Re: RADIUS + LDAP + SSL
> I realize the second bind is for authentication. However, it's trying
> to bind as Usuari instead of the numeric UserID mentioned elsewhere
> in your log. It looks like this might be related to some sort of group
> authentication. It also looks like the LDAP bind doesn't return failure,
> but simply times out. (Note there is no mention of LDAP returning, just
> the modcall: group authtype returns reject).

Yes, it is possible... When I access my LDAP server at https://ldap.server.com:636 I must install a CA certificate or a self-signed certificate on the client in order to access it. On FreeRADIUS I haven't configured this (I don't know how). I think modcall returns reject because it can't authenticate the SSL certificate presented by the LDAP server.

Has anyone been able to use RADIUS + SSL + LDAP with FreeRADIUS?

__
Paco Orozco ([EMAIL PROTECTED])
Telecommunications Division
UPCNet
Edifici Vèrtex - Pl. Eusebi Güell, 6
Switchboard telephone: 93.40.11600

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: RADIUS + LDAP + SSL
"Ron Wahler" <[EMAIL PROTECTED]> wrote: > Would the following error indicate FR can't find the tls module. No, it looks to me more like the LDAP server you're using doesn't support TLS. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: RADIUS + LDAP + SSL
Would the following error indicate FR can't find the tls module? I have installed the library files built by OpenSSL into the lib directory FR looks in. Is there something in radiusd.conf I need to set up?

radiusd.conf:

port = 389
start_tls = yes
tls_mode = yes

rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 198.11.7.37:389, authentication 0
rlm_ldap: setting TLS mode to 4
rlm_ldap: starting TLS
rlm_ldap: ldap_start_tls_s()
rlm_ldap: could not start TLS Critical extension is unavailable
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed

thanks,
Ron.
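The error line in Ron's log and Alan's reading of it ("the LDAP server you're using doesn't support TLS") come down to one LDAP wire exchange, so here is an added example, not code from the thread or from FreeRADIUS or OpenLDAP, that encodes the StartTLS ExtendedRequest which ldap_start_tls_s() sends and decodes the ExtendedResponse a directory returns. A server that does not implement the StartTLS extension answers with resultCode 12 (unavailableCriticalExtension), and "Critical extension is unavailable" is the text OpenLDAP's client library prints for that code. The server reply below is constructed locally to exercise the parser offline; the tag constants follow RFC 4511 and the result-code names are assumptions only in the sense that this small table is a subset.

```python
"""
Added example (not from the thread, FreeRADIUS or OpenLDAP): minimal BER
encoding of the LDAP StartTLS extended operation and decoding of the reply,
to show what "could not start TLS Critical extension is unavailable" means
on the wire.
"""

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # StartTLS extended operation (RFC 4511)

# Subset of LDAP result codes relevant to a StartTLS attempt (RFC 4511, Appendix A).
RESULT_CODES = {0: "success", 2: "protocolError", 12: "unavailableCriticalExtension",
                52: "unavailable", 53: "unwillingToPerform"}
# What OpenLDAP's ldap_err2string() prints for the same codes.
OPENLDAP_TEXT = {0: "Success", 2: "Protocol error", 12: "Critical extension is unavailable",
                 52: "Server is unavailable", 53: "Server is unwilling to perform"}

TAG_SEQUENCE, TAG_INTEGER, TAG_ENUMERATED, TAG_OCTET_STRING = 0x30, 0x02, 0x0A, 0x04
TAG_EXTENDED_REQUEST = 0x77   # [APPLICATION 23], constructed
TAG_EXTENDED_RESPONSE = 0x78  # [APPLICATION 24], constructed
TAG_REQUEST_NAME = 0x80       # [0] requestName inside ExtendedRequest
TAG_RESPONSE_NAME = 0x8A      # [10] responseName inside ExtendedResponse


def ber_length(n):
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_length(len(payload)) + payload


def ber_int(value):
    """Minimal two's-complement integer, as BER requires."""
    return value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True)


def build_starttls_request(message_id=1):
    """LDAPMessage { messageID, extendedReq { requestName = StartTLS OID } }."""
    op = tlv(TAG_EXTENDED_REQUEST, tlv(TAG_REQUEST_NAME, STARTTLS_OID.encode("ascii")))
    return tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, ber_int(message_id)) + op)


def build_extended_response(message_id, result_code, diagnostic="", response_name=None):
    """Constructed server reply (used here instead of a live directory)."""
    body = tlv(TAG_ENUMERATED, ber_int(result_code))
    body += tlv(TAG_OCTET_STRING, b"")                        # matchedDN, empty
    body += tlv(TAG_OCTET_STRING, diagnostic.encode("utf-8"))  # diagnosticMessage
    if response_name:
        body += tlv(TAG_RESPONSE_NAME, response_name.encode("ascii"))
    return tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, ber_int(message_id)) + tlv(TAG_EXTENDED_RESPONSE, body))


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the BER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end


def parse_extended_response(msg):
    """Decode an LDAPMessage carrying an ExtendedResponse; raise on anything else."""
    tag, body, _ = read_tlv(msg)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(body)
    tag, op, _ = read_tlv(body, pos)
    if tag != TAG_EXTENDED_RESPONSE:
        raise ValueError(f"expected ExtendedResponse, got tag 0x{tag:02x}")
    _, code, pos = read_tlv(op)          # resultCode
    _, _matched_dn, pos = read_tlv(op, pos)
    _, diag, pos = read_tlv(op, pos)
    result_code = int.from_bytes(code, "big", signed=True)
    response_name = None
    while pos < len(op):                 # optional referral / responseName / responseValue
        tag, val, pos = read_tlv(op, pos)
        if tag == TAG_RESPONSE_NAME:
            response_name = val.decode("ascii")
    return {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "result_code": result_code,
        "result_name": RESULT_CODES.get(result_code, f"unknown({result_code})"),
        "client_error_text": OPENLDAP_TEXT.get(result_code, f"code {result_code}"),
        "diagnostic": diag.decode("utf-8", "replace"),
        "response_name": response_name,
        # Only on success does the client go on to run the TLS handshake on the same socket.
        "tls_started": result_code == 0,
    }


if __name__ == "__main__":
    print("StartTLS request:", build_starttls_request(1).hex())
    # Constructed reply from a directory that does not implement StartTLS.
    info = parse_extended_response(build_extended_response(1, 12, "unsupported extended operation"))
    print(f"could not start TLS {info['client_error_text']} ({info['result_name']})")
```

The practical consequence for this thread: StartTLS is an in-band upgrade on the cleartext port (389), so start_tls only makes sense there and only against a directory that advertises the extension; port 636 is already TLS from the first byte and gets no ExtendedRequest at all.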
Re: RADIUS + LDAP + SSL
I realize the second bind is for authentication. However, it's trying to bind as Usuari instead of the numeric UserID mentioned elsewhere in your log. It looks like this might be related to some sort of group authentication. It also looks like the LDAP bind doesn't return failure, but simply times out. (Note there is no mention of LDAP returning, just the modcall: group authtype returns reject).

Owen

--On Wednesday, June 25, 2003 1:07 PM +0200 "Francisco Orozco/Upcnet" <[EMAIL PROTECTED]> wrote:

> Hi Owen,
>
>> rlm_ldap: (re)connect to albinoni.upc.es:636, authentication 0
>>
>> is a line that says:
>>
>> rlm_ldap: setting TLS mode to 1
>>
>> This leads me to believe that it is trying to start TLS as well, but I could be wrong. I haven't read through the code carefully.
>
> It always puts (re)connect in the log; I think this is normal behaviour. If you see my logs, in both tests, when I use LDAP and when I use LDAPS, it logs (re)connect. The only difference between the LDAP test and the LDAPS test is that in the second it tries to connect twice; see my logs...
>
>>> rlm_ldap: attempting LDAP reconnection
>>> rlm_ldap: (re)connect to albinoni.upc.es:636, authentication 0
>
> It connects once, and searches for the user who is attempting remote access.
>
>>> rlm_ldap: setting TLS mode to 1
>>> rlm_ldap: bind as / to albinoni.upc.es:636
>>> rlm_ldap: waiting for bind result ...
>>> rlm_ldap: performing search in o=LCX, with filter (uid=0010)
>>> rlm_ldap: looking for check items in directory...
>>> rlm_ldap: looking for reply items in directory...
>>> rlm_ldap: user 0010 authorized to use remote access
>>> ldap_release_conn: Release Id: 0
>>> modcall[authorize]: module "ldap" returns ok
>
> It finds him; now it tries to authenticate.
>
>>> modcall: group authorize returns ok
>>> rad_check_password: Found Auth-Type LDAP
>>> auth: type "LDAP"
>>> modcall: entering group authtype
>>> rlm_ldap: - authenticate
>>> rlm_ldap: login attempt by "0010" with password "hola123"
>>> rlm_ldap: user DN: CN=Usuari Proves10,O=LCX
>>> rlm_ldap: (re)connect to albinoni.upc.es:636, authentication 1
>>> rlm_ldap: setting TLS mode to 1
>>> rlm_ldap: bind as CN=Usuari Proves10,O=LCX/hola123 to albinoni.upc.es:636
>>> rlm_ldap: waiting for bind result ...
>>> modcall[authenticate]: module "ldap" returns reject
>>> modcall: group authtype returns reject
>>> auth: Failed to validate the user.
>
> It can't authenticate the user, and it rejects... Uhm... I don't know how to configure it... and where the problem is...
>
>> Also, I'm not sure why it's trying to bind as Usuari in the second bind. It looks like the bind didn't return and the module returned reject due to timeout, so it might be that with SSL your LDAP server isn't responding
>
> Uhmm... I think that isn't the problem... The second bind is for authentication.
>
> __
> Paco Orozco ([EMAIL PROTECTED])
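Owen's diagnosis rests on reading the debug output closely: after "waiting for bind result ..." the port-389 run logs "authenticated succesfully", while the port-636 authentication bind is followed directly by the module returning reject, with no answer from the directory in between. The following is an added example, not code from the thread or from FreeRADIUS, that makes that reading mechanical: it walks rlm_ldap debug lines, pairs each (re)connect/bind/wait sequence with what came back, and flags a StartTLS mode being set on the LDAPS port. The two sample logs are constructed from the lines quoted in this thread (host, DN and user are the thread's own); the wording it matches for an explicit bind failure is an assumption, since no such line appears in the thread.

```python
"""
Added example (not from the thread or FreeRADIUS): pair rlm_ldap bind attempts
in debug output with the directory's answer, to spot binds that were never
answered before the module gave up.
"""
import re

# Constructed sample from the thread's port-636 run, trimmed to rlm_ldap/modcall lines.
# Debug output prints the cleartext password; scrub it before sharing such logs.
SAMPLE_LOG_636 = """\
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to albinoni.upc.es:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: bind as / to albinoni.upc.es:636
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in o=LCX, with filter (uid=0010)
rlm_ldap: user 0010 authorized to use remote access
modcall[authorize]: module "ldap" returns ok
rlm_ldap: - authenticate
rlm_ldap: login attempt by "0010" with password "hola123"
rlm_ldap: user DN: CN=Usuari Proves10,O=LCX
rlm_ldap: (re)connect to albinoni.upc.es:636, authentication 1
rlm_ldap: setting TLS mode to 1
rlm_ldap: bind as CN=Usuari Proves10,O=LCX/hola123 to albinoni.upc.es:636
rlm_ldap: waiting for bind result ...
modcall[authenticate]: module "ldap" returns reject
modcall: group authtype returns reject
auth: Failed to validate the user.
"""

# Constructed sample from the thread's working port-389 run (authenticate phase only).
SAMPLE_LOG_389 = """\
rlm_ldap: - authenticate
rlm_ldap: login attempt by "0010" with password "hola123"
rlm_ldap: user DN: CN=Usuari Proves10,O=LCX
rlm_ldap: (re)connect to albinoni.upc.es:389, authentication 1
rlm_ldap: bind as CN=Usuari Proves10,O=LCX/hola123 to albinoni.upc.es:389
rlm_ldap: waiting for bind result ...
rlm_ldap: user 0010 authenticated succesfully
modcall[authenticate]: module "ldap" returns ok
"""

RECONNECT = re.compile(r"rlm_ldap: \(re\)connect to (?P<host>[^:]+):(?P<port>\d+), authentication (?P<auth>\d)")
TLS_MODE = re.compile(r"rlm_ldap: setting TLS mode to (\d+)")
BIND_AS = re.compile(r"rlm_ldap: bind as (?P<who>.*?) to ")
WAITING = "rlm_ldap: waiting for bind result"
# A search can only run, and a user can only be "authenticated", after the bind completed.
BIND_OK = re.compile(r"rlm_ldap: (user \S+ authenticated succes+fully|performing search)")
BIND_FAILED = re.compile(r"rlm_ldap: .*(bind failed|login failed|invalid credentials)", re.I)  # assumed wording
MODULE_RESULT = re.compile(r'modcall\[(authorize|authenticate)\]: module "ldap" returns (\w+)')

ANSWERED_OK = "directory answered: bind succeeded"
ANSWERED_FAIL = "directory answered: bind failed"
NO_ANSWER = "module returned {} with no bind result logged (timeout or failed TLS handshake)"


def analyze(log):
    """Return one record per (re)connect, describing the bind made on it and its outcome."""
    binds, current = [], None
    for raw in log.splitlines():
        line = raw.strip()
        m = RECONNECT.match(line)
        if m:
            current = {"host": m["host"], "port": int(m["port"]), "authentication": int(m["auth"]),
                       "starttls": False, "bind_dn": None, "waiting": False, "outcome": "no bind attempted"}
            binds.append(current)
            continue
        if current is None:
            continue
        if TLS_MODE.match(line):
            current["starttls"] = True
        elif (m := BIND_AS.match(line)):
            # "bind as DN/password to host": keep the DN only, never the password.
            current["bind_dn"] = m["who"].split("/", 1)[0] or "<anonymous>"
            current["outcome"] = "bind sent"
        elif line.startswith(WAITING):
            current["waiting"] = True
        elif current["waiting"] and BIND_OK.match(line):
            current["outcome"], current["waiting"] = ANSWERED_OK, False
        elif current["waiting"] and BIND_FAILED.match(line):
            current["outcome"], current["waiting"] = ANSWERED_FAIL, False
        elif (m := MODULE_RESULT.match(line)):
            if current["waiting"]:
                current["outcome"], current["waiting"] = NO_ANSWER.format(m[2]), False
            current = None  # the module call that owned this connection is over
    for b in binds:
        b.pop("waiting")
    return binds


def findings(binds):
    """Human-readable warnings: StartTLS on the LDAPS port, and binds that got no answer."""
    notes = []
    for i, b in enumerate(binds, 1):
        if b["port"] == 636 and b["starttls"]:
            notes.append(f"bind {i}: TLS mode set on port 636, which already speaks TLS; "
                         f"use start_tls only with port 389")
        if b["outcome"].startswith("module returned"):
            notes.append(f"bind {i} as {b['bind_dn']}: {b['outcome']}")
    return notes


if __name__ == "__main__":
    for name, log in (("port 389", SAMPLE_LOG_389), ("port 636", SAMPLE_LOG_636)):
        print(name)
        for b in analyze(log):
            print(f"  auth={b['authentication']} bind as {b['bind_dn']}: {b['outcome']}")
        for note in findings(analyze(log)):
            print("  !", note)
```

Run against the two runs, the authorize-phase anonymous bind on 636 is answered (the search proceeds), and only the authentication bind as the user's DN is left hanging, which is the asymmetry Paco noticed ("it can do the first filter") and Owen interpreted as a timeout.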
Re: RADIUS + LDAP + SSL
Hi Owen,

> rlm_ldap: (re)connect to albinoni.upc.es:636, authentication 0
>
> is a line that says:
>
> rlm_ldap: setting TLS mode to 1
>
> This leads me to believe that it is trying to start TLS as well, but I could be wrong. I haven't read through the code carefully.

It always puts (re)connect in the log; I think this is normal behaviour. If you see my logs, in both tests, when I use LDAP and when I use LDAPS, it logs (re)connect. The only difference between the LDAP test and the LDAPS test is that in the second it tries to connect twice; see my logs...

>> rlm_ldap: attempting LDAP reconnection
>> rlm_ldap: (re)connect to albinoni.upc.es:636, authentication 0

It connects once, and searches for the user who is attempting remote access.

>> rlm_ldap: setting TLS mode to 1
>> rlm_ldap: bind as / to albinoni.upc.es:636
>> rlm_ldap: waiting for bind result ...
>> rlm_ldap: performing search in o=LCX, with filter (uid=0010)
>> rlm_ldap: looking for check items in directory...
>> rlm_ldap: looking for reply items in directory...
>> rlm_ldap: user 0010 authorized to use remote access
>> ldap_release_conn: Release Id: 0
>> modcall[authorize]: module "ldap" returns ok

It finds him; now it tries to authenticate.

>> modcall: group authorize returns ok
>> rad_check_password: Found Auth-Type LDAP
>> auth: type "LDAP"
>> modcall: entering group authtype
>> rlm_ldap: - authenticate
>> rlm_ldap: login attempt by "0010" with password "hola123"
>> rlm_ldap: user DN: CN=Usuari Proves10,O=LCX
>> rlm_ldap: (re)connect to albinoni.upc.es:636, authentication 1
>> rlm_ldap: setting TLS mode to 1
>> rlm_ldap: bind as CN=Usuari Proves10,O=LCX/hola123 to albinoni.upc.es:636
>> rlm_ldap: waiting for bind result ...
>> modcall[authenticate]: module "ldap" returns reject
>> modcall: group authtype returns reject
>> auth: Failed to validate the user.

It can't authenticate the user, and it rejects... Uhm... I don't know how to configure it... and where the problem is...

> Also, I'm not sure why it's trying to bind as Usuari in the second bind. It looks like the bind didn't return and the module returned reject due to timeout, so it might be that with SSL your LDAP server isn't responding

Uhmm... I think that isn't the problem... The second bind is for authentication.

__
Paco Orozco ([EMAIL PROTECTED])
Re: RADIUS + LDAP + SSL
Well... Right after

rlm_ldap: (re)connect to albinoni.upc.es:636, authentication 0

is a line that says:

rlm_ldap: setting TLS mode to 1

This leads me to believe that it is trying to start TLS as well, but I could be wrong. I haven't read through the code carefully.

Also, I'm not sure why it's trying to bind as Usuari in the second bind. It looks like the bind didn't return and the module returned reject due to timeout, so it might be that with SSL your LDAP server isn't responding fast enough.

Owen

--On Monday, June 23, 2003 6:58 PM +0200 "Francisco Orozco/Upcnet" <[EMAIL PROTECTED]> wrote:

> Owen,
>
> I've got TLS disabled. But I think I may need to configure something in OpenSSL, isn't it?
>
> Thanks
>
> __
> Paco Orozco ([EMAIL PROTECTED])
>
> [EMAIL PROTECTED] wrote on 23/06/2003 16:08:35:
>
>> If you're using Port 636, you probably need to set TLS off. I'm not sure starting TLS over SSL works. Even if it does, it's kind of redundant.
>>
>> Owen
>>
>> --On Monday, June 23, 2003 10:49 AM +0200 "Francisco Orozco/Upcnet" <[EMAIL PROTECTED]> wrote:
>>
>>> Hiya,
>>>
>>> Finally I've installed openSSL, but I think I'm forgetting something, because I can authenticate via LDAP over SSL.
>>>
>>> I've installed openSSL (openssl-0.9.7b).
>>> I've installed Freeradius (freeradius-0.8.1) as:
>>>
>>> tar -zxvf freeradius.tar.gz
>>> cd freeradius-0.8.1
>>> ./configure --prefix=/opt/freeradius
>>> make
>>> make install
>>>
>>> Then I configured radiusd.conf (see file below).
>>>
>>> First with port=389 (LDAP without SSL):
>>>
>>> rad_recv: Access-Request packet from host 127.0.0.1:32805, id=90, length=60
>>> User-Name = "0010"
>>> User-Password = "hola123"
>>> NAS-IP-Address = 255.255.255.255
>>> NAS-Port = 1
>>> rad_lowerpair: User-Name now '0010'
>>> rad_lowerpair: User-Password now 'hola123'
>>> modcall: entering group authorize
>>> rlm_ldap: - authorize
>>> rlm_ldap: performing user authorization for 0010
>>> radius_xlat: '(uid=0010)'
>>> radius_xlat: 'o=LCX'
>>> ldap_get_conn: Got Id: 0
>>> rlm_ldap: performing search in o=LCX, with filter (uid=0010)
>>> rlm_ldap: looking for check items in directory...
>>> rlm_ldap: looking for reply items in directory...
>>> rlm_ldap: user 0010 authorized to use remote access
>>> ldap_release_conn: Release Id: 0
>>> modcall[authorize]: module "ldap" returns ok
>>> modcall: group authorize returns ok
>>> rad_check_password: Found Auth-Type LDAP
>>> auth: type "LDAP"
>>> modcall: entering group authtype
>>> rlm_ldap: - authenticate
>>> rlm_ldap: login attempt by "0010" with password "hola123"
>>> rlm_ldap: user DN: CN=Usuari Proves10,O=LCX
>>> rlm_ldap: (re)connect to albinoni.upc.es:389, authentication 1
>>> rlm_ldap: bind as CN=Usuari Proves10,O=LCX/hola123 to albinoni.upc.es:389
>>> rlm_ldap: waiting for bind result ...
>>> rlm_ldap: user 0010 authenticated succesfully
>>> modcall[authenticate]: module "ldap" returns ok
>>> modcall: group authtype returns ok
>>> Sending Access-Accept of id 90 to 127.0.0.1:32805
>>>
>>> It works great. I can authenticate without any problem.
>>>
>>> Now I'll try with LDAP over SSL; as you can see I haven't installed any self-signed or CA certificate, but I can't see any message about it.
>>>
>>> Now port=636:
>>>
>>> rad_recv: Access-Request packet from host 127.0.0.1:32806, id=100, length=60
>>> User-Name = "0010"
>>> User-Password = "hola123"
>>> NAS-IP-Address = 255.255.255.255
>>> NAS-Port = 1
>>> rad_lowerpair: User-Name now '0010'
>>> rad_lowerpair: User-Password now 'hola123'
>>> modcall: entering group authorize
>>> rlm_ldap: - authorize
>>> rlm_ldap: performing user authorization for 0010
>>> radius_xlat: '(uid=0010)'
>>> radius_xlat: 'o=LCX'
>>> ldap_get_conn: Got Id: 0
>>> rlm_ldap: attempting LDAP reconnection
>>> rlm_ldap: (re)connect to albinoni.upc.es:636, authentication 0
>>> rlm_ldap: setting TLS mode to 1
>>> rlm_ldap: bind as / to albinoni.upc.es:636
>>> rlm_ldap: waiting for bind result ...
>>> rlm_ldap: performing search in o=LCX, with filter (uid=0010)
>>> rlm_ldap: looking for check items in directory...
>>> rlm_ldap: looking for reply items in directory...
>>> rlm_ldap: user 0010 authorized to use remote access
>>> ldap_release_conn: Release Id: 0
>>> modcall[authorize]: module "ldap" returns ok
>>> modcall: group authorize returns ok
>>> rad_check_password: Found Auth-Type LDAP
>>> auth: type "LDAP"
>>> modcall: entering group authtype
>>> rlm_ldap: - authenticate
>>> rlm_ldap: login attempt by "0010" with password "hola123"
>>> rlm_ldap: user DN: CN=Usuari Proves10,O=LCX
>>> rlm_ldap: (re)connect to albinoni.upc.es:636, authentication 1
>>> rlm_ldap: setting TLS mode to 1
>>> rlm_ldap: bind as CN=Usuari Proves10,O=LCX/hola123 to albinoni.upc.es:636
>>> rlm_ldap: waiting for bind result ...
>>> modcall[authenticate]: module "ldap" returns reject
>>> modcall: group authtype returns reject
>>> auth: Failed to validate the user.
>>> Delaying request
Re: RADIUS + LDAP + SSL
Owen,

I've got TLS disabled. But I think I may need to configure something in OpenSSL, isn't it?

Thanks

__
Paco Orozco ([EMAIL PROTECTED])

[EMAIL PROTECTED] wrote on 23/06/2003 16:08:35:

> If you're using Port 636, you probably need to set TLS off. I'm not sure starting TLS over SSL works. Even if it does, it's kind of redundant.
>
> Owen
>
> --On Monday, June 23, 2003 10:49 AM +0200 "Francisco Orozco/Upcnet" <[EMAIL PROTECTED]> wrote:
>
>> Hiya,
>>
>> Finally I've installed openSSL, but I think I'm forgetting something, because I can authenticate via LDAP over SSL.
>>
>> I've installed openSSL (openssl-0.9.7b).
>> I've installed Freeradius (freeradius-0.8.1) as:
>>
>> tar -zxvf freeradius.tar.gz
>> cd freeradius-0.8.1
>> ./configure --prefix=/opt/freeradius
>> make
>> make install
>>
>> Then I configured radiusd.conf (see file below).
>>
>> First with port=389 (LDAP without SSL):
>>
>> rad_recv: Access-Request packet from host 127.0.0.1:32805, id=90, length=60
>> User-Name = "0010"
>> User-Password = "hola123"
>> NAS-IP-Address = 255.255.255.255
>> NAS-Port = 1
>> rad_lowerpair: User-Name now '0010'
>> rad_lowerpair: User-Password now 'hola123'
>> modcall: entering group authorize
>> rlm_ldap: - authorize
>> rlm_ldap: performing user authorization for 0010
>> radius_xlat: '(uid=0010)'
>> radius_xlat: 'o=LCX'
>> ldap_get_conn: Got Id: 0
>> rlm_ldap: performing search in o=LCX, with filter (uid=0010)
>> rlm_ldap: looking for check items in directory...
>> rlm_ldap: looking for reply items in directory...
>> rlm_ldap: user 0010 authorized to use remote access
>> ldap_release_conn: Release Id: 0
>> modcall[authorize]: module "ldap" returns ok
>> modcall: group authorize returns ok
>> rad_check_password: Found Auth-Type LDAP
>> auth: type "LDAP"
>> modcall: entering group authtype
>> rlm_ldap: - authenticate
>> rlm_ldap: login attempt by "0010" with password "hola123"
>> rlm_ldap: user DN: CN=Usuari Proves10,O=LCX
>> rlm_ldap: (re)connect to albinoni.upc.es:389, authentication 1
>> rlm_ldap: bind as CN=Usuari Proves10,O=LCX/hola123 to albinoni.upc.es:389
>> rlm_ldap: waiting for bind result ...
>> rlm_ldap: user 0010 authenticated succesfully
>> modcall[authenticate]: module "ldap" returns ok
>> modcall: group authtype returns ok
>> Sending Access-Accept of id 90 to 127.0.0.1:32805
>>
>> It works great. I can authenticate without any problem.
>>
>> Now I'll try with LDAP over SSL; as you can see I haven't installed any self-signed or CA certificate, but I can't see any message about it.
>>
>> Now port=636:
>>
>> rad_recv: Access-Request packet from host 127.0.0.1:32806, id=100, length=60
>> User-Name = "0010"
>> User-Password = "hola123"
>> NAS-IP-Address = 255.255.255.255
>> NAS-Port = 1
>> rad_lowerpair: User-Name now '0010'
>> rad_lowerpair: User-Password now 'hola123'
>> modcall: entering group authorize
>> rlm_ldap: - authorize
>> rlm_ldap: performing user authorization for 0010
>> radius_xlat: '(uid=0010)'
>> radius_xlat: 'o=LCX'
>> ldap_get_conn: Got Id: 0
>> rlm_ldap: attempting LDAP reconnection
>> rlm_ldap: (re)connect to albinoni.upc.es:636, authentication 0
>> rlm_ldap: setting TLS mode to 1
>> rlm_ldap: bind as / to albinoni.upc.es:636
>> rlm_ldap: waiting for bind result ...
>> rlm_ldap: performing search in o=LCX, with filter (uid=0010)
>> rlm_ldap: looking for check items in directory...
>> rlm_ldap: looking for reply items in directory...
>> rlm_ldap: user 0010 authorized to use remote access
>> ldap_release_conn: Release Id: 0
>> modcall[authorize]: module "ldap" returns ok
>> modcall: group authorize returns ok
>> rad_check_password: Found Auth-Type LDAP
>> auth: type "LDAP"
>> modcall: entering group authtype
>> rlm_ldap: - authenticate
>> rlm_ldap: login attempt by "0010" with password "hola123"
>> rlm_ldap: user DN: CN=Usuari Proves10,O=LCX
>> rlm_ldap: (re)connect to albinoni.upc.es:636, authentication 1
>> rlm_ldap: setting TLS mode to 1
>> rlm_ldap: bind as CN=Usuari Proves10,O=LCX/hola123 to albinoni.upc.es:636
>> rlm_ldap: waiting for bind result ...
>> modcall[authenticate]: module "ldap" returns reject
>> modcall: group authtype returns reject
>> auth: Failed to validate the user.
>> Delaying request 0 for 1 seconds
>> Finished request 0
>>
>> I think RADIUS can connect to the LDAP server over SSL, because it can do the first filter, but when it tries to authenticate it is missing something...
>>
>> More help! :-)
>>
>> __
>> Paco Orozco ([EMAIL PROTECTED])
Re: RADIUS + LDAP + SSL
If you're using Port 636, you probably need to set TLS off. I'm not sure starting TLS over SSL works. Even if it does, it's kind of redundant.

Owen

--On Monday, June 23, 2003 10:49 AM +0200 "Francisco Orozco/Upcnet" <[EMAIL PROTECTED]> wrote:

> Hiya,
>
> Finally I've installed openSSL, but I think I'm forgetting something, because I can authenticate via LDAP over SSL.
>
> I've installed openSSL (openssl-0.9.7b).
> I've installed Freeradius (freeradius-0.8.1) as:
>
> tar -zxvf freeradius.tar.gz
> cd freeradius-0.8.1
> ./configure --prefix=/opt/freeradius
> make
> make install
>
> Then I configured radiusd.conf (see file below).
>
> First with port=389 (LDAP without SSL):
>
> rad_recv: Access-Request packet from host 127.0.0.1:32805, id=90, length=60
> User-Name = "0010"
> User-Password = "hola123"
> NAS-IP-Address = 255.255.255.255
> NAS-Port = 1
> rad_lowerpair: User-Name now '0010'
> rad_lowerpair: User-Password now 'hola123'
> modcall: entering group authorize
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for 0010
> radius_xlat: '(uid=0010)'
> radius_xlat: 'o=LCX'
> ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in o=LCX, with filter (uid=0010)
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user 0010 authorized to use remote access
> ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns ok
> modcall: group authorize returns ok
> rad_check_password: Found Auth-Type LDAP
> auth: type "LDAP"
> modcall: entering group authtype
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "0010" with password "hola123"
> rlm_ldap: user DN: CN=Usuari Proves10,O=LCX
> rlm_ldap: (re)connect to albinoni.upc.es:389, authentication 1
> rlm_ldap: bind as CN=Usuari Proves10,O=LCX/hola123 to albinoni.upc.es:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: user 0010 authenticated succesfully
> modcall[authenticate]: module "ldap" returns ok
> modcall: group authtype returns ok
> Sending Access-Accept of id 90 to 127.0.0.1:32805
>
> It works great. I can authenticate without any problem.
>
> Now I'll try with LDAP over SSL; as you can see I haven't installed any self-signed or CA certificate, but I can't see any message about it.
>
> Now port=636:
>
> rad_recv: Access-Request packet from host 127.0.0.1:32806, id=100, length=60
> User-Name = "0010"
> User-Password = "hola123"
> NAS-IP-Address = 255.255.255.255
> NAS-Port = 1
> rad_lowerpair: User-Name now '0010'
> rad_lowerpair: User-Password now 'hola123'
> modcall: entering group authorize
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for 0010
> radius_xlat: '(uid=0010)'
> radius_xlat: 'o=LCX'
> ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to albinoni.upc.es:636, authentication 0
> rlm_ldap: setting TLS mode to 1
> rlm_ldap: bind as / to albinoni.upc.es:636
> rlm_ldap: waiting for bind result ...
> rlm_ldap: performing search in o=LCX, with filter (uid=0010)
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user 0010 authorized to use remote access
> ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns ok
> modcall: group authorize returns ok
> rad_check_password: Found Auth-Type LDAP
> auth: type "LDAP"
> modcall: entering group authtype
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "0010" with password "hola123"
> rlm_ldap: user DN: CN=Usuari Proves10,O=LCX
> rlm_ldap: (re)connect to albinoni.upc.es:636, authentication 1
> rlm_ldap: setting TLS mode to 1
> rlm_ldap: bind as CN=Usuari Proves10,O=LCX/hola123 to albinoni.upc.es:636
> rlm_ldap: waiting for bind result ...
> modcall[authenticate]: module "ldap" returns reject
> modcall: group authtype returns reject
> auth: Failed to validate the user.
> Delaying request 0 for 1 seconds
> Finished request 0
>
> I think RADIUS can connect to the LDAP server over SSL, because it can do the first filter, but when it tries to authenticate it is missing something...
>
> More help! :-)
>
> __
> Paco Orozco ([EMAIL PROTECTED])