re: SQLCOUNTER Problems (Alan DeKok)
   2. RE: Using freeradius to authenticate users to a Windows 2000 AD (Steve OBrien)
   3. RE: Using freeradius to authenticate users to a Windows 2000 AD (Steve OBrien)

--__--__--

Message: 1
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: SQLCOUNTER Problems 
Date: Mon, 22 Mar 2004 14:00:23 -0500
Reply-To: [EMAIL PROTECTED]

<[EMAIL PROTECTED]> wrote:
> After compiling RLM_SQLCOUNTER with FreeRadius .. I still can't see
> radius trying to update usage statistics in MYSQL tables.
> I read doc/rlm_sqlcounter and thought whenever a user uses any minutes out
> of the allocated values RLM_COUNTER will change statistics by calculating:
> (Allocated time - Used time) = Remaining time.
> Am I right here?  Any help will be appreciated....

  Just listing "sqlcounter" in the "modules" section won't do
anything.  You've got to tell the server WHEN to use it.

  List it in the "accounting" and "authorize" sections, too.

  Alan DeKok.



--__--__--

Message: 2
To: [EMAIL PROTECTED]
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD
From: Steve OBrien <[EMAIL PROTECTED]>
Date: Mon, 22 Mar 2004 11:36:15 -0800
Reply-To: [EMAIL PROTECTED]


OK Tarun, everything looks OK from LDP.exe, at least I am able to connect and browse. But with ldapbrowse I am getting "CA certificate is not in server certificate chain." So to back up a bit, the certificate that I need on the freeradius box is the one you can retrieve via the web interface on the m$ certificate server when you select the "Retrieve the CA certificate or CRL" radio button?





"Tarun Bhushan" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
03/21/2004 04:56 PM
Please respond to [EMAIL PROTECTED]
To: <[EMAIL PROTECTED]>
cc:
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD

Steve

Looks like the LDAPS connection from non-Windows-native clients is not working properly. From a Windows workstation (not on the AD machine) first try LDP.EXE (Microsoft Win2K Support Tools LDAP utility) with the SSL flag set to get to your AD LDAP server and see if this works. This shows if LDAPS is working from a Windows-native point of view. Next, try LDAP Browser/Editor (http://www.iit.edu/~gawojar/ldap/) to access the AD with LDAPS (on Windows you will need Sun Java), import your AD root CA cert (use the same PEM file as used before - see the documentation below). If you can connect now, this will provide an indication that connection from "non-Windows-native" clients works with LDAPS.

Once that works, you can then go on from there.

Regards
Tarun

===================== Doc - is a sample session ============================

C:\Program Files\Java\j2re1.4.1_03\bin>keytool -list -keystore "C:\Program Files\Java\j2re1.4.1_03\lib\security\cacerts"
Enter keystore password:  changeit

Keystore type: jks
Keystore provider: SUN

Your keystore contains 15 entries

thawtepersonalfreemailca, 12/02/1999, trustedCertEntry,
Certificate fingerprint (MD5): 1E:74:C3:86:3C:0C:35:C5:3E:C2:7F:EF:3C:AA:3C:D9
baltimorecodesigningca, 10/05/2002, trustedCertEntry,
Certificate fingerprint (MD5): 90:F5:28:49:56:D1:5D:2C:B0:53:D4:4B:EF:6F:90:22
thawtepersonalbasicca, 12/02/1999, trustedCertEntry,
Certificate fingerprint (MD5): E6:0B:D2:C9:CA:2D:88:DB:1A:71:0E:4B:78:EB:02:41
gtecybertrustglobalca, 10/05/2002, trustedCertEntry,
Certificate fingerprint (MD5): CA:3D:D3:68:F1:03:5C:D0:32:FA:B8:2B:59:E8:5A:DB
verisignclass3ca, 29/06/1998, trustedCertEntry,
Certificate fingerprint (MD5): 78:2A:02:DF:DB:2E:14:D5:A7:5F:0A:DF:B6:8E:9C:5D
thawteserverca, 12/02/1999, trustedCertEntry,
Certificate fingerprint (MD5): C5:70:C4:A2:ED:53:78:0C:C8:10:53:81:64:CB:D0:1D
thawtepersonalpremiumca, 12/02/1999, trustedCertEntry,
Certificate fingerprint (MD5): 3A:B2:DE:22:9A:20:93:49:F9:ED:C8:D2:8A:E7:68:0D
verisignclass4ca, 29/06/1998, trustedCertEntry,
Certificate fingerprint (MD5): 1B:D1:AD:17:8B:7F:22:13:24:F5:26:E2:5D:4E:B9:10
baltimorecybertrustca, 10/05/2002, trustedCertEntry,
Certificate fingerprint (MD5): AC:B6:94:A5:9C:17:E0:D7:91:52:9B:B1:97:06:A6:E4
verisignclass1ca, 29/06/1998, trustedCertEntry,
Certificate fingerprint (MD5): 51:86:E8:1F:BC:B1:C3:71:B5:18:10:DB:5F:DC:F6:20
verisignserverca, 29/06/1998, trustedCertEntry,
Certificate fingerprint (MD5): 74:7B:82:03:43:F0:00:9E:6B:B3:EC:47:BF:85:A5:93
thawtepremiumserverca, 12/02/1999, trustedCertEntry,
Certificate fingerprint (MD5): 06:9F:69:79:16:66:90:02:1B:8C:8C:A2:C3:07:6F:3A
gtecybertrustca, 10/05/2002, trustedCertEntry,
Certificate fingerprint (MD5): C4:D7:F0:B2:A3:C5:7D:61:67:F0:04:CD:43:D3:BA:58
gtecybertrust5ca, 10/05/2002, trustedCertEntry,
Certificate fingerprint (MD5): 7D:6C:86:E4:FC:4D:D1:0B:00:BA:22:BB:4E:7C:6A:8E
verisignclass2ca, 29/06/1998, trustedCertEntry,
Certificate fingerprint (MD5): EC:40:7D:2B:76:52:67:05:2C:EA:F2:3A:4F:65:F0:D8

C:\Program Files\Java\j2re1.4.1_03\bin>keytool -import -v -alias somecompany_ad_ca -file c:\temp\somedc.ca.pem -keystore "C:\Program Files\Java\j2re1.4.1_03\lib\security\cacerts"
Enter keystore password:  changeit
Owner: CN=somedc.somecompany.com, OU=etc..., [EMAIL PROTECTED]
Issuer: CN=somedc.somecompany.com, OU=etc..., [EMAIL PROTECTED]
Serial number: something
Valid from: <date> until: <date>
Certificate fingerprints:
         MD5:  something
         SHA1: something
Trust this certificate? [no]:  yes
Certificate was added to keystore
[Saving C:\Program Files\Java\j2re1.4.1_03\lib\security\cacerts]

C:\Program Files\Java\j2re1.4.1_03\bin>keytool -list -keystore "C:\Tools\ldapbrowser\lbecacerts"
Enter keystore password:  changeit

Keystore type: jks
Keystore provider: SUN

Your keystore contains 6 entries

1049851423488, 9/04/2003, trustedCertEntry,
Certificate fingerprint (MD5): 71:C5:05:89:08:BC:78:96:20:45:E2:0E:FD:89:E8:72
1042686583627, 16/01/2003, trustedCertEntry,
Certificate fingerprint (MD5): D9:11:9E:1A:CE:C5:C4:29:2F:E6:DE:EB:C0:E8:12:0D
1047532540747, 13/03/2003, trustedCertEntry,
Certificate fingerprint (MD5): 90:81:E7:42:CA:D8:90:A7:59:A5:0E:D3:0E:20:1E:B0
1042609942072, 15/01/2003, trustedCertEntry,
Certificate fingerprint (MD5): F0:C3:1D:07:F7:20:7E:95:97:73:53:76:12:9B:D4:14
1046156863186, 25/02/2003, trustedCertEntry,
Certificate fingerprint (MD5): F3:04:1F:F2:73:4F:C3:0D:C1:FA:5C:4C:D3:C6:13:1A
1042179593031, 10/01/2003, trustedCertEntry,
Certificate fingerprint (MD5): A0:AD:08:60:83:1B:C3:50:72:7B:95:92:5A:67:E3:91

C:\Program Files\Java\j2re1.4.1_03\bin>keytool -import -v -alias somecompany_ad_ca -file c:\temp\somedc.ca.pem -keystore "C:\Tools\ldapbrowser\lbecacerts"
Enter keystore password:  changeit
Owner: CN=somedc.somecompany.com, OU=etc..., [EMAIL PROTECTED]
Issuer: CN=somedc.somecompany.com, OU=etc..., [EMAIL PROTECTED]
Serial number: something
Valid from: <date> until: <date>
Certificate fingerprints:
         MD5:  something
         SHA1: something
Trust this certificate? [no]:  yes
Certificate was added to keystore
[Saving C:\Tools\ldapbrowser\lbecacerts]

============================ End Doc ==================================

-----Original Message-----
From: Steve OBrien [mailto:[EMAIL PROTECTED]
Sent: Sunday, 21 March 2004 12:28 PM
To: [EMAIL PROTECTED]
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD


OK I got that problem fixed on the windows side. Now I am getting an immediate access-reject; here is the debug:

<snip>


NOTICE
This e-mail and any attachments are confidential and may contain copyright material of Macquarie Bank or third parties. If you are not the intended recipient of this email you should not read, print, re-transmit, store or act in reliance on this e-mail or any attachments, and should destroy all copies of them. Macquarie Bank does not guarantee the integrity of any emails or any attached files. The views or opinions expressed are the author's own and may not reflect the views or opinions of Macquarie Bank.


- 
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html




--__--__--

Message: 3
To: [EMAIL PROTECTED]
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD
From: Steve OBrien <[EMAIL PROTECTED]>
Date: Mon, 22 Mar 2004 11:40:46 -0800
Reply-To: [EMAIL PROTECTED]


Would it also matter if my certificate was self-signed, as we do not have a need for a third-party signed certificate at this time?

Steve O'Brien
City of Bend
Network Administrator
[EMAIL PROTECTED]
541-322-6393




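Before importing a PEM into cacerts or the ldapbrowser's lbecacerts store as in Tarun's keytool session, and bearing on Steve's question about a self-signed certificate, it is worth checking that the file really is the issuer of the certificate the domain controller presents; that is exactly what "CA certificate is not in server certificate chain" is complaining about. The following is an added example written for this page, not code from the thread, FreeRADIUS, Java or Microsoft. It assumes the openssl command-line tool is installed, mints throwaway test certificates (constructed data; the names somedc.somecompany.com and somecompany are placeholders echoing the session above) and runs `openssl verify -CAfile`, which performs the same chain building an LDAPS client does with its trust store.

```python
"""Check that a CA PEM is actually the issuer of an LDAPS server certificate.

Added example, not from the thread or any project. Needs the `openssl` CLI.
All certificates are generated on the fly as constructed test data.
"""
import os
import shutil
import subprocess
import tempfile


def _openssl(*args, cwd):
    """Run one openssl command in cwd, raising on failure."""
    if shutil.which("openssl") is None:
        raise RuntimeError("openssl CLI not found on PATH")
    return subprocess.run(["openssl", *args], cwd=cwd, check=True,
                          capture_output=True, text=True)


def make_ca(workdir, name, cn):
    """Self-signed certificate + key in PEM: the shape of the file the
    'Retrieve the CA certificate or CRL' page hands out (or of a self-signed
    server certificate). Returns (cert_path, key_path)."""
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
             "-subj", f"/CN={cn}", "-keyout", f"{name}.key", "-out", f"{name}.pem",
             cwd=workdir)
    return os.path.join(workdir, f"{name}.pem"), os.path.join(workdir, f"{name}.key")


def make_server_cert(workdir, name, cn, ca_pem, ca_key):
    """Leaf certificate for the DC, signed by the given CA. Returns cert path."""
    _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes",
             "-subj", f"/CN={cn}", "-keyout", f"{name}.key", "-out", f"{name}.csr",
             cwd=workdir)
    _openssl("x509", "-req", "-days", "1", "-in", f"{name}.csr",
             "-CA", ca_pem, "-CAkey", ca_key, "-CAcreateserial",
             "-out", f"{name}.pem", cwd=workdir)
    return os.path.join(workdir, f"{name}.pem")


def chain_verifies(ca_pem, leaf_pem) -> bool:
    """True if leaf_pem chains to ca_pem, i.e. ca_pem is the right trust anchor
    to import; False is what a client with the wrong CA in its store sees."""
    r = subprocess.run(["openssl", "verify", "-CAfile", ca_pem, leaf_pem],
                       capture_output=True, text=True)
    return r.returncode == 0


def run_demo() -> dict:
    """Four cases a practitioner runs into; names are placeholders."""
    with tempfile.TemporaryDirectory() as d:
        ad_ca, ad_ca_key = make_ca(d, "ad_root", "somecompany AD Root CA")
        other_ca, _ = make_ca(d, "other_root", "Unrelated Root CA")
        dc = make_server_cert(d, "somedc", "somedc.somecompany.com", ad_ca, ad_ca_key)
        self_signed, _ = make_ca(d, "selfsigned_dc", "somedc.somecompany.com")
        return {
            # the PEM from the issuing CA: this is the file to give keytool
            "issuing_ca": chain_verifies(ad_ca, dc),
            # some other CA in the store: "not in server certificate chain"
            "wrong_ca": chain_verifies(other_ca, dc),
            # a self-signed server cert does not chain to any separate CA
            "self_signed_vs_ca": chain_verifies(ad_ca, self_signed),
            # ...so the server certificate itself is what gets imported
            "self_signed_itself": chain_verifies(self_signed, self_signed),
        }


if __name__ == "__main__":
    for case, ok in run_demo().items():
        print(f"{case:20s} {'OK' if ok else 'FAIL'}")
```

Against a real DC, save what the server sends (`openssl s_client -connect somedc.somecompany.com:636 -showcerts`) and run `chain_verifies` with the PEM you intend to import; only when that returns True is it the file for `keytool -import`. The SHA1 fingerprint keytool shows at the "Trust this certificate?" prompt should match `openssl x509 -noout -fingerprint -sha1 -in somedc.ca.pem`, which is the check that you are trusting the file you think you are.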


--__--__--


End of Freeradius-Users Digest