Hi Martin,
If you do not already have it working, here are the steps that got mine to work:
1) Log in to Novell iManager and under Roles and Tasks -> LDAP options
-> View LDAP Servers -> Click on server -> Connections -> make sure
"SSL Certificate IP" is the server cert and "Client Certificate - Not Requested"

2) Now if you click on Novell Certificate Access -> Server
Certificates -> Expand "SSL Certificate IP", it shows that it's signed
by Organizational CA

3) Click Novell Certificate Server -> Configure Certificate Authority
-> Click Certificates Tab -> Select "Organizational CA" -> Export and
follow the steps and download the cert to a file, say "cert.pfx"

4) Open cygwin (since I use edir on windoz) and do
    openssl pkcs12 -in ~/Desktop/cert.pfx -nocerts -nodes -out ~/Desktop/edir_ca_key.pem
    openssl pkcs12 -in ~/Desktop/cert.pfx -clcerts -nokeys -out ~/Desktop/edir_ca_cert.pem
    cat ~/Desktop/edir_ca_cert.pem ~/Desktop/edir_ca_key.pem > ~/Desktop/edir.pem

5) Copy edir.pem to the radius server under say /certs/edir/edir.pem

6) My module looks like:
    # make sure the ip is the same ip as in the CN of the CA cert
    ldap ldap1 {
        # edir
        server = 192.168.1.40
        port = 636
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        basedn = "o=engineering"
        identity = "cn=admin,o=domain"
        password = "*********"
        password_attribute = nspmPassword
        edir_account_policy_check = yes
        filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = no
        tls_cacertfile = /certs/edir/edir.pem
        tls_certfile = /certs/edir/client.pem
        tls_keyfile = /certs/edir/client.pem
        tls_require_cert = "demand"
        #tls_mode = yes
        ldap_connections_number = 5
        timeout = 5
        timelimit = 3
        net_timeout = 1
    }

Good luck :)
Yogesh.

On 7/19/07, Martin G <[EMAIL PROTECTED]> wrote:
> Hello!
>
> I'm new to both this mailing list and to novell/linux/ldap/freeradius but I've
> tried my best to install a radius/ldap linuxserver to pass on
> radius-requests from an Aruba-controller to our novell-server.
>
> IPs:
> Novell 10.10.0.11
> Aruba 10.10.0.28
> Linux (freeradius+ldap) 10.10.0.132
>
> I've tried to change tls_mode, port and tls_start on and off a couple of times
> without any good result, and when I use ldapsearch -vvv -h 10.10.0.11 -x
> -Z -b ou=adm,ou=malmo,o=wifi "cn=lotta"
> I receive "TLS: hostname does not match CN in peer certificate".
>
> So I have some thoughts about the certificate, but I've exported the
> self-signed novell-certificate from the novellserver and verified it. But I'm
> not sure how to use a "client-certificate" on the linux.
>
> When I use "freeradius -XXX -A" on the linuxserver and I try to do a
> radius-request, the aruba gets a timeout and the linuxserver tells me the
> following log:
>
> Tue Jul 10 11:32:28 2007 : Info: Starting - reading configuration files ...
> Tue Jul 10 11:32:28 2007 : Debug: reread_config:  reading radiusd.conf
> Tue Jul 10 11:32:28 2007 : Debug: Config:   including file:
> /etc/freeradius/proxy.conf
> Tue Jul 10 11:32:28 2007 : Debug: Config:   including file:
> /etc/freeradius/clients.conf
> Tue Jul 10 11:32:28 2007 : Debug: Config:   including file:
> /etc/freeradius/snmp.conf
> Tue Jul 10 11:32:28 2007 : Debug: Config:   including file:
> /etc/freeradius/eap.conf
> Tue Jul 10 11:32:28 2007 : Debug: Config:   including file:
> /etc/freeradius/sql.conf
> Tue Jul 10 11:32:28 2007 : Debug:  main: prefix = "/usr"
> Tue Jul 10 11:32:28 2007 : Debug:  main: localstatedir = "/var"
> Tue Jul 10 11:32:28 2007 : Debug:  main: logdir = "/var/log/freeradius"
> Tue Jul 10 11:32:28 2007 : Debug:  main: libdir = "/usr/lib/freeradius"
> Tue Jul 10 11:32:28 2007 : Debug:  main: radacctdir =
> "/var/log/freeradius/radacct"
> Tue Jul 10 11:32:28 2007 : Debug:  main: hostname_lookups = no
> Tue Jul 10 11:32:28 2007 : Debug:  main: max_request_time = 30
> Tue Jul 10 11:32:28 2007 : Debug:  main: cleanup_delay = 5
> Tue Jul 10 11:32:28 2007 : Debug:  main: max_requests = 1024
> Tue Jul 10 11:32:28 2007 : Debug:  main: delete_blocked_requests = 0
> Tue Jul 10 11:32:28 2007 : Debug:  main: port = 0
> Tue Jul 10 11:32:28 2007 : Debug:  main: allow_core_dumps = no
> Tue Jul 10 11:32:28 2007 : Debug:  main: log_stripped_names = yes
> Tue Jul 10 11:32:28 2007 : Debug:  main: log_file =
> "/var/log/freeradius/radius.log"
> Tue Jul 10 11:32:28 2007 : Debug:  main: log_auth = yes
> Tue Jul 10 11:32:28 2007 : Debug:  main: log_auth_badpass = yes
> Tue Jul 10 11:32:28 2007 : Debug:  main: log_auth_goodpass = yes
> Tue Jul 10 11:32:28 2007 : Debug:  main: pidfile =
> "/var/run/freeradius/freeradius.pid"
> Tue Jul 10 11:32:28 2007 : Debug:  main: user = "freerad"
> Tue Jul 10 11:32:28 2007 : Debug:  main: group = "freerad"
> Tue Jul 10 11:32:28 2007 : Debug:  main: usercollide = no
> Tue Jul 10 11:32:28 2007 : Debug:  main: lower_user = "no"
> Tue Jul 10 11:32:28 2007 : Debug:  main: lower_pass = "no"
> Tue Jul 10 11:32:28 2007 : Debug:  main: nospace_user = "no"
> Tue Jul 10 11:32:28 2007 : Debug:  main: nospace_pass = "no"
> Tue Jul 10 11:32:28 2007 : Debug:  main: checkrad = "/usr/sbin/checkrad"
> Tue Jul 10 11:32:28 2007 : Debug:  main: proxy_requests = yes
> Tue Jul 10 11:32:28 2007 : Debug:  proxy: retry_delay = 5
> Tue Jul 10 11:32:28 2007 : Debug:  proxy: retry_count = 3
> Tue Jul 10 11:32:28 2007 : Debug:  proxy: synchronous = no
> Tue Jul 10 11:32:28 2007 : Debug:  proxy: default_fallback = yes
> Tue Jul 10 11:32:28 2007 : Debug:  proxy: dead_time = 120
> Tue Jul 10 11:32:28 2007 : Debug:  proxy: post_proxy_authorize = no
> Tue Jul 10 11:32:28 2007 : Debug:  proxy: wake_all_if_all_dead = no
> Tue Jul 10 11:32:28 2007 : Debug:  security: max_attributes = 200
> Tue Jul 10 11:32:28 2007 : Debug:  security: reject_delay = 1
> Tue Jul 10 11:32:28 2007 : Debug:  security: status_server = no
> Tue Jul 10 11:32:28 2007 : Debug:  main: debug_level = 0
> Tue Jul 10 11:32:28 2007 : Debug: read_config_files:  reading dictionary
> Tue Jul 10 11:32:28 2007 : Debug: read_config_files:  reading naslist
> Tue Jul 10 11:32:28 2007 : Info: Using deprecated naslist file.  Support for
> this will go away soon.
> Tue Jul 10 11:32:28 2007 : Debug: read_config_files:  reading clients
> Tue Jul 10 11:32:28 2007 : Debug: read_config_files:  reading realms
> Tue Jul 10 11:32:28 2007 : Debug: radiusd:  entering modules setup
> Tue Jul 10 11:32:28 2007 : Debug: Module: Library search path is
> /usr/lib/freeradius
> Tue Jul 10 11:32:28 2007 : Debug: Module: Loaded exec
> Tue Jul 10 11:32:28 2007 : Debug:  exec: wait = yes
> Tue Jul 10 11:32:28 2007 : Debug:  exec: program = "(null)"
> Tue Jul 10 11:32:28 2007 : Debug:  exec: input_pairs = "request"
> Tue Jul 10 11:32:28 2007 : Debug:  exec: output_pairs = "(null)"
> Tue Jul 10 11:32:28 2007 : Debug:  exec: packet_type = "(null)"
> Tue Jul 10 11:32:28 2007 : Info: rlm_exec: Wait=yes but no output defined.
> Did you mean output=none?
> Tue Jul 10 11:32:28 2007 : Debug: Module: Instantiated exec (exec)
> Tue Jul 10 11:32:28 2007 : Debug: Module: Loaded expr
> Tue Jul 10 11:32:28 2007 : Debug: Module: Instantiated expr (expr)
> Tue Jul 10 11:32:28 2007 : Debug: Module: Loaded PAP
> Tue Jul 10 11:32:28 2007 : Debug:  pap: encryption_scheme = "crypt"
> Tue Jul 10 11:32:28 2007 : Debug: Module: Instantiated pap (pap)
> Tue Jul 10 11:32:28 2007 : Debug: Module: Loaded CHAP
> Tue Jul 10 11:32:28 2007 : Debug: Module: Instantiated chap (chap)
> Tue Jul 10 11:32:28 2007 : Debug: Module: Loaded MS-CHAP
> Tue Jul 10 11:32:28 2007 : Debug:  mschap: use_mppe = yes
> Tue Jul 10 11:32:28 2007 : Debug:  mschap: require_encryption = no
> Tue Jul 10 11:32:28 2007 : Debug:  mschap: require_strong = no
> Tue Jul 10 11:32:28 2007 : Debug:  mschap: with_ntdomain_hack = no
> Tue Jul 10 11:32:28 2007 : Debug:  mschap: passwd = "(null)"
> Tue Jul 10 11:32:28 2007 : Debug:  mschap: ntlm_auth = "(null)"
> Tue Jul 10 11:32:28 2007 : Debug: Module: Instantiated mschap (mschap)
> Tue Jul 10 11:32:28 2007 : Debug: Module: Loaded System
> Tue Jul 10 11:32:28 2007 : Debug:  unix: cache = no
> Tue Jul 10 11:32:28 2007 : Debug:  unix: passwd = "(null)"
> Tue Jul 10 11:32:28 2007 : Debug:  unix: shadow = "/etc/shadow"
> Tue Jul 10 11:32:28 2007 : Debug:  unix: group = "(null)"
> Tue Jul 10 11:32:28 2007 : Debug:  unix: radwtmp =
> "/var/log/freeradius/radwtmp"
> Tue Jul 10 11:32:28 2007 : Debug:  unix: usegroup = no
> Tue Jul 10 11:32:28 2007 : Debug:  unix: cache_reload = 600
> Tue Jul 10 11:32:28 2007 : Debug: Module: Instantiated unix (unix)
> Tue Jul 10 11:32:28 2007 : Debug: Module: Loaded LDAP
> Tue Jul 10 11:32:28 2007 : Debug:  ldap: server = "10.10.0.11"
> Tue Jul 10 11:32:28 2007 : Debug:  ldap: port = 636
> Tue Jul 10 11:32:28 2007 : Debug:  ldap: net_timeout = 1
> Tue Jul 10 11:32:28 2007 : Debug:  ldap: timeout = 4
> Tue Jul 10 11:32:28 2007 : Debug:  ldap: timelimit = 3
> Tue Jul 10 11:32:28 2007 : Debug:  ldap: identity = "cn=admin,o=wifi"
> Tue Jul 10 11:32:28 2007 : Debug:  ldap: tls_mode = no
> Tue Jul 10 11:32:28 2007 : Debug:  ldap: start_tls = yes
> Tue Jul 10 11:32:28 2007 : Debug:  ldap: tls_cacertfile =
> "/etc/freeradius/certs/WIFITREE_CA.b64"
> Tue Jul 10 11:32:28 2007 : Debug:  ldap: tls_certfile =
> "/etc/freeradius/certs/WIFITREE_CA.b64"
> Tue Jul 10 11:32:28 2007 : Debug:  ldap: tls_cacertdir = "(null)"
> Tue Jul 10 11:32:28 2007 : Debug:  ldap: tls_keyfile = "(null)"
> Tue Jul 10 11:32:28 2007 : Debug:  ldap: tls_randfile = "(null)"
> Tue Jul 10 11:32:28 2007 : Debug:  ldap: tls_require_cert = "allow"
> Tue Jul 10 11:32:28 2007 : Debug:  ldap: password = "******"
> Tue Jul 10 11:32:28 2007 : Debug:  ldap: basedn = "ou=adm,ou=malmo,o=wifi"
> Tue Jul 10 11:32:28 2007 : Debug:  ldap: filter =
> "(cn=%{Stripped-User-Name:-%{User-Name}})"
> Tue Jul 10 11:32:28 2007 : Debug:  ldap: base_filter =
> "(objectclass=radiusprofile)"
> Tue Jul 10 11:32:28 2007 : Debug:  ldap: default_profile = "(null)"
> Tue Jul 10 11:32:28 2007 : Debug:  ldap: profile_attribute = "(null)"
> Tue Jul 10 11:32:28 2007 : Debug:  ldap: password_header = "(null)"
> Tue Jul 10 11:32:28 2007 : Debug:  ldap: password_attribute = "nspmPassword"
> Tue Jul 10 11:32:28 2007 : Debug:  ldap: access_attr = "dialupAccess"
> Tue Jul 10 11:32:28 2007 : Debug:  ldap: groupname_attribute = "cn"
> Tue Jul 10 11:32:28 2007 : Debug:  ldap: groupmembership_filter =
> "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
> Tue Jul 10 11:32:28 2007 : Debug:  ldap: groupmembership_attribute =
> "(null)"
> Tue Jul 10 11:32:28 2007 : Debug:  ldap: dictionary_mapping =
> "/etc/freeradius/ldap.attrmap"
> Tue Jul 10 11:32:28 2007 : Debug:  ldap: ldap_debug = 0
> Tue Jul 10 11:32:28 2007 : Debug:  ldap: ldap_connections_number = 5
> Tue Jul 10 11:32:28 2007 : Debug:  ldap: compare_check_items = no
> Tue Jul 10 11:32:28 2007 : Debug:  ldap: access_attr_used_for_allow = yes
> Tue Jul 10 11:32:28 2007 : Debug:  ldap: do_xlat = yes
> Tue Jul 10 11:32:28 2007 : Debug:  ldap: edir_account_policy_check = yes
> Tue Jul 10 11:32:28 2007 : Debug:  ldap: set_auth_type = yes
> Tue Jul 10 11:32:28 2007 : Debug: rlm_ldap: Registering ldap_groupcmp for
> Ldap-Group
> Tue Jul 10 11:32:28 2007 : Debug: rlm_ldap: Registering ldap_xlat with
> xlat_name ldap
> Tue Jul 10 11:32:28 2007 : Debug: rlm_ldap: reading ldap<->radius mappings
> from file /etc/freeradius/ldap.attrmap
> Tue Jul 10 11:32:28 2007 : Debug: rlm_ldap: LDAP radiusCheckItem mapped to
> RADIUS $GENERIC$
> Tue Jul 10 11:32:28 2007 : Debug: rlm_ldap: LDAP radiusReplyItem mapped to
> RADIUS $GENERIC$
> Tue Jul 10 11:32:28 2007 : Debug: rlm_ldap: LDAP radiusAuthType mapped to
> RADIUS Auth-Type
> Tue Jul 10 11:32:28 2007 : Debug: rlm_ldap: LDAP radiusSimultaneousUse
> mapped to RADIUS Simultaneous-Use
> Tue Jul 10 11:32:28 2007 : Debug: rlm_ldap: LDAP radiusCalledStationId
> mapped to RADIUS Called-Station-Id
> Tue Jul 10 11:32:28 2007 : Debug: rlm_ldap: LDAP radiusCallingStationId
> mapped to RADIUS Calling-Station-Id
> Tue Jul 10 11:32:28 2007 : Debug: rlm_ldap: LDAP lmPassword mapped to RADIUS
> LM-Password
> Tue Jul 10 11:32:28 2007 : Debug: rlm_ldap: LDAP ntPassword mapped to RADIUS
> NT-Password
> Tue Jul 10 11:32:28 2007 : Debug: rlm_ldap: LDAP acctFlags mapped to RADIUS
> SMB-Account-CTRL-TEXT
> Tue Jul 10 11:32:28 2007 : Debug: rlm_ldap: LDAP radiusExpiration mapped to
> RADIUS Expiration
> Tue Jul 10 11:32:28 2007 : Debug: rlm_ldap: LDAP radiusNASIpAddress mapped
> to RADIUS NAS-IP-Address
> Tue Jul 10 11:32:28 2007 : Debug: rlm_ldap: LDAP radiusServiceType mapped to
> RADIUS Service-Type
> Tue Jul 10 11:32:28 2007 : Debug: rlm_ldap: LDAP radiusFramedProtocol mapped
> to RADIUS Framed-Protocol
> Tue Jul 10 11:32:28 2007 : Debug: rlm_ldap: LDAP radiusFramedIPAddress
> mapped to RADIUS Framed-IP-Address
> Tue Jul 10 11:32:28 2007 : Debug: rlm_ldap: LDAP radiusFramedIPNetmask
> mapped to RADIUS Framed-IP-Netmask
> Tue Jul 10 11:32:28 2007 : Debug: rlm_ldap: LDAP radiusFramedRoute mapped to
> RADIUS Framed-Route
> Tue Jul 10 11:32:28 2007 : Debug: rlm_ldap: LDAP radiusFramedRouting mapped
> to RADIUS Framed-Routing
> Tue Jul 10 11:32:28 2007 : Debug: rlm_ldap: LDAP radiusFilterId mapped to
> RADIUS Filter-Id
> Tue Jul 10 11:32:28 2007 : Debug: rlm_ldap: LDAP radiusFramedMTU mapped to
> RADIUS Framed-MTU
> Tue Jul 10 11:32:28 2007 : Debug: rlm_ldap: LDAP radiusFramedCompression
> mapped to RADIUS Framed-Compression
> Tue Jul 10 11:32:28 2007 : Debug: rlm_ldap: LDAP radiusLoginIPHost mapped to
> RADIUS Login-IP-Host
> Tue Jul 10 11:32:28 2007 : Debug: rlm_ldap: LDAP radiusLoginService mapped
> to RADIUS Login-Service
> Tue Jul 10 11:32:28 2007 : Debug: rlm_ldap: LDAP radiusLoginTCPPort mapped
> to RADIUS Login-TCP-Port
> Tue Jul 10 11:32:28 2007 : Debug: rlm_ldap: LDAP radiusCallbackNumber mapped
> to RADIUS Callback-Number
> Tue Jul 10 11:32:28 2007 : Debug: rlm_ldap: LDAP radiusCallbackId mapped to
> RADIUS Callback-Id
> Tue Jul 10 11:32:28 2007 : Debug: rlm_ldap: LDAP radiusFramedIPXNetwork
> mapped to RADIUS Framed-IPX-Network
> Tue Jul 10 11:32:28 2007 : Debug: rlm_ldap: LDAP radiusClass mapped to
> RADIUS Class
> Tue Jul 10 11:32:28 2007 : Debug: rlm_ldap: LDAP radiusSessionTimeout mapped
> to RADIUS Session-Timeout
> Tue Jul 10 11:32:28 2007 : Debug: rlm_ldap: LDAP radiusIdleTimeout mapped to
> RADIUS Idle-Timeout
> Tue Jul 10 11:32:28 2007 : Debug: rlm_ldap: LDAP radiusTerminationAction
> mapped to RADIUS Termination-Action
> Tue Jul 10 11:32:28 2007 : Debug: rlm_ldap: LDAP radiusLoginLATService
> mapped to RADIUS Login-LAT-Service
> Tue Jul 10 11:32:28 2007 : Debug: rlm_ldap: LDAP radiusLoginLATNode mapped
> to RADIUS Login-LAT-Node
> Tue Jul 10 11:32:28 2007 : Debug: rlm_ldap: LDAP radiusLoginLATGroup mapped
> to RADIUS Login-LAT-Group
> Tue Jul 10 11:32:28 2007 : Debug: rlm_ldap: LDAP radiusFramedAppleTalkLink
> mapped to RADIUS Framed-AppleTalk-Link
> Tue Jul 10 11:32:28 2007 : Debug: rlm_ldap: LDAP
> radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
> Tue Jul 10 11:32:28 2007 : Debug: rlm_ldap: LDAP radiusFramedAppleTalkZone
> mapped to RADIUS Framed-AppleTalk-Zone
> Tue Jul 10 11:32:28 2007 : Debug: rlm_ldap: LDAP radiusPortLimit mapped to
> RADIUS Port-Limit
> Tue Jul 10 11:32:28 2007 : Debug: rlm_ldap: LDAP radiusLoginLATPort mapped
> to RADIUS Login-LAT-Port
> Tue Jul 10 11:32:28 2007 : Debug: rlm_ldap: LDAP radiusReplyMessage mapped
> to RADIUS Reply-Message
> Tue Jul 10 11:32:28 2007 : Debug: conns: 0x8145988
> Tue Jul 10 11:32:28 2007 : Debug: Module: Instantiated ldap (ldap)
> Tue Jul 10 11:32:28 2007 : Debug: Module: Loaded eap
> Tue Jul 10 11:32:28 2007 : Debug:  eap: default_eap_type = "md5"
> Tue Jul 10 11:32:28 2007 : Debug:  eap: timer_expire = 60
> Tue Jul 10 11:32:28 2007 : Debug:  eap: ignore_unknown_eap_types = no
> Tue Jul 10 11:32:28 2007 : Debug:  eap: cisco_accounting_username_bug = no
> Tue Jul 10 11:32:28 2007 : Debug: rlm_eap: Loaded and initialized type md5
> Tue Jul 10 11:32:28 2007 : Debug: rlm_eap: Loaded and initialized type leap
> Tue Jul 10 11:32:28 2007 : Debug:  gtc: challenge = "Password: "
> Tue Jul 10 11:32:28 2007 : Debug:  gtc: auth_type = "PAP"
> Tue Jul 10 11:32:28 2007 : Debug: rlm_eap: Loaded and initialized type gtc
> Tue Jul 10 11:32:28 2007 : Debug:  mschapv2: with_ntdomain_hack = no
> Tue Jul 10 11:32:28 2007 : Debug: rlm_eap: Loaded and initialized type
> mschapv2
> Tue Jul 10 11:32:28 2007 : Debug: Module: Instantiated eap (eap)
> Tue Jul 10 11:32:28 2007 : Debug: Module: Loaded preprocess
> Tue Jul 10 11:32:28 2007 : Debug:  preprocess: huntgroups =
> "/etc/freeradius/huntgroups"
> Tue Jul 10 11:32:28 2007 : Debug:  preprocess: hints =
> "/etc/freeradius/hints"
> Tue Jul 10 11:32:28 2007 : Debug:  preprocess: with_ascend_hack = no
> Tue Jul 10 11:32:28 2007 : Debug:  preprocess: ascend_channels_per_line = 23
> Tue Jul 10 11:32:28 2007 : Debug:  preprocess: with_ntdomain_hack = no
> Tue Jul 10 11:32:28 2007 : Debug:  preprocess: with_specialix_jetstream_hack
> = no
> Tue Jul 10 11:32:28 2007 : Debug:  preprocess: with_cisco_vsa_hack = no
> Tue Jul 10 11:32:28 2007 : Debug:  preprocess: with_alvarion_vsa_hack = no
> Tue Jul 10 11:32:28 2007 : Debug: Module: Instantiated preprocess
> (preprocess)
> Tue Jul 10 11:32:28 2007 : Debug: Module: Loaded realm
> Tue Jul 10 11:32:28 2007 : Debug:  realm: format = "suffix"
> Tue Jul 10 11:32:28 2007 : Debug:  realm: delimiter = "@"
> Tue Jul 10 11:32:28 2007 : Debug:  realm: ignore_default = no
> Tue Jul 10 11:32:28 2007 : Debug:  realm: ignore_null = no
> Tue Jul 10 11:32:28 2007 : Debug: Module: Instantiated realm (suffix)
> Tue Jul 10 11:32:28 2007 : Debug: Module: Loaded files
> Tue Jul 10 11:32:28 2007 : Debug:  files: usersfile =
> "/etc/freeradius/users"
> Tue Jul 10 11:32:28 2007 : Debug:  files: acctusersfile =
> "/etc/freeradius/acct_users"
> Tue Jul 10 11:32:28 2007 : Debug:  files: preproxy_usersfile =
> "/etc/freeradius/preproxy_users"
> Tue Jul 10 11:32:28 2007 : Debug:  files: compat = "no"
> Tue Jul 10 11:32:28 2007 : Debug: Module: Instantiated files (files)
> Tue Jul 10 11:32:28 2007 : Debug: Module: Loaded Acct-Unique-Session-Id
> Tue Jul 10 11:32:28 2007 : Debug:  acct_unique: key = "User-Name,
> Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
> Tue Jul 10 11:32:28 2007 : Debug: Module: Instantiated acct_unique
> (acct_unique)
> Tue Jul 10 11:32:28 2007 : Debug: Module: Loaded detail
> Tue Jul 10 11:32:28 2007 : Debug:  detail: detailfile =
> "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
> Tue Jul 10 11:32:28 2007 : Debug:  detail: detailperm = 384
> Tue Jul 10 11:32:28 2007 : Debug:  detail: dirperm = 493
> Tue Jul 10 11:32:28 2007 : Debug:  detail: locking = no
> Tue Jul 10 11:32:28 2007 : Debug: Module: Instantiated detail (detail)
> Tue Jul 10 11:32:28 2007 : Debug: Module: Loaded radutmp
> Tue Jul 10 11:32:28 2007 : Debug:  radutmp: filename =
> "/var/log/freeradius/radutmp"
> Tue Jul 10 11:32:28 2007 : Debug:  radutmp: username = "%{User-Name}"
> Tue Jul 10 11:32:28 2007 : Debug:  radutmp: case_sensitive = yes
> Tue Jul 10 11:32:28 2007 : Debug:  radutmp: check_with_nas = yes
> Tue Jul 10 11:32:28 2007 : Debug:  radutmp: perm = 384
> Tue Jul 10 11:32:28 2007 : Debug:  radutmp: callerid = yes
> Tue Jul 10 11:32:28 2007 : Debug: Module: Instantiated radutmp (radutmp)
> Tue Jul 10 11:32:28 2007 : Debug: Listening on authentication *:1812
> Tue Jul 10 11:32:28 2007 : Debug: Listening on accounting *:1813
> Tue Jul 10 11:32:28 2007 : Info: Ready to process requests.
> rad_recv: Access-Request packet from host 10.10.0.28:32795, id=42,
> length=112
>         NAS-IP-Address = 10.10.0.29
>         NAS-Port = 0
>         NAS-Port-Type = Wireless-802.11
>         User-Name = "lotta"
>         User-Password = "********"
>         Calling-Station-Id = "000000000000"
>         Called-Station-Id = "000B86600DB2"
>         Aruba-Essid-Name = ""
>         Aruba-Location-Id = "0.0.0"
> Tue Jul 10 11:32:29 2007 : Debug:   Processing the authorize section of
> radiusd.conf
> Tue Jul 10 11:32:29 2007 : Debug: modcall: entering group authorize for
> request 0
> Tue Jul 10 11:32:29 2007 : Debug:   modsingle[authorize]: calling preprocess
> (rlm_preprocess) for request 0
> Tue Jul 10 11:32:29 2007 : Debug:   modsingle[authorize]: returned from
> preprocess (rlm_preprocess) for request 0
> Tue Jul 10 11:32:29 2007 : Debug:   modcall[authorize]: module "preprocess"
> returns ok for request 0
> Tue Jul 10 11:32:29 2007 : Debug:   modsingle[authorize]: calling chap
> (rlm_chap) for request 0
> Tue Jul 10 11:32:29 2007 : Debug:   modsingle[authorize]: returned from chap
> (rlm_chap) for request 0
> Tue Jul 10 11:32:29 2007 : Debug:   modcall[authorize]: module "chap"
> returns noop for request 0
> Tue Jul 10 11:32:29 2007 : Debug:   modsingle[authorize]: calling mschap
> (rlm_mschap) for request 0
> Tue Jul 10 11:32:29 2007 : Debug:   modsingle[authorize]: returned from
> mschap (rlm_mschap) for request 0
> Tue Jul 10 11:32:29 2007 : Debug:   modcall[authorize]: module "mschap"
> returns noop for request 0
> Tue Jul 10 11:32:29 2007 : Debug:   modsingle[authorize]: calling suffix
> (rlm_realm) for request 0
> Tue Jul 10 11:32:29 2007 : Debug:     rlm_realm: No '@' in User-Name =
> "lotta", looking up realm NULL
> Tue Jul 10 11:32:29 2007 : Debug:     rlm_realm: No such realm "NULL"
> Tue Jul 10 11:32:29 2007 : Debug:   modsingle[authorize]: returned from
> suffix (rlm_realm) for request 0
> Tue Jul 10 11:32:29 2007 : Debug:   modcall[authorize]: module "suffix"
> returns noop for request 0
> Tue Jul 10 11:32:29 2007 : Debug:   modsingle[authorize]: calling eap
> (rlm_eap) for request 0
> Tue Jul 10 11:32:29 2007 : Debug:   rlm_eap: No EAP-Message, not doing EAP
> Tue Jul 10 11:32:29 2007 : Debug:   modsingle[authorize]: returned from eap
> (rlm_eap) for request 0
> Tue Jul 10 11:32:29 2007 : Debug:   modcall[authorize]: module "eap" returns
> noop for request 0
> Tue Jul 10 11:32:29 2007 : Debug:   modsingle[authorize]: calling files
> (rlm_files) for request 0
> Tue Jul 10 11:32:29 2007 : Debug:     users: Matched entry DEFAULT at line
> 152
> Tue Jul 10 11:32:29 2007 : Debug:   modsingle[authorize]: returned from
> files (rlm_files) for request 0
> Tue Jul 10 11:32:29 2007 : Debug:   modcall[authorize]: module "files"
> returns ok for request 0
> Tue Jul 10 11:32:29 2007 : Debug:   modsingle[authorize]: calling ldap
> (rlm_ldap) for request 0
> Tue Jul 10 11:32:29 2007 : Debug: rlm_ldap: - authorize
> Tue Jul 10 11:32:29 2007 : Debug: rlm_ldap: performing user authorization
> for lotta
> Tue Jul 10 11:32:29 2007 : Debug: radius_xlat:  '(cn=lotta)'
> Tue Jul 10 11:32:29 2007 : Debug: radius_xlat:  'ou=adm,ou=malmo,o=wifi'
> Tue Jul 10 11:32:29 2007 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
> Tue Jul 10 11:32:29 2007 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
> Tue Jul 10 11:32:29 2007 : Debug: rlm_ldap: attempting LDAP reconnection
> Tue Jul 10 11:32:29 2007 : Debug: rlm_ldap: (re)connect to 10.10.0.11:636,
> authentication 0
> Tue Jul 10 11:32:29 2007 : Debug: rlm_ldap: setting TLS mode to 1
> Tue Jul 10 11:32:29 2007 : Debug: rlm_ldap: setting TLS CACert File to
> /etc/freeradius/certs/WIFITREE_CA.b64
> Tue Jul 10 11:32:29 2007 : Debug: rlm_ldap: setting TLS CACert Directory to
> /etc/freeradius/certs/
> Tue Jul 10 11:32:29 2007 : Debug: rlm_ldap: setting TLS Cert File to
> /etc/freeradius/certs/WIFITREE_CA.b64
> Tue Jul 10 11:32:29 2007 : Debug: rlm_ldap: starting TLS
> Tue Jul 10 11:32:30 2007 : Debug: rlm_ldap: ldap_start_tls_s()
> Tue Jul 10 11:32:30 2007 : Error: rlm_ldap: could not start TLS Can't
> contact LDAP server
> Tue Jul 10 11:32:30 2007 : Error: rlm_ldap: (re)connection attempt failed
> Tue Jul 10 11:32:30 2007 : Debug: rlm_ldap: search failed
> Tue Jul 10 11:32:30 2007 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
> Tue Jul 10 11:32:30 2007 : Debug:   modsingle[authorize]: returned from ldap
> (rlm_ldap) for request 0
> Tue Jul 10 11:32:30 2007 : Debug:   modcall[authorize]: module "ldap"
> returns fail for request 0
> Tue Jul 10 11:32:30 2007 : Debug: modcall: leaving group authorize (returns
> fail) for request 0
> Tue Jul 10 11:32:30 2007 : Debug: Finished request 0
> Tue Jul 10 11:32:30 2007 : Debug: Going to the next request
> Tue Jul 10 11:32:30 2007 : Debug: --- Walking the entire request list ---
> Tue Jul 10 11:32:30 2007 : Debug: Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 10.10.0.28:32795, id=42,
> length=112
> Tue Jul 10 11:32:31 2007 : Debug: Discarding duplicate request from client
> localhost:32795 - ID: 42
> Tue Jul 10 11:32:31 2007 : Debug: --- Walking the entire request list ---
> Tue Jul 10 11:32:31 2007 : Debug: Waking up in 4 seconds...
> rad_recv: Access-Request packet from host 10.10.0.28:32795, id=42,
> length=112
> Tue Jul 10 11:32:33 2007 : Debug: Discarding duplicate request from client
> localhost:32795 - ID: 42
> Tue Jul 10 11:32:33 2007 : Debug: --- Walking the entire request list ---
> Tue Jul 10 11:32:33 2007 : Debug: Waking up in 2 seconds...
> Tue Jul 10 11:32:35 2007 : Debug: --- Walking the entire request list ---
> Tue Jul 10 11:32:35 2007 : Debug: Cleaning up request 0 ID 42 with timestamp
> 4693522d
> Tue Jul 10 11:32:35 2007 : Debug: Nothing to do.  Sleeping until we see a
> request.
> rad_recv: Access-Request packet from host 10.10.0.28:32795, id=42,
> length=112
>         NAS-IP-Address = 10.10.0.29
>         NAS-Port = 0
>         NAS-Port-Type = Wireless-802.11
>         User-Name = "lotta"
>         User-Password = "******"
>         Calling-Station-Id = "000000000000"
>         Called-Station-Id = "000B86600DB2"
>         Aruba-Essid-Name = ""
>         Aruba-Location-Id = "0.0.0"
> Tue Jul 10 11:32:35 2007 : Debug:   Processing the authorize section of
> radiusd.conf
> Tue Jul 10 11:32:35 2007 : Debug: modcall: entering group authorize for
> request 1
> Tue Jul 10 11:32:35 2007 : Debug:   modsingle[authorize]: calling preprocess
> (rlm_preprocess) for request 1
> Tue Jul 10 11:32:35 2007 : Debug:   modsingle[authorize]: returned from
> preprocess (rlm_preprocess) for request 1
> Tue Jul 10 11:32:35 2007 : Debug:   modcall[authorize]: module "preprocess"
> returns ok for request 1
> Tue Jul 10 11:32:35 2007 : Debug:   modsingle[authorize]: calling chap
> (rlm_chap) for request 1
> Tue Jul 10 11:32:35 2007 : Debug:   modsingle[authorize]: returned from chap
> (rlm_chap) for request 1
> Tue Jul 10 11:32:35 2007 : Debug:   modcall[authorize]: module "chap"
> returns noop for request 1
> Tue Jul 10 11:32:35 2007 : Debug:   modsingle[authorize]: calling mschap
> (rlm_mschap) for request 1
> Tue Jul 10 11:32:35 2007 : Debug:   modsingle[authorize]: returned from
> mschap (rlm_mschap) for request 1
> Tue Jul 10 11:32:35 2007 : Debug:   modcall[authorize]: module "mschap"
> returns noop for request 1
> Tue Jul 10 11:32:35 2007 : Debug:   modsingle[authorize]: calling suffix
> (rlm_realm) for request 1
> Tue Jul 10 11:32:35 2007 : Debug:     rlm_realm: No '@' in User-Name =
> "lotta", looking up realm NULL
> Tue Jul 10 11:32:35 2007 : Debug:     rlm_realm: No such realm "NULL"
> Tue Jul 10 11:32:35 2007 : Debug:   modsingle[authorize]: returned from
> suffix (rlm_realm) for request 1
> Tue Jul 10 11:32:35 2007 : Debug:   modcall[authorize]: module "suffix"
> returns noop for request 1
> Tue Jul 10 11:32:35 2007 : Debug:   modsingle[authorize]: calling eap
> (rlm_eap) for request 1
> Tue Jul 10 11:32:35 2007 : Debug:   rlm_eap: No EAP-Message, not doing EAP
> Tue Jul 10 11:32:35 2007 : Debug:   modsingle[authorize]: returned from eap
> (rlm_eap) for request 1
> Tue Jul 10 11:32:35 2007 : Debug:   modcall[authorize]: module "eap" returns
> noop for request 1
> Tue Jul 10 11:32:35 2007 : Debug:   modsingle[authorize]: calling files
> (rlm_files) for request 1
> Tue Jul 10 11:32:35 2007 : Debug:     users: Matched entry DEFAULT at line
> 152
> Tue Jul 10 11:32:35 2007 : Debug:   modsingle[authorize]: returned from
> files (rlm_files) for request 1
> Tue Jul 10 11:32:35 2007 : Debug:   modcall[authorize]: module "files"
> returns ok for request 1
> Tue Jul 10 11:32:35 2007 : Debug:   modsingle[authorize]: calling ldap
> (rlm_ldap) for request 1
> Tue Jul 10 11:32:35 2007 : Debug: rlm_ldap: - authorize
> Tue Jul 10 11:32:35 2007 : Debug: rlm_ldap: performing user authorization
> for lotta
> Tue Jul 10 11:32:35 2007 : Debug: radius_xlat:  '(cn=lotta)'
> Tue Jul 10 11:32:35 2007 : Debug: radius_xlat:  'ou=adm,ou=malmo,o=wifi'
> Tue Jul 10 11:32:35 2007 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
> Tue Jul 10 11:32:35 2007 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
> Tue Jul 10 11:32:35 2007 : Debug: rlm_ldap: attempting LDAP reconnection
> Tue Jul 10 11:32:35 2007 : Debug: rlm_ldap: (re)connect to 10.10.0.11:636,
> authentication 0
> Tue Jul 10 11:32:35 2007 : Debug: rlm_ldap: setting TLS mode to 1
> Tue Jul 10 11:32:35 2007 : Debug: rlm_ldap: setting TLS CACert File to
> /etc/freeradius/certs/WIFITREE_CA.b64
> Tue Jul 10 11:32:35 2007 : Debug: rlm_ldap: setting TLS CACert Directory to
> /etc/freeradius/certs/
> Tue Jul 10 11:32:35 2007 : Debug: rlm_ldap: setting TLS Cert File to
> /etc/freeradius/certs/WIFITREE_CA.b64
> Tue Jul 10 11:32:35 2007 : Debug: rlm_ldap: starting TLS
> Tue Jul 10 11:32:35 2007 : Debug: rlm_ldap: ldap_start_tls_s()
> Tue Jul 10 11:32:35 2007 : Error: rlm_ldap: could not start TLS Can't
> contact LDAP server
> Tue Jul 10 11:32:35 2007 : Error: rlm_ldap: (re)connection attempt failed
> Tue Jul 10 11:32:35 2007 : Debug: rlm_ldap: search failed
> Tue Jul 10 11:32:35 2007 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
> Tue Jul 10 11:32:35 2007 : Debug:   modsingle[authorize]: returned from ldap
> (rlm_ldap) for request 1
> Tue Jul 10 11:32:35 2007 : Debug:   modcall[authorize]: module "ldap"
> returns fail for request 1
> Tue Jul 10 11:32:35 2007 : Debug: modcall: leaving group authorize (returns
> fail) for request 1
> Tue Jul 10 11:32:35 2007 : Debug: Finished request 1
> Tue Jul 10 11:32:35 2007 : Debug: Going to the next request
> Tue Jul 10 11:32:35 2007 : Debug: --- Walking the entire request list ---
> Tue Jul 10 11:32:35 2007 : Debug: Waking up in 6 seconds...
>
> Hope someone got any help.
> /Mr G
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
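
Added example (not part of either message above, and not FreeRADIUS code): a small Python linter for the TLS-related rlm_ldap settings discussed in this thread, run over the values from the quoted debug log and from the module in the reply. The sample blocks, finding names and PEM skeleton are constructed for illustration; the PEM check is included because a file used as tls_cacertfile only needs the CA certificate.

```python
import re

# Constructed sample: the LDAP settings visible in the quoted debug log.
FAILING = """
ldap {
    server = "10.10.0.11"
    port = 636
    start_tls = yes
    tls_cacertfile = "/etc/freeradius/certs/WIFITREE_CA.b64"
    tls_certfile = "/etc/freeradius/certs/WIFITREE_CA.b64"
    tls_require_cert = "allow"
}
"""

# Constructed sample: the TLS settings from the module in the reply.
WORKING = """
ldap ldap1 {
    server = 192.168.1.40
    port = 636
    start_tls = no
    tls_cacertfile = /certs/edir/edir.pem
    tls_certfile = /certs/edir/client.pem
    tls_keyfile = /certs/edir/client.pem
    tls_require_cert = "demand"
    #tls_mode = yes
}
"""

# Constructed PEM skeleton: a certificate followed by a private key, the
# layout produced by concatenating a cert file and a key file.
BUNDLE_WITH_KEY = (
    "-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\n(placeholder)\n-----END PRIVATE KEY-----\n"
)

PAIR = re.compile(r'^\s*([A-Za-z_][\w-]*)\s*=\s*(.*?)\s*$')
PEM_BEGIN = re.compile(r'-----BEGIN ([A-Z0-9 ]+)-----')


def parse_module(text):
    """Return {key: value} for 'key = value' lines; full-line comments are skipped."""
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith('#'):
            continue
        m = PAIR.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip('"')
    return settings


def lint(settings):
    """Return a list of (id, message) findings for the TLS-related settings."""
    out = []
    port = settings.get('port', '389')
    start_tls = settings.get('start_tls', 'no') == 'yes'
    tls_mode = settings.get('tls_mode', 'no') == 'yes'
    if start_tls and port == '636':
        out.append(('starttls-on-ldaps-port',
                    'port 636 expects TLS from the first byte; StartTLS '
                    'upgrades a plain LDAP connection (normally port 389)'))
    if not (start_tls or tls_mode or port == '636'):
        out.append(('no-tls', 'nothing in this module asks for TLS'))
    if settings.get('tls_require_cert') not in ('demand', 'hard'):
        out.append(('server-cert-not-required',
                    'tls_require_cert is not "demand": a valid server '
                    'certificate is not required'))
    cert = settings.get('tls_certfile')
    if cert and cert == settings.get('tls_cacertfile'):
        out.append(('ca-file-as-client-cert',
                    'tls_certfile points at the CA file, not a client cert'))
    if cert and not settings.get('tls_keyfile'):
        out.append(('client-cert-without-key',
                    'tls_certfile is set but tls_keyfile is not'))
    return out


def finding_ids(text):
    """Finding ids for a module block given as text."""
    return [fid for fid, _ in lint(parse_module(text))]


def pem_block_types(pem_text):
    """List the PEM block labels found in a file, in order."""
    return PEM_BEGIN.findall(pem_text)


def trust_file_has_private_key(pem_text):
    """True if a file intended as a CA trust file also carries a private key."""
    return any(t.endswith('PRIVATE KEY') for t in pem_block_types(pem_text))


if __name__ == '__main__':
    for name, sample in (('failing', FAILING), ('working', WORKING)):
        print(name, finding_ids(sample))
    print('private key in trust file:', trust_file_has_private_key(BUNDLE_WITH_KEY))
```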
