(RADIATOR) TLS connection to LDAP fails.

Hugh Irvine hugh at open.com.au
Wed Oct 6 06:15:52 CDT 2004 

Hello Rok -

You can set Debug 255 in the AuthBy LDAP2 clause.

regards

Hugh


On 6 Oct 2004, at 08:47, Rok Papez wrote:

> Hello!
>
> I'm trying to use OpenLDAP on some other host and I'm having problems 
> with
> starting TLS. If I comment the UseTLS out, it works.
>
> radiator.cfg:
> -----------------
> <AuthBy LDAP2>
>         Identifier ldap_users
>         Version 3
>         Host ldap.host.tld
>         #UseSSL
>         UseTLS
>         SSLCAClientCert /.../radius.host.tld_cert.pem
>         SSLCAClientKey passphrase
>         SSLCAPath /.../cacert.pem
>         SSLVerify require
>         AuthDN xxx
>         AuthPassword xxx
>         BaseDN xxx
>         UsernameAttr xxx
>         ServerChecksPassword
>         EAPType PAP
>         NoDefault
> </AuthBy>
>
> radiator.log:
> ----------------
> Tue Oct  5 14:58:12 2004: DEBUG: Handling with Radius::AuthLDAP2: 
> ldap_users
> Tue Oct  5 14:58:12 2004: INFO: Connecting to ldap.host.tld, port 389
> Tue Oct  5 14:58:12 2004: DEBUG: Starting TLS
> Tue Oct  5 14:58:12 2004: ERR: StartTLS failed: Operations error
> Tue Oct  5 14:58:12 2004: ERR: Could not open LDAP connection to 
> ldap.host.tld, port 389. Backing off for 600 seconds.
>
> OpenLDAP log:
> ----------------------
> Oct  5 14:57:57 ldap slapd[12506]: conn=73 fd=12 closed
> Oct  5 14:58:12 ldap slapd[12506]: conn=74 fd=12 ACCEPT from 
> IP=x.x.x.x:55864 (IP=0.0.0.0:389)
> Oct  5 14:58:12 ldap slapd[12506]: conn=74 fd=12 closed
> Oct  5 14:58:20 ldap slapd[12506]: conn=75 fd=12 ACCEPT from 
> IP=x.x.x.x:44673 (IP=0.0.0.0:389)
>
> OpenLDAP configuration:
> ------------------------------------
> allow bind_v2
>
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCACertificateFile /.../cacert.pem
> TLSCertificateFile /.../ldap.host.tld_cert.pem
> TLSCertificateKeyFile /.../ldap.host.tld_key.pem
>
> ========================
> - The key file on LDAP is unencrypted
> - Radiator SSLCaClientCert certificate contains both public and 
> private key, which is protected by passphrase. The docs
> were not clear what exactly should be in this file....
> - I googled for this error and found there might be incompatibility 
> with IO::Socket:SSL and net-ldap. They were both upgraded,
> but no change :-/.
> - Radiator is 3.9
> - OpenLDAP is 2.1.21
>
>
> What could be a problem ? How to increase error report verbosity ? How 
> can I debug the problem ?
>
> -- 
> best regards,
> Rok Papež.
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>

NB: I am travelling this week, so there may be delays in our 
correspondence.

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

More information about the radiator mailing list