(RADIATOR) TLS connection to LDAP fails.

Rok Papez rok.papez at arnes.si
Wed Oct 6 01:47:49 CDT 2004


Hello!

I'm trying to use OpenLDAP on some other host and I'm having problems with
starting TLS. If I comment the UseTLS out, it works.

radiator.cfg:
-----------------
<AuthBy LDAP2>
        Identifier ldap_users
        Version 3
        Host ldap.host.tld
        #UseSSL
        UseTLS
        SSLCAClientCert /.../radius.host.tld_cert.pem
        SSLCAClientKey passphrase
        SSLCAPath /.../cacert.pem
        SSLVerify require
        AuthDN xxx
        AuthPassword xxx
        BaseDN xxx
        UsernameAttr xxx
        ServerChecksPassword
        EAPType PAP
        NoDefault
</AuthBy>

radiator.log:
----------------
Tue Oct  5 14:58:12 2004: DEBUG: Handling with Radius::AuthLDAP2: ldap_users
Tue Oct  5 14:58:12 2004: INFO: Connecting to ldap.host.tld, port 389
Tue Oct  5 14:58:12 2004: DEBUG: Starting TLS
Tue Oct  5 14:58:12 2004: ERR: StartTLS failed: Operations error
Tue Oct  5 14:58:12 2004: ERR: Could not open LDAP connection to ldap.host.tld, port 389. Backing off for 600 seconds.

OpenLDAP log:
----------------------
Oct  5 14:57:57 ldap slapd[12506]: conn=73 fd=12 closed
Oct  5 14:58:12 ldap slapd[12506]: conn=74 fd=12 ACCEPT from IP=x.x.x.x:55864 (IP=0.0.0.0:389)
Oct  5 14:58:12 ldap slapd[12506]: conn=74 fd=12 closed
Oct  5 14:58:20 ldap slapd[12506]: conn=75 fd=12 ACCEPT from IP=x.x.x.x:44673 (IP=0.0.0.0:389)

OpenLDAP configuration:
------------------------------------
allow bind_v2

TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /.../cacert.pem
TLSCertificateFile /.../ldap.host.tld_cert.pem
TLSCertificateKeyFile /.../ldap.host.tld_key.pem

========================
- The key file on LDAP is unencrypted
- Radiator SSLCaClientCert certificate contains both public and private key, which is protected by passphrase. The docs
were not clear what exactly should be in this file....
- I googled for this error and found there might be an incompatibility between IO::Socket::SSL and Net::LDAP. They were both upgraded,
but no change :-/.
- Radiator is 3.9
- OpenLDAP is 2.1.21


What could the problem be? How can I increase error report verbosity? How can I debug the problem?

-- 
best regards,
Rok Papež.
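An added example, not part of the original post and not Radiator or Net::LDAP code: a stdlib-only Python probe that hand-builds the LDAP StartTLS extended request (RFC 4511, OID 1.3.6.1.4.1.1466.20037) and decodes the server's ExtendedResponse, including the diagnosticMessage that slapd returns next to result code 1 (operationsError, which Net::LDAP reports as "Operations error") and which the Radiator log above does not show. The host, port and CA file are whatever you point it at; the BER helpers are assumed-minimal and only handle what this exchange needs.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended operation
RESULT_NAMES = {0: "success", 1: "operationsError", 2: "protocolError",
                52: "unavailable", 53: "unwillingToPerform", 80: "other"}

def ber_len(n):
    """BER definite-form length octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber_tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def read_tlv(buf, pos=0):
    """Decode one TLV starting at pos; returns (tag, payload, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                   # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def starttls_request(msg_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    ext = ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID))
    return ber_tlv(0x30, ber_tlv(0x02, bytes([msg_id])) + ext)   # msg_id < 128 assumed

def parse_extended_response(data):
    """Return (resultCode, resultName, diagnosticMessage) from the server's ExtendedResponse."""
    tag, msg, _ = read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(msg)                      # messageID
    tag, resp, _ = read_tlv(msg, pos)
    if tag != 0x78:                                # [APPLICATION 24] ExtendedResponse
        raise ValueError("not an ExtendedResponse (tag 0x%02x)" % tag)
    _, code, pos = read_tlv(resp)                  # ENUMERATED resultCode
    _, _matched, pos = read_tlv(resp, pos)         # matchedDN (unused here)
    _, diag, _ = read_tlv(resp, pos)               # diagnosticMessage: slapd's reason text
    code = int.from_bytes(code, "big")
    return code, RESULT_NAMES.get(code, "code %d" % code), diag.decode("utf-8", "replace")

def probe_starttls(host, port=389, cafile=None, timeout=10):
    """Send StartTLS, print the server's verdict, then finish the TLS handshake if it was accepted."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(starttls_request())
        code, name, diag = parse_extended_response(sock.recv(4096))   # one small PDU expected
        print("StartTLS result: %d (%s) diagnosticMessage=%r" % (code, name, diag))
        if code == 0:
            ctx = ssl.create_default_context(cafile=cafile)
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                print("TLS established:", tls.version(), tls.cipher())
        return code, name, diag
```

Run `probe_starttls("ldap.host.tld")` from the Radiator host: a non-zero result with its diagnosticMessage tells you whether slapd refused StartTLS itself (a server-side TLS setup problem) before any client certificate or passphrase comes into play, whereas a code 0 followed by a handshake error points at the certificate and key files on either side.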
