(RADIATOR) AuthLDAP2, missing manual pages and problems with UseTLS

Mike McCauley mikem at open.com.au
Wed Jul 3 17:29:22 CDT 2002


Hi Karl,

thanks for your report.

We have now made the default for SSLCAFile an empty string, as you suggested.

Thanks again for all your contributions.

Cheers.

On Thu, 4 Jul 2002 02:55, Karl Gaissmaier wrote:
> Hi Mike,
>
> got the solution for the StartTLS problem with AuthLDAP2:
>
> Karl Gaissmaier wrote:
> > Hi Mike or Hugh,
> >
> > I'd like to use AuthLDAP2 with StartTLS. I can't find any docs
> > in the reference manual but in the code I find the parameters.
> >
> > Anyway, if I try it with:
> >
> > <Handler Client-Identifier=localhost, Called-Station-Id=DIALIN>
> >         <AuthBy LDAP2>
> >                 Host                    xxx.yyy.uni-ulm.de
> >                 Port                    zzzz
> >                 Version                 3
> >                 UseTLS
> >                 SSLVerify               none
> >                 AuthDN                  cn=foo,ou=bar,ou=baz,dc=uni-ulm,dc=de
> >                 AuthPassword            mysecret
> >                 NoDefault
> >                 BaseDN                  ou=foo,dc=uni-ulm,dc=de
> >                 Scope                   one
> >                 UsernameAttr            uid
> >                 PasswordAttr            userpassword
> >         </AuthBy>
> > </Handler>
> >
> > I get the following error:
> >
> > Mon Jul  1 17:08:32 2002: DEBUG: Handling request with Handler 'Client-Identifier=localhost, Called-Station-Id=DIALIN'
> > Mon Jul  1 17:08:32 2002: DEBUG:  Deleting session for dialin, 0.0.0.0, 0
> > Mon Jul  1 17:08:32 2002: DEBUG: Handling with Radius::AuthLDAP2:
> > Mon Jul  1 17:08:32 2002: INFO: Connecting to frago.rz.uni-ulm.de, port 9999
> > Mon Jul  1 17:08:32 2002: DEBUG: Starting TLS
> > Mon Jul  1 17:08:32 2002: ERR: StartTLS failed: Operations error
>
> the problem is with inconsistencies between the newest versions of
> IO::Socket::SSL and net-ldap as it is already discussed in the
> perl-ldap-dev mailinglist.
>
> I downgraded to IO::Socket::SSL 0.80 and it works so far:
>
> Wed Jul  3 18:36:37 2002: DEBUG: Handling with Radius::AuthLDAP2:
> Wed Jul  3 18:36:37 2002: INFO: Connecting to foo.bar.uni-ulm.de, port xyz
> Wed Jul  3 18:36:37 2002: DEBUG: Starting TLS
> Wed Jul  3 18:36:38 2002: INFO: StartTLS negotiated with cipher mode DES-CBC3-SHA
> Wed Jul  3 18:36:38 2002: INFO: Attempting to bind with cn=xyzxyz,ou=baz,ou=foo,dc=uni-ulm,dc=de, xyzxyz (server asdf.as.uni-ulm.de:9999)
> Wed Jul  3 18:36:38 2002: DEBUG: LDAP got result for cn=xyzxyz,ou=baz,dc=uni-ulm,dc=de
> Wed Jul  3 18:36:38 2002: DEBUG: LDAP got userPassword: {CRYPT}.........
> Wed Jul  3 18:36:38 2002: DEBUG: Radius::AuthLDAP2 looks for match with xyzxyz
> Wed Jul  3 18:36:38 2002: DEBUG: Radius::AuthLDAP2 ACCEPT:
> Wed Jul  3 18:36:38 2002: DEBUG: Access accepted for xyzxyz
>
> the relevant radiator config file snippet is (no other things must be
> configured dealing with certs and keys):
>
>                 Version                 3
>                 UseTLS
>                 SSLVerify               none
>                 SSLCAFile
>
> I use verify=none, because I will not check the server certificate at
> the moment. Anyway, I have to set the argument SSLCAFile with an empty
> value, otherwise Radiator crashes with the following error message:
>
> Can't call method "get_context_handle" without a package or object
> reference at /radiator/perl/lib/site_perl/5.6.1/IO/Socket/SSL.pm line 602.
>
>
> I think this could be corrected by Mike with a proper SSLCAFile empty
> default value if the SSLVerify is "none", or better validation of the
> config input before calling the underlying modules like Net::LDAP and
> Net::LDAPS.
>
> Regards
> 	Charly

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory etc etc 
on Unix, Win95/8, 2000, NT, MacOS 9, MacOS X etc etc
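The config validation Karl asks for, as an added example that is not Radiator's or Net::LDAP's own code: it maps the AuthBy LDAP2 parameters quoted in the thread (SSLVerify, SSLCAFile) onto the argument list for Net::LDAP->start_tls, drops an empty SSLCAFile instead of passing it down to IO::Socket::SSL, and refuses a configuration that asks for verification without a trust anchor. The function name and the use of `-r` to check the CA file are assumptions of this example.

```perl
#!/usr/bin/perl
# Added example (not Radiator code): validate the TLS parameters of an
# AuthBy LDAP2 clause before they reach Net::LDAP / IO::Socket::SSL.
use strict;
use warnings;

# %cfg keys mirror the Radiator parameters quoted in the thread.
# Returns a list suitable for $ldap->start_tls(...), or dies with a
# configuration error before any socket is opened.
sub tls_options_from_config {
    my (%cfg) = @_;
    my $verify = lc($cfg{SSLVerify} // 'require');
    die "SSLVerify must be none, optional or require\n"
        unless $verify =~ /^(none|optional|require)$/;

    my %opts = (verify => $verify);

    # Only pass a CA file if it is non-empty and readable; an empty
    # string would otherwise be handed to IO::Socket::SSL unchanged.
    my $cafile = $cfg{SSLCAFile};
    if (defined $cafile && length $cafile) {
        die "SSLCAFile '$cafile' is not readable\n" unless -r $cafile;
        $opts{cafile} = $cafile;
    }

    # verify => require without a trust anchor can never succeed, and
    # verify => none means the server certificate is not checked at all.
    die "SSLVerify require needs a non-empty SSLCAFile\n"
        if $verify eq 'require' && !exists $opts{cafile};

    return %opts;
}

# The configuration from the thread: TLS is negotiated but the server
# is not authenticated.
my %lax = tls_options_from_config(Version => 3, SSLVerify => 'none', SSLCAFile => '');
print "lax:    ", join(' ', map { "$_=$lax{$_}" } sort keys %lax), "\n";

# A stricter configuration with the same empty SSLCAFile fails here,
# with a readable message, rather than deep inside IO::Socket::SSL.
eval { tls_options_from_config(Version => 3, SSLVerify => 'require', SSLCAFile => '') };
print "strict: $@" if $@;
```

In a real AuthBy module the returned list would be passed as `$ldap->start_tls(%opts)`; with `verify => none` the connection is encrypted but offers no protection against a spoofed LDAP server.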
