Re: authenticating to ldaps/tls

2009-02-12 Thread Thibault Le Meur

Peter Param wrote:

> Hi all,
>
> I'm trying to authenticate to a LDAPS backend but failing.  Any suggestions?

Is it an LDAP server answering on LDAPS connections (LDAP+SSL on port
636) or an LDAP server answering on LDAP connections that are then
secured by Start-TLS (LDAP on port 389 + Start-TLS)?

These are 2 different options.



> ldap people_search {
> server = ldap1.stvincents.com.au
> port = 636


== This implies an ldaps server


> identity = cn=admin,o=org,c=au
> password = ***
> filter = (cn=%u)
> basedn = ou=people,ou=darlinghurst,ou=nsw,o=schs,c=au
> tls {
> tls_mode = yes
> # to the LDAP database by using the StartTLS extended
> # operation.
> #
> # The StartTLS operation is supposed to be
> # used with normal ldap connections instead of
> # using ldaps (port 689) connections
> start_tls = yes

== this is not compliant with an ldaps server
use start_tls=no

By the way, Alan and other Gurus, I think there is a small typo in the 
comment:


# using ldaps (port 689) connections

Should be

# using ldaps (port 636) connections


HTH,
Thibault
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
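The two connection modes Thibault distinguishes, written out as complete rlm_ldap blocks for FreeRADIUS 2.x. This is an added example, not configuration from the thread: the host name, base DN and file paths are placeholders, `require_cert = demand` is tightened from the thread's `allow`, and `tls_mode` is shown only with the LDAPS variant because that is the combination the thread itself uses; check the comments in your own raddb/modules/ldap for how your rlm_ldap version treats it with StartTLS.

```conf
# Variant A: LDAPS, i.e. TLS from the first byte on port 636.
# start_tls must be "no": StartTLS is an extended operation sent over an
# already-open plaintext LDAP session, so it cannot be issued on a port
# that is already speaking TLS.
ldap people_search {
    server   = ldap.example.com                 # placeholder host
    port     = 636
    identity = cn=admin,o=org,c=au
    password = ***
    filter   = (cn=%u)
    basedn   = ou=people,o=org,c=au             # placeholder base DN
    tls {
        tls_mode     = yes
        start_tls    = no                       # LDAPS: never StartTLS on 636
        cacertfile   = /etc/openssl/certs/ca.pem  # PEM, not a DER .cer
        cacertdir    = /etc/openssl/certs         # hashed (c_rehash) directory
        require_cert = demand                   # fail closed if the server cert does not verify
    }
}

# Variant B: plain LDAP on port 389, upgraded in-band with StartTLS.
ldap people_search {
    server   = ldap.example.com
    port     = 389
    identity = cn=admin,o=org,c=au
    password = ***
    filter   = (cn=%u)
    basedn   = ou=people,o=org,c=au
    tls {
        start_tls    = yes                      # StartTLS only makes sense on 389
        cacertfile   = /etc/openssl/certs/ca.pem
        cacertdir    = /etc/openssl/certs
        require_cert = demand
    }
}
```

In both variants the directory named by `cacertdir` must be readable by the unprivileged user radiusd runs as, and `require_cert = demand` is what actually makes a bad or unverifiable server certificate a hard failure rather than a warning.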

Re: authenticating to ldaps/tls

2009-02-12 Thread Peter Param
it is an LDAP server answering on LDAPS connections (LDAP+SSL on port 636)   
...but it also supports the latter even tho an acl is set to not allow port 389

use start_tls=no fails also, it seems to have a problem with the cert and/or 
cert directory:

rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap1.stvincents.com.au:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: could not set LDAP_OPT_X_TLS option Success
rlm_ldap: setting TLS CACert Directory to /etc/openssl/certs/
rlm_ldap: could not set LDAP_OPT_X_TLS_CACERTDIR option to /etc/openssl/certs/

cheers

Peter

**
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote also confirms that this email message has been virus
scanned and although no viruses were detected by the system, St Vincents 
Mater Health Sydney accepts no liability for any consequential damage
resulting from email containing any computer viruses.

**

Re: authenticating to ldaps/tls

2009-02-12 Thread Thibault Le Meur

Peter Param wrote:

> it is an LDAP server answering on LDAPS connections (LDAP+SSL on port 636)
> ...but it also supports the latter even tho an acl is set to not allow port 389
>
> use start_tls=no fails also,

Maybe, but keep it to no




> it seems to have a problem with the cert and/or cert directory:
>
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to ldap1.stvincents.com.au:636, authentication 0
> rlm_ldap: setting TLS mode to 1
> rlm_ldap: could not set LDAP_OPT_X_TLS option Success
?? this is confusing... could that mean that your ldap library wasn't 
compiled with ssl support... I'm not sure
see 
http://www.mail-archive.com/freeradius-us...@lists.cistron.nl/msg09575.html 
(but this is a rather old post)



> rlm_ldap: setting TLS CACert Directory to /etc/openssl/certs/
> rlm_ldap: could not set LDAP_OPT_X_TLS_CACERTDIR option to /etc/openssl/certs/

> cacertfile= /etc/openssl/certs/SVMHS_CA_SSL_Server.cer

The doc states that tls_cacertfile is a PEM-encoded file: I think your
CAcert is a DER encoded one (extension .cer usually is).

> cacertdir = /etc/openssl/certs/

The doc states that tls_cacertdir is in hash format (see openssl verify)

Also check that the directory and files are accessible/readable by the 
user running the radius server.


My 2 cents,...
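The two file-level checks Thibault asks for, as an added shell example that is not part of the thread: is the CA file PEM or DER, and does the cacertdir directory carry the `<subject_hash>.N` links that OpenSSL (and therefore libldap's LDAP_OPT_X_TLS_CACERTDIR) looks up? All paths in the usage comments are placeholders for the reader's own files; the conversion, hashing and verification helpers assume the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the thread). A ".cer" file exported from a Windows
# or Novell CA is often DER, while tls_cacertfile wants PEM; and tls_cacertdir
# is only useful if it is an OpenSSL "hashed" directory. These helpers check
# and fix both conditions.

# Print PEM, DER or UNKNOWN for the certificate file given as $1.
cert_format() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo PEM
        return 0
    fi
    # A DER certificate is a bare ASN.1 SEQUENCE, so its first byte is 0x30.
    first=$(od -An -tx1 -N1 "$1" | tr -d ' \n')
    if [ "$first" = "30" ]; then
        echo DER
    else
        echo UNKNOWN
    fi
}

# Write a PEM copy of a DER certificate:  der_to_pem in.cer out.pem
der_to_pem() {
    openssl x509 -inform DER -in "$1" -outform PEM -out "$2"
}

# Give a directory of PEM certificates the hashed layout that openssl verify
# -CApath and LDAP_OPT_X_TLS_CACERTDIR expect: one <subject_hash>.N symlink
# per certificate, N counting up on hash collisions. This is what OpenSSL's
# own c_rehash script does.
hash_cacertdir() {
    dir="$1"
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        if [ "$(cert_format "$pem")" != PEM ]; then
            echo "skipping $pem: not PEM" >&2
            continue
        fi
        hash=$(openssl x509 -noout -subject_hash -in "$pem")
        n=0
        while [ -e "$dir/$hash.$n" ]; do n=$((n + 1)); done
        ln -s "$(basename "$pem")" "$dir/$hash.$n"
    done
}

# Verify a server certificate against the hashed directory, which is the same
# chain check libldap performs once require_cert = demand is set.
verify_against_dir() {
    openssl verify -CApath "$1" "$2"
}

# Check that user $1 (the account radiusd runs as) can read path $2. Needs
# root to switch user; a CA file only root can read is one of the causes
# Thibault lists for the CACERTDIR error.
readable_by() {
    su -s /bin/sh "$1" -c "test -r '$2'" 2>/dev/null
}

# Usage (run by hand; paths are placeholders):
#   cert_format /etc/openssl/certs/ca.cer                       # -> DER
#   der_to_pem  /etc/openssl/certs/ca.cer /etc/openssl/certs/ca.pem
#   hash_cacertdir /etc/openssl/certs
#   verify_against_dir /etc/openssl/certs ldap-server.pem
#   readable_by radiusd /etc/openssl/certs/ca.pem
```

`cert_format` deliberately looks at the bytes rather than the file extension, since the extension is exactly what misled here; once the file is PEM and the directory is hashed, `openssl verify -CApath` reproduces the check rlm_ldap will make, without restarting radiusd.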

Re: authenticating to ldaps/tls

2009-02-12 Thread Peter Param
>> use start_tls=no fails also,
> Maybe but keep it to no

did that, still fails with the same message


>> it seems to have a problem with the cert and/or cert directory:
>>
>> rlm_ldap: attempting LDAP reconnection
>> rlm_ldap: (re)connect to ldap1.stvincents.com.au:636, authentication 0
>> rlm_ldap: setting TLS mode to 1
>> rlm_ldap: could not set LDAP_OPT_X_TLS option Success
>
> ?? this is confusing... could that mean that your ldap library wasn't
> compiled with ssl support... I'm not sure
> see
> http://www.mail-archive.com/freeradius-us...@lists.cistron.nl/msg09575.html
> (but this is a rather old post)

The openssl version I'm using is:  OpenSSL 0.9.8i 15 Sep 2008


The CA certificate is valid for the ldap server because the client connects
when I test with...

openssl s_client -CAfile SVMHS_CA_SSL_Server.pem -connect ldap1.stvincents.com.au:636



Freeradius was compiled as follows:

/configure --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc
--localstatedir=/var --libdir=/usr/lib --includedir=/usr/include
--with-radacctdir=/var/log/freeradius/radacct --with-raddbdir=/etc/freeradius
--with-openssl-includes=/etc/include/openssl --with-openssl-libraries=/usr/lib  



cheers

Peter



authenticating to ldaps/tls

2009-02-11 Thread Peter Param
Hi all,

I'm trying to authenticate to a LDAPS backend but failing.  Any suggestions?

My freeradius version:
----------------------

radiusd: FreeRADIUS Version 2.1.1, for host i686-pc-linux-gnu, built on Nov 21 2008 at 07:54:33


My ldap module settings:
------------------------

ldap people_search {
server = ldap1.stvincents.com.au
port = 636
identity = cn=admin,o=org,c=au
password = ***
filter = (cn=%u)
basedn = ou=people,ou=darlinghurst,ou=nsw,o=schs,c=au
tls {
tls_mode = yes
# to the LDAP database by using the StartTLS extended
# operation.
#
# The StartTLS operation is supposed to be
# used with normal ldap connections instead of
# using ldaps (port 689) connections
start_tls = yes
cacertfile = /etc/openssl/certs/SVMHS_CA_SSL_Server.cer  (note: chained CA cert)
cacertdir = /etc/openssl/certs/
#certfile  = /etc/openssl/certs/spud-jr.cer
# keyfile   = /path/to/radius.key
# randfile  = /path/to/rnd

#  Certificate Verification requirements.  Can be:
#never (don't even bother trying)
#allow (try, but don't fail if the cerificate
#   can't be verified)
#demand (fail if the certificate doesn't verify.)
#
#   The default is allow
require_cert  = allow
}


-X output messages:
-------------------


[people_search] performing user authorization for pparam
[people_search] expand: (cn=%u) - (cn=pparam)
[people_search] expand: ou=people,ou=darlinghurst,ou=nsw,o=schs,c=au -
ou=people,ou=darlinghurst,ou=nsw,o=schs,c=au
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap1.stvincents.com.au:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: could not set LDAP_OPT_X_TLS option Success
rlm_ldap: setting TLS CACert File to /etc/openssl/certs/SVMHS_CA_SSL_Server.cer
rlm_ldap: could not set LDAP_OPT_X_TLS_CACERTFILE option to
/etc/openssl/certs/SVMHS_CA_SSL_Server.cer
rlm_ldap: setting TLS CACert Directory to /etc/openssl/certs/
rlm_ldap: could not set LDAP_OPT_X_TLS_CACERTDIR option to /etc/openssl/certs/
rlm_ldap: starting TLS
rlm_ldap: ldap_start_tls_s()
rlm_ldap: could not start TLS Success
rlm_ldap: (re)connection attempt failed
[people_search] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[people_search] returns fail
Using Post-Auth-Type Reject
  WARNING: Unknown value specified for Post-Auth-Type.  Cannot perform requested action.
Delaying reject of request 0 for 1 seconds
Going to the next request



