Hi Heikki, many thanks for your reply!
I modified Ldap.pm (debug output for IO::Socket::SSL). Configuration snippet:
-----------------------------------
<AuthBy GROUP>
        Identifier ldap123
        AuthByPolicy ContinueWhileAccept
        <AuthBy LDAP2>
                Host kit-dc-04.kit.edu
                Port 636
                Version 3
                UseSSL
                SSLCAFile %D/certificates/ca.pem
                Timeout 3
                ...
        </AuthBy>
        <AuthBy ...>
                ....
        </AuthBy>
</AuthBy>

<Handler ...>
        RewriteFunction file:"%D/hooks/email2sam.pl"
        AuthBy ldap123
        ...
</Handler>
-----------------------------------

file:"%D/hooks/email2sam.pl": In this RewriteFunction I need an LDAPS connection, too. If it's not the same host, the second authentication with this handler (after a restart of Radiator) will fail.

email2sam.pl:
------------------------------
sub {
    my $user = shift;                 # user name handed in by Radiator (not in the posted snippet)
    my $host = "kit-ad.scc.kit.edu";
    require Net::LDAPS;
    my $ldap = Net::LDAPS->new($host,
                               port    => 636,
                               timeout => 3,
                               verify  => 'require',
                               cafile  => '/etc/radiator/certificates/ca.pem')
        or return $user;              # fall back to the unrewritten name if LDAPS fails
    ...
    my $user_new = ...
    return $user_new;
}
------------------------------

In the IO::Socket::SSL debug log you see the two connections. The first is the RewriteFunction's one and the second the AuthBy's one.

* 1st authentication with this handler:

a.) RewriteFunction email2sam
[...]
DEBUG: .../IO/Socket/SSL.pm:1210: identity=kit-ad.scc.kit.edu cn=kit-ad.scc.kit.edu alt=1 f...@scc.kit.edu
DEBUG: .../IO/Socket/SSL.pm:446: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:456: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:466: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:486: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:446: Net::SSLeay::connect -> 1
DEBUG: .../IO/Socket/SSL.pm:501: ssl handshake done

b.) AuthBy LDAP2
[...]
DEBUG: .../IO/Socket/SSL.pm:1210: identity=kit-dc-04.kit.edu cn=kit-dc-04.kit.edu alt=2 kit-dc-04.kit.edu 2 kit-dc.kit.edu
DEBUG: .../IO/Socket/SSL.pm:446: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:456: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:466: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:486: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:446: Net::SSLeay::connect -> 1
DEBUG: .../IO/Socket/SSL.pm:501: ssl handshake done

=> Everything ok.

* 2nd authentication with this handler:

a.) RewriteFunction email2sam
[...]
DEBUG: .../IO/Socket/SSL.pm:1210: identity=kit-dc-04.kit.edu cn=kit-ad.scc.kit.edu alt=1 f...@scc.kit.edu
DEBUG: .../IO/Socket/SSL.pm:446: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:1328: SSL connect attempt failed with unknown error error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
DEBUG: .../IO/Socket/SSL.pm:452: fatal SSL error: SSL connect attempt failed with unknown error error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
DEBUG: .../IO/Socket/SSL.pm:1328: IO::Socket::IP configuration failed error:00000000:lib(0):func(0):reason(0)

b.) AuthBy LDAP2
[...]
DEBUG: .../IO/Socket/SSL.pm:1210: identity=kit-dc-04.kit.edu cn=kit-dc-04.kit.edu alt=2 kit-dc-04.kit.edu 2 kit-dc.kit.edu
DEBUG: .../IO/Socket/SSL.pm:446: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:456: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:466: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:486: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:446: Net::SSLeay::connect -> 1
DEBUG: .../IO/Socket/SSL.pm:501: ssl handshake done

=> The RewriteFunction's LDAP connection failed because of a wrong identity. It seems that the identity is cached from the AuthBy LDAP2 before. I'm not even sure what this identity in an SSL connection means.
So I'd be happy if someone has an idea how this can be fixed.

Best Regards
Klara

On Tue, Nov 12, 2013 at 12:23:53AM +0100, Heikki Vatiainen wrote:
> On 11/11/2013 11:58 PM, Klara Mall wrote:
>
> > With this configuration the connection fails about half of the time (not
> > always) with:
> > "ERR: Could not open LDAP connection to ad.example.com:636. Backing off
> > for 600 seconds."
> >
> > I had a look at Ldap.pm from the radiator code and wrote this little
> > Perl program:
> > -------------------
>
> Hello Klara,
>
> If you add the 'use ...' before require and then run the script, do you
> get debug output from IO::Socket::SSL? I have not tried this myself, but
> my understanding is IO::Socket::SSL is what Net::LDAP uses for LDAPS.
>
> If you do get debug output, you could try modifying Ldap.pm a bit more
> and make it load IO::Socket::SSL with debug enabled.
>
> When you then run radiusd with -foreground and -log_stdout options, you
> should see the debug output when LDAPS connections are created.
>
> Maybe this debug would show what goes wrong.
>
> use IO::Socket::SSL qw(debug3);
>
> > require Net::LDAPS;
> >
> > my $host = "ad.example.com";
> >
> > my $ldap = new Net::LDAPS($host,
> >                           port       => 636,
> >                           verify     => 'require',
> >                           localaddr  => '',
> >                           multihomed => 1,
> >                           version    => 3,
> >                           inet6      => 0,
> >                           timeout    => 3,
> >                           cafile     => '/etc/radiator/certificates/deutsche-ca.pem');
> > if (!$ldap) { print "error\n"; exit; }
> > else { print "success\n"; exit; }
>
> Thanks,
> Heikki
>
> --
> Heikki Vatiainen <h...@open.com.au>
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> NetWare etc.
> _______________________________________________
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
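To make the "identity" in those debug lines concrete: IO::Socket::SSL takes the expected identity from its SSL_verifycn_name setting, falling back to the host it was asked to connect to (PeerHost), and compares it against the names in the server certificate; "cn=" is the subject CN and the number after "alt=" is the OpenSSL GENERAL_NAME type of each subjectAltName entry (1 = e-mail address, 2 = DNS name). Whatever sets the identity, the second RewriteFunction connection above fails because kit-dc-04.kit.edu is neither the CN nor a DNS SAN of the certificate kit-ad.scc.kit.edu presents. The following is an added example for this thread, not code from Radiator, Net::LDAP or IO::Socket::SSL: a simplified RFC 6125-style model of that check in Python, replayed over the three identity/certificate pairs visible in the log. The check_cn switch mirrors the two CN policies IO::Socket::SSL offers (CN only when the certificate has no DNS SAN, or always as a fallback); which one Net::LDAP selects is not shown on this page, so it is left as a parameter.

```python
"""Model of the TLS server-identity check behind IO::Socket::SSL's
"identity=... cn=... alt=..." debug line.

Added illustration for this thread; it is not code from Radiator,
Net::LDAP or IO::Socket::SSL, only a simplified RFC 6125-style matcher
that reproduces the outcomes visible in the log above.
"""

# OpenSSL GENERAL_NAME type tags, which is what the number after "alt="
# in the debug line is (1 = e-mail address, 2 = DNS name).
GEN_EMAIL = 1
GEN_DNS = 2


def dns_name_matches(pattern, identity):
    """Match one DNS name from the certificate against the expected identity.

    Comparison is case-insensitive. A single '*' is honoured only as the
    whole left-most label and must not swallow an empty label or span a
    dot, e.g. '*.kit.edu' matches 'kit-dc.kit.edu' but neither 'kit.edu'
    nor 'a.b.kit.edu'.
    """
    pattern = pattern.lower().rstrip('.')
    identity = identity.lower().rstrip('.')
    if pattern == identity:
        return True
    if not pattern.startswith('*.'):
        return False
    p_labels = pattern.split('.')
    i_labels = identity.split('.')
    if len(p_labels) != len(i_labels) or len(i_labels) < 3:
        return False
    return p_labels[1:] == i_labels[1:] and i_labels[0] != ''


def verify_identity(identity, cn, alt_names, check_cn='when_only'):
    """Return (ok, reason) for an expected identity against a certificate's names.

    alt_names is a list of (type, value) pairs as printed after "alt=".
    DNS subjectAltNames are checked first. check_cn='when_only' falls back
    to the subject CN only if the certificate carries no DNS SAN at all;
    check_cn='always' tries the CN as a fallback regardless. Wildcards are
    never honoured in the CN.
    """
    dns_sans = [value for kind, value in alt_names if kind == GEN_DNS]
    for san in dns_sans:
        if dns_name_matches(san, identity):
            return True, 'matched subjectAltName DNS %s' % san
    if check_cn == 'always' or (check_cn == 'when_only' and not dns_sans):
        if cn and cn.lower().rstrip('.') == identity.lower().rstrip('.'):
            return True, 'matched CN %s' % cn
    return False, 'identity %s matches neither cn=%s nor alt=%r' % (identity, cn, alt_names)


# Certificate names copied from the debug lines in the post above. The
# e-mail SAN is reproduced as it appears there (redacted); it is of type 1,
# not 2, so it never takes part in host-name matching anyway.
KIT_AD_CERT = ('kit-ad.scc.kit.edu', [(GEN_EMAIL, 'f...@scc.kit.edu')])
KIT_DC_CERT = ('kit-dc-04.kit.edu', [(GEN_DNS, 'kit-dc-04.kit.edu'),
                                     (GEN_DNS, 'kit-dc.kit.edu')])


def replay_log():
    """Re-run the three identity checks seen in the log, keyed by step."""
    cases = {
        # 1st run, RewriteFunction: identity is the host actually dialled.
        'run1_rewrite': ('kit-ad.scc.kit.edu', KIT_AD_CERT),
        # 2nd run, RewriteFunction: identity is the AuthBy's host instead,
        # while the presented certificate is still kit-ad's.
        'run2_rewrite': ('kit-dc-04.kit.edu', KIT_AD_CERT),
        # AuthBy LDAP2 in both runs.
        'authby':       ('kit-dc-04.kit.edu', KIT_DC_CERT),
    }
    return {step: verify_identity(identity, cn, alt)
            for step, (identity, (cn, alt)) in cases.items()}


if __name__ == '__main__':
    for step, (ok, reason) in replay_log().items():
        print('%-13s %-4s %s' % (step, 'ok' if ok else 'FAIL', reason))
```

Running it prints run1_rewrite and authby as ok and run2_rewrite as FAIL with the identity/cn/alt triple from the log, which is exactly the situation behind the "certificate verify failed" line. When debugging a report like this, the useful question is therefore not only "does the CA file verify the chain" but "which expected identity did the client use for this particular connection".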