(RADIATOR) AuthLDAP2, missing manual pages and problems with UseTLS

Karl Gaissmaier karl.gaissmaier at rz.uni-ulm.de
Wed Jul 3 11:55:48 CDT 2002


Hi Mike,

got the solution for the StartTLS problem with AuthLDAP2:

Karl Gaissmaier schrieb:
> 
> Hi Mike or Hugh,
> 
> I'd like to use AuthLDAP2 with StartTLS. I can't find any doku
> in the reference manual but in the code I find the parameters.
> 
> Anyway, if I try it with:
> 
> <Handler Client-Identifier=localhost, Called-Station-Id=DIALIN>
>         <AuthBy LDAP2>
>                 Host                    xxx.yyy.uni-ulm.de
>                 Port                    zzzz
>                 Version                 3
>                 UseTLS
>                 SSLVerify               none
>                 AuthDN                  cn=foo,ou=bar,ou=baz,dc=uni-ulm,dc=de
>                 AuthPassword            mysecret
>                 NoDefault
>                 BaseDN                  ou=foo,dc=uni-ulm,dc=de
>                 Scope                   one
>                 UsernameAttr            uid
>                 PasswordAttr            userpassword
>         </AuthBy>
> </Handler>
> 
> I get the following error:
> 
> Mon Jul  1 17:08:32 2002: DEBUG: Handling request with Handler
> 'Client-Identifier=localhost, Called-
> Station-Id=DIALIN'
> Mon Jul  1 17:08:32 2002: DEBUG:  Deleting session for dialin, 0.0.0.0, 0
> Mon Jul  1 17:08:32 2002: DEBUG: Handling with Radius::AuthLDAP2:
> Mon Jul  1 17:08:32 2002: INFO: Connecting to frago.rz.uni-ulm.de, port 9999
> Mon Jul  1 17:08:32 2002: DEBUG: Starting TLS
> Mon Jul  1 17:08:32 2002: ERR: StartTLS failed: Operations error

the problem is with inconsistencies between the newest versions of 
IO::Socket::SSL and net-ldap as it is already discussed in the
perl-ldap-dev mailinglist.

I downgraded to IO::Socket::SSL 0.80 and it works so far:

Wed Jul  3 18:36:37 2002: DEBUG: Handling with Radius::AuthLDAP2:
Wed Jul  3 18:36:37 2002: INFO: Connecting to foo.bar.uni-ulm.de, port xyz
Wed Jul  3 18:36:37 2002: DEBUG: Starting TLS
Wed Jul  3 18:36:38 2002: INFO: StartTLS negotiated with cipher mode DES-CBC3-SHA
Wed Jul  3 18:36:38 2002: INFO: Attempting to bind with cn=xyzxyz,ou=baz
,ou=foo,dc=uni-ulm,dc=de, xyzxyz (server asdf.as.uni-ulm.de:9999)
Wed Jul  3 18:36:38 2002: DEBUG: LDAP got result for cn=xyzxyz,ou=baz,dc=uni-
ulm,dc=de
Wed Jul  3 18:36:38 2002: DEBUG: LDAP got userPassword: {CRYPT}.........
Wed Jul  3 18:36:38 2002: DEBUG: Radius::AuthLDAP2 looks for match with xyzxyz
Wed Jul  3 18:36:38 2002: DEBUG: Radius::AuthLDAP2 ACCEPT:
Wed Jul  3 18:36:38 2002: DEBUG: Access accepted for xyzxyz

the relevant radiator config file snippet is (no other things must be
configured dealing with certs and keys):

                Version                 3
                UseTLS
                SSLVerify               none
                SSLCAFile

I use verify=none, cause I will not check in the moment the server certificate.
Anyway I have to set the argument SSLCAFile with an empty value, elsewhere
the radiator crashes with the following error message:

Can't call method "get_context_handle" without a package or object reference
at /radiator/perl/lib/site_perl/5.6.1/IO/Socket/SSL.pm line 602.


I think this could be corrected by Mike with an proper SSLCAFile empty default
value, if the SSLVerify is "none" or better validation of the config input before
calling the underlying modules like Net::LDAP and Net::LDAPS.

Regards
	Charly


-- 
Karl Gaissmaier          Computing Center,University of Ulm,Germany
Email:karl.gaissmaier at rz.uni-ulm.de          Network Administration
Tel.: ++49 731 50-22499
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.


More information about the radiator mailing list