Thanks for the information. The stdout/console logs yielded no additional information from Perl’s LDAP library, still only "ERR: Could not open LDAP connection to *redacted*:636. Backing off for 60 seconds" so I decided to look into SSL issues as the next logical step.
It turns out that the server on which we are running Radiator is using a newer
version of OpenSSL that enforces against using weak DH keys (to prevent Logjam
attack). Using "openssl s_client -showcerts" to connect and show the server
SSL certificates, I could see openssl reporting that the certificate on the
LDAP server was using a certificate with a “too small” DH key:
140309439825560:error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh
key too small:s3_clnt.c:3615:
I resolved this by disallowing DH ciphers sent by the client in the radius
config:
SSLCiphers DEFAULT:!EXPORT:!LOW:!DH
Radiator is now able to connect (and bind) to the LDAP server over SSL.
—Jennifer
> On May 11, 2016, at 9:42 AM, Tuure Vartiainen <[email protected]> wrote:
>
> Hello,
>
>> On 11 May 2016, at 01:49, Jennifer Mehl <[email protected]> wrote:
>>
>> I’m working on setting up a new RADIUS client/handler, and am having trouble
>> diagnosing why connections from Radiator to an LDAP server are failing.
>>
>> Using the ldapsearch command from the same system, using the same
>> AuthDN/password yields a successful result.
>>
>> I’m wondering if there is an error being kicked off somewhere from the LDAP
>> or SSL Perl modules that I can’t see. Or is there an open/broken connection
>> to the LDAP server being cached somewhere that needs a “reset?”
>>
>> I’ve turned on Trace 5 in radius.cfg and “Debug 255” in the AuthByLDAP2
>> clause, but not seeing a lot in the logs about the reason for the failure.
>>
>
> Perl’s LDAP library’s debug output, which is enabled with “Debug 255”,
> can only be seen on a console when running Radiator on a foreground.
>
> E.g.
>
> $ perl radiusd -config /etc/radiator/radius.cfg -trace 4 -log_stdout
> -foreground
>
>
> BR
> --
> Tuure Vartiainen <[email protected]>
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> NetWare etc.
>
> _______________________________________________
> radiator mailing list
> [email protected]
> http://www.open.com.au/mailman/listinfo/radiator
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ radiator mailing list [email protected] http://www.open.com.au/mailman/listinfo/radiator
