(RADIATOR) TLS connection to LDAP fails.
Hugh Irvine
hugh at open.com.au
Wed Oct 6 06:15:52 CDT 2004
Hello Rok -
You can set Debug 255 in the AuthBy LDAP2 clause.
regards
Hugh
On 6 Oct 2004, at 08:47, Rok Papez wrote:
> Hello!
>
> I'm trying to use OpenLDAP on some other host and I'm having problems
> with starting TLS. If I comment the UseTLS out, it works.
>
> radiator.cfg:
> -----------------
> <AuthBy LDAP2>
> Identifier ldap_users
> Version 3
> Host ldap.host.tld
> #UseSSL
> UseTLS
> SSLCAClientCert /.../radius.host.tld_cert.pem
> SSLCAClientKey passphrase
> SSLCAPath /.../cacert.pem
> SSLVerify require
> AuthDN xxx
> AuthPassword xxx
> BaseDN xxx
> UsernameAttr xxx
> ServerChecksPassword
> EAPType PAP
> NoDefault
> </AuthBy>
>
> radiator.log:
> ----------------
> Tue Oct 5 14:58:12 2004: DEBUG: Handling with Radius::AuthLDAP2: ldap_users
> Tue Oct 5 14:58:12 2004: INFO: Connecting to ldap.host.tld, port 389
> Tue Oct 5 14:58:12 2004: DEBUG: Starting TLS
> Tue Oct 5 14:58:12 2004: ERR: StartTLS failed: Operations error
> Tue Oct 5 14:58:12 2004: ERR: Could not open LDAP connection to ldap.host.tld, port 389. Backing off for 600 seconds.
>
> OpenLDAP log:
> ----------------------
> Oct 5 14:57:57 ldap slapd[12506]: conn=73 fd=12 closed
> Oct 5 14:58:12 ldap slapd[12506]: conn=74 fd=12 ACCEPT from IP=x.x.x.x:55864 (IP=0.0.0.0:389)
> Oct 5 14:58:12 ldap slapd[12506]: conn=74 fd=12 closed
> Oct 5 14:58:20 ldap slapd[12506]: conn=75 fd=12 ACCEPT from IP=x.x.x.x:44673 (IP=0.0.0.0:389)
>
> OpenLDAP configuration:
> ------------------------------------
> allow bind_v2
>
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCACertificateFile /.../cacert.pem
> TLSCertificateFile /.../ldap.host.tld_cert.pem
> TLSCertificateKeyFile /.../ldap.host.tld_key.pem
>
> ========================
> - The key file on LDAP is unencrypted
> - Radiator SSLCaClientCert certificate contains both public and
> private key, which is protected by passphrase. The docs
> were not clear what exactly should be in this file....
> - I googled for this error and found there might be incompatibility
> with IO::Socket:SSL and net-ldap. They were both upgraded,
> but no change :-/.
> - Radiator is 3.9
> - OpenLDAP is 2.1.21
>
>
> What could the problem be? How do I increase error report verbosity? How
> can I debug the problem?
>
> --
> best regards,
> Rok Papež.
>
NB: I am travelling this week, so there may be delays in our
correspondence.
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
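Beyond raising Debug, the StartTLS step can be reproduced outside Radiator with the same Perl modules AuthBy LDAP2 relies on (Net::LDAP over IO::Socket::SSL), which shows whether the failure comes from the LDAP library or from the Radiator configuration. This is an added diagnostic script, not code from the list or from Radiator; the host, file paths and passphrase are placeholders to be replaced with the values from radiator.cfg.

```perl
#!/usr/bin/perl
# Stand-alone StartTLS probe: connect, negotiate TLS with the same
# verification settings as the AuthBy LDAP2 clause, and report the
# LDAP result code plus any underlying SSL error.
use strict;
use warnings;
use Net::LDAP;
use IO::Socket::SSL;   # loaded explicitly so $SSL_ERROR is visible below

my $host = 'ldap.host.tld';   # placeholder: Host from radiator.cfg

# Placeholder paths; each maps to one AuthBy LDAP2 parameter.
my %tls = (
    verify     => 'require',                           # SSLVerify require
    cafile     => '/path/to/cacert.pem',               # CA file (SSLCAPath)
    clientcert => '/path/to/radius.host.tld_cert.pem', # SSLCAClientCert
    clientkey  => '/path/to/radius.host.tld_key.pem',  # client private key file
    keydecrypt => sub { return 'passphrase' },         # passphrase for an encrypted key
);

my $ldap = Net::LDAP->new($host, port => 389, version => 3)
    or die "TCP connect to $host:389 failed: $@\n";

my $mesg = $ldap->start_tls(%tls);
if ($mesg->code) {
    # Radiator only logs the short text; print the numeric code and name too.
    printf STDERR "StartTLS failed: code %d (%s): %s\n",
        $mesg->code, $mesg->error_name, $mesg->error;
    # IO::Socket::SSL records handshake/certificate problems separately.
    print STDERR "SSL error: $IO::Socket::SSL::SSL_ERROR\n"
        if defined $IO::Socket::SSL::SSL_ERROR;
    exit 1;
}

print "StartTLS OK, negotiated cipher: ", $ldap->cipher, "\n";
$ldap->unbind;
```

Running the probe from the RADIUS host with the same user and file permissions Radiator uses also catches an unreadable key or certificate file that slapd never sees.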
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.