(RADIATOR) TLS connection to LDAP fails.
Mike McCauley
mikem at open.com.au
Wed Oct 6 06:35:02 CDT 2004
Hello Rok,
You might try testing the OpenLDAP server configuration using the suggestions
in http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html
If that is successful, please let me know and we can look further on the
client (Radiator) side.
On Wednesday 06 October 2004 16:47, Rok Papez wrote:
> Hello!
>
> I'm trying to use OpenLDAP on some other host and I'm having problems with
> starting TLS. If I comment the UseTLS out, it works.
>
> radiator.cfg:
> -----------------
> <AuthBy LDAP2>
> Identifier ldap_users
> Version 3
> Host ldap.host.tld
> #UseSSL
> UseTLS
> SSLCAClientCert /.../radius.host.tld_cert.pem
> SSLCAClientKey passphrase
> SSLCAPath /.../cacert.pem
> SSLVerify require
> AuthDN xxx
> AuthPassword xxx
> BaseDN xxx
> UsernameAttr xxx
> ServerChecksPassword
> EAPType PAP
> NoDefault
> </AuthBy>
>
> radiator.log:
> ----------------
> Tue Oct 5 14:58:12 2004: DEBUG: Handling with Radius::AuthLDAP2:
> ldap_users Tue Oct 5 14:58:12 2004: INFO: Connecting to ldap.host.tld,
> port 389 Tue Oct 5 14:58:12 2004: DEBUG: Starting TLS
> Tue Oct 5 14:58:12 2004: ERR: StartTLS failed: Operations error
> Tue Oct 5 14:58:12 2004: ERR: Could not open LDAP connection to
> ldap.host.tld, port 389. Backing off for 600 seconds.
>
> OpenLDAP log:
> ----------------------
> Oct 5 14:57:57 ldap slapd[12506]: conn=73 fd=12 closed
> Oct 5 14:58:12 ldap slapd[12506]: conn=74 fd=12 ACCEPT from
> IP=x.x.x.x:55864 (IP=0.0.0.0:389) Oct 5 14:58:12 ldap slapd[12506]:
> conn=74 fd=12 closed
> Oct 5 14:58:20 ldap slapd[12506]: conn=75 fd=12 ACCEPT from
> IP=x.x.x.x:44673 (IP=0.0.0.0:389)
>
> OpenLDAP configuration:
> ------------------------------------
> allow bind_v2
>
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCACertificateFile /.../cacert.pem
> TLSCertificateFile /.../ldap.host.tld_cert.pem
> TLSCertificateKeyFile /.../ldap.host.tld_key.pem
>
> ========================
> - The key file on LDAP is unencrypted
> - Radiator SSLCaClientCert certificate contains both public and private
> key, which is protected by passphrase. The docs were not clear what exactly
> should be in this file....
> - I googled for this error and found there might be incompatibility with
> IO::Socket:SSL and net-ldap. They were both upgraded, but no change :-/.
> - Radiator is 3.9
> - OpenLDAP is 2.1.21
>
>
> What could be a problem ? How to increase error report verbosity ? How can
> I debug the problem ?
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list