Hi Mike, got the solution for the StartTLS problem with AuthLDAP2:
Karl Gaissmaier wrote:
> Hi Mike or Hugh,
>
> I'd like to use AuthLDAP2 with StartTLS. I can't find any docu
> in the reference manual but in the code I find the parameters.
>
> Anyway, if I try it with:
>
> <Handler Client-Identifier=localhost, Called-Station-Id=DIALIN>
>     <AuthBy LDAP2>
>         Host xxx.yyy.uni-ulm.de
>         Port zzzz
>         Version 3
>         UseTLS
>         SSLVerify none
>         AuthDN cn=foo,ou=bar,ou=baz,dc=uni-ulm,dc=de
>         AuthPassword mysecret
>         NoDefault
>         BaseDN ou=foo,dc=uni-ulm,dc=de
>         Scope one
>         UsernameAttr uid
>         PasswordAttr userpassword
>     </AuthBy>
> </Handler>
>
> I get the following error:
>
> Mon Jul 1 17:08:32 2002: DEBUG: Handling request with Handler 'Client-Identifier=localhost, Called-Station-Id=DIALIN'
> Mon Jul 1 17:08:32 2002: DEBUG: Deleting session for dialin, 0.0.0.0, 0
> Mon Jul 1 17:08:32 2002: DEBUG: Handling with Radius::AuthLDAP2:
> Mon Jul 1 17:08:32 2002: INFO: Connecting to frago.rz.uni-ulm.de, port 9999
> Mon Jul 1 17:08:32 2002: DEBUG: Starting TLS
> Mon Jul 1 17:08:32 2002: ERR: StartTLS failed: Operations error

The problem is with inconsistencies between the newest versions of IO::Socket::SSL and net-ldap, as is already discussed on the perl-ldap-dev mailing list. I downgraded to IO::Socket::SSL 0.80 and it works so far:

Wed Jul 3 18:36:37 2002: DEBUG: Handling with Radius::AuthLDAP2:
Wed Jul 3 18:36:37 2002: INFO: Connecting to foo.bar.uni-ulm.de, port xyz
Wed Jul 3 18:36:37 2002: DEBUG: Starting TLS
Wed Jul 3 18:36:38 2002: INFO: StartTLS negotiated with cipher mode DES-CBC3-SHA
Wed Jul 3 18:36:38 2002: INFO: Attempting to bind with cn=xyzxyz,ou=baz,ou=foo,dc=uni-ulm,dc=de, xyzxyz (server asdf.as.uni-ulm.de:9999)
Wed Jul 3 18:36:38 2002: DEBUG: LDAP got result for cn=xyzxyz,ou=baz,dc=uni-ulm,dc=de
Wed Jul 3 18:36:38 2002: DEBUG: LDAP got userPassword: {CRYPT}.........
Wed Jul 3 18:36:38 2002: DEBUG: Radius::AuthLDAP2 looks for match with xyzxyz
Wed Jul 3 18:36:38 2002: DEBUG: Radius::AuthLDAP2 ACCEPT:
Wed Jul 3 18:36:38 2002: DEBUG: Access accepted for xyzxyz

The relevant radiator config file snippet is (no other things must be configured dealing with certs and keys):

Version 3
UseTLS
SSLVerify none
SSLCAFile

I use verify=none, because I will not check the server certificate at the moment. Anyway, I have to set the argument SSLCAFile with an empty value, otherwise radiator crashes with the following error message:

Can't call method "get_context_handle" without a package or object reference at /radiator/perl/lib/site_perl/5.6.1/IO/Socket/SSL.pm line 602.

I think this could be corrected by Mike with a proper SSLCAFile empty default value if the SSLVerify is "none", or better, validation of the config input before calling the underlying modules like Net::LDAP and Net::LDAPS.

Regards
Charly

--
Karl Gaissmaier       Computing Center, University of Ulm, Germany
Email: [EMAIL PROTECTED]       Network Administration
Tel.: ++49 731 50-22499

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
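The post ends by asking for validation of the config input before it reaches Net::LDAP. As an added example (not Radiator's code, nor anything posted in this thread), the small linter below reads an <AuthBy LDAP2> clause and flags the combination described above: UseTLS with SSLVerify none and an empty SSLCAFile, which negotiates TLS but never checks who the LDAP server is. The parameter names UseTLS, SSLVerify and SSLCAFile come from the post; the two clauses, the host name and the CA file path are constructed for the example.

```python
"""Linter for the TLS parameters of a Radiator <AuthBy LDAP2> clause.

Added example, not part of Radiator: it performs the config validation the
post asks for, before the clause is handed to the server.  Parameter names
come from the post; the clauses, host and CA path below are constructed.
"""

import re

# Constructed clause mirroring the weak setup in the post: StartTLS is used,
# but the server certificate is never verified (SSLVerify none, no CA file).
WEAK_CLAUSE = """
<AuthBy LDAP2>
    Host ldap.example.org
    Port 389
    Version 3
    UseTLS
    SSLVerify none
    SSLCAFile
</AuthBy>
"""

# Constructed hardened clause: the server certificate must chain to the CA in
# the named file (placeholder path) or the bind is refused.
HARDENED_CLAUSE = """
<AuthBy LDAP2>
    Host ldap.example.org
    Port 389
    Version 3
    UseTLS
    SSLVerify require
    SSLCAFile /etc/radiator/ca.pem
</AuthBy>
"""


def parse_authby(text):
    """Return {parameter: value} for the lines inside an <AuthBy ...> clause.

    A parameter given without a value (a bare 'UseTLS' or an empty
    'SSLCAFile') maps to the empty string, so callers can tell "set but
    empty" from "absent".
    """
    params = {}
    in_clause = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if re.match(r'<AuthBy\b', line, re.I):
            in_clause = True
            continue
        if re.match(r'</AuthBy>', line, re.I):
            in_clause = False
            continue
        if in_clause:
            parts = line.split(None, 1)
            params[parts[0]] = parts[1].strip() if len(parts) > 1 else ''
    return params


def check_tls(params):
    """Return a list of findings; an empty list means the clause is acceptable."""
    findings = []
    if 'UseTLS' not in params:
        # No StartTLS requested; plaintext LDAP is outside this check's scope.
        return findings
    verify = params.get('SSLVerify', '').lower()
    if verify != 'require':
        findings.append(
            "SSLVerify is '%s': the LDAP server certificate is not enforced"
            % (verify or 'unset'))
    if not params.get('SSLCAFile'):
        findings.append(
            "SSLCAFile is empty or missing: StartTLS has no CA to validate against")
    return findings


def lint(text):
    """Convenience wrapper: parse a clause and return its TLS findings."""
    return check_tls(parse_authby(text))


if __name__ == '__main__':
    for name, clause in (('weak', WEAK_CLAUSE), ('hardened', HARDENED_CLAUSE)):
        print(name, lint(clause) or 'ok')
```

Run as a script it reports two findings for the weak clause and "ok" for the hardened one. The parser deliberately keeps an empty SSLCAFile distinct from an absent one, because the post shows that the empty value is exactly what makes the Perl stack crash instead of failing the configuration cleanly.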