Hi Alan.

I did a little more debugging on this matter and I discovered that the error is that FR doesn't like the CA:

TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 18, subject: /C=PT/ST=Lisbon/L=Lisbon/O=UAL/OU=CI/CN=checkpoint2/[EMAIL PROTECTED], issuer: /C=PT/ST=Lisbon/L=Lisbon/O=UAL/OU=CI/CN=checkpoint2/[EMAIL PROTECTED]
TLS certificate verification: Error, self signed certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.

If I use only one LDAP server (the same one that gave the error) I don't have any problem with the TLS stuff. The problem is with the combination of the two self-signed certificates (one for each LDAP server, of course). So, in isolation the master and the slave work perfectly, but in combination with TLS only one works... I don't know what more to try, because I believe I have everything configured correctly. :-(

Here's the most important part of my debug (without ldap_debug = 0xFFFF):

...
ldap: server = "checkpoint2"
ldap: port = 636
ldap: net_timeout = 60
ldap: timeout = 60
ldap: timelimit = 60
ldap: identity = ""
ldap: tls_mode = no
ldap: start_tls = no
ldap: tls_cacertfile = "/usr/local/radius/etc/raddb/1x/checkpoint2.pem"
ldap: tls_cacertdir = "(null)"
ldap: tls_certfile = "/usr/local/radius/etc/raddb/1x/checkpoint2.pem"
ldap: tls_keyfile = "/usr/local/radius/etc/raddb/1x/checkpoint2.pem"
ldap: tls_randfile = "(null)"
ldap: tls_require_cert = "allow"
ldap: password = ""
...
Module: Instantiated ldap (ldapmaster)
ldap: server = "checkpoint"
ldap: port = 636
ldap: net_timeout = 60
ldap: timeout = 60
ldap: timelimit = 60
ldap: identity = ""
ldap: tls_mode = no
ldap: start_tls = no
ldap: tls_cacertfile = "/usr/local/radius/etc/raddb/1x/checkpoint.pem"
ldap: tls_cacertdir = "(null)"
ldap: tls_certfile = "/usr/local/radius/etc/raddb/1x/checkpoint.pem"
ldap: tls_keyfile = "/usr/local/radius/etc/raddb/1x/checkpoint.pem"
ldap: tls_randfile = "(null)"
ldap: tls_require_cert = "allow"
ldap: password = ""
...
Module: Instantiated ldap (ldapslave)
...
radius_xlat: '([EMAIL PROTECTED])'
radius_xlat: 'ou=users,dc=ual,dc=pt'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to checkpoint:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /usr/local/radius/etc/raddb/1x/checkpoint.pem
rlm_ldap: setting TLS Cert File to /usr/local/radius/etc/raddb/1x/checkpoint.pem
rlm_ldap: setting TLS Key File to /usr/local/radius/etc/raddb/1x/checkpoint.pem
rlm_ldap: bind as / to checkpoint:636
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
...
radius_xlat: '([EMAIL PROTECTED])'
radius_xlat: 'ou=users,dc=ual,dc=pt'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to checkpoint2:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /usr/local/radius/etc/raddb/1x/checkpoint2.pem
rlm_ldap: setting TLS Cert File to /usr/local/radius/etc/raddb/1x/checkpoint2.pem
rlm_ldap: setting TLS Key File to /usr/local/radius/etc/raddb/1x/checkpoint2.pem
rlm_ldap: bind as / to checkpoint2:636
rlm_ldap: bind to checkpoint2:636 failed: Can't contact LDAP server
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldapmaster" returns fail for request 5
...

Alan DeKok wrote:
> Paulo Cabrita <[EMAIL PROTECTED]> wrote:
> > I have freeradius 1.1.0 working and I want to have a redundant/load balancing mechanism, but when I use TLS to secure the communication with the LDAPs, FR only works with one server (e.g. ldapmaster). The log says that it cannot contact the other server (e.g. ldapslave). But if I use one LDAP in clear-text communication, it works perfectly, that is, I have redundant load balancing with one LDAP/TLS and another LDAP/clear. Of course that's not what I want. :-)
>
> I don't see why using TLS or not would make any difference to the load balancing.
>
> Could you post the errors?
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

--
Atentamente,
------------------------------------
|Paulo Cabrita, Msc                |
|Director do Centro de Informática |
|da Universidade Autónoma de Lisboa|
|Tel: +351-213177635               |
|Fax: +351-213533702               |
|E-mail: [EMAIL PROTECTED]         |
------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
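The debug above shows each ldap module instance pointing tls_cacertfile at its own server's self-signed certificate, and the checkpoint2 connection failing with X509 verify error 18 ("self signed certificate", followed by the client's "unknown CA" alert) only when both instances are configured. The shell script below is an added example, not code from the poster or from the FreeRADIUS project. It generates two throwaway self-signed certificates named after the hosts in the post, shows with openssl verify that a client whose CA file holds only one of them rejects the other with exactly that error class, and builds a single certificate-only bundle that verifies either server. Pointing both instances' tls_cacertfile at one such bundle removes any dependence on which instance's CA setting happens to be in effect when a connection is opened (libldap applies TLS options process-wide when they are set on a NULL handle, so the last one set wins). The hostnames, subject fields and the bundle file name are taken from or modelled on the post for illustration; the keys and certificates are test material generated on the fly.

```shell
#!/bin/sh
# Added example for this thread (not code from the FreeRADIUS project or the poster):
# reproduce the client-side verification failure with openssl and show a single
# CA bundle that trusts both self-signed LDAP server certificates.
# Host names "checkpoint" and "checkpoint2" come from the post; the keys and
# certificates generated here are throwaway test material, not the site's own.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Make a self-signed certificate and key for one server. Each LDAP server in the
# thread has exactly this: its own self-signed cert, which the RADIUS client also
# uses as its "CA" file, so nothing but that one certificate is trusted.
make_selfsigned() {
    host=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/C=PT/ST=Lisbon/L=Lisbon/O=UAL/OU=CI/CN=$host" \
        -keyout "$WORK/$host.key" -out "$WORK/$host.crt" >/dev/null 2>&1
}

# Verify a server certificate against a CA file the way a TLS client does and
# print OK or FAIL. A self-signed cert that is not in the CA file fails with
# X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, which is the "err: 18" in the debug.
check_trust() {
    cafile=$1
    cert=$2
    if openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Concatenate certificate PEMs (certificates only, no private keys) into one
# file usable as a single tls_cacertfile shared by both ldap module instances.
# Prints the number of certificates in the bundle.
build_bundle() {
    out=$1
    shift
    : > "$out"
    for c in "$@"; do
        cat "$c" >> "$out"
    done
    grep -c 'BEGIN CERTIFICATE' "$out"
}

make_selfsigned checkpoint
make_selfsigned checkpoint2
NCERTS=$(build_bundle "$WORK/ldap-ca-bundle.pem" \
    "$WORK/checkpoint.crt" "$WORK/checkpoint2.crt")

# Trust matrix: a server's own cert as CA verifies, the other server's cert
# does not (the "only one of the two works" symptom), the bundle verifies both.
echo "bundle holds $NCERTS certificates"
for ca in checkpoint.crt checkpoint2.crt ldap-ca-bundle.pem; do
    for srv in checkpoint checkpoint2; do
        printf '%-18s as CA, server %-11s -> %s\n' "$ca" "$srv" \
            "$(check_trust "$WORK/$ca" "$WORK/$srv.crt")"
    done
done
```

Only certificates go into the bundle; the private keys stay in each server's own key file. openssl verify checks the chain, not the hostname, so the matrix isolates the trust question the debug raises from any name-matching issue.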