(RADIATOR) TLS connection to LDAP fails.

Mike McCauley mikem at open.com.au
Wed Oct 6 06:35:02 CDT 2004


Hello Rok,

You might try testing the OpenLDAP server configuration using the suggestions 
in http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html

If that is successful, please let me know and we can look further on the 
client (Radiator) side.

On Wednesday 06 October 2004 16:47, Rok Papez wrote:
> Hello!
>
> I'm trying to use OpenLDAP on some other host and I'm having problems with
> starting TLS. If I comment the UseTLS out, it works.
>
> radiator.cfg:
> -----------------
> <AuthBy LDAP2>
>         Identifier ldap_users
>         Version 3
>         Host ldap.host.tld
>         #UseSSL
>         UseTLS
>         SSLCAClientCert /.../radius.host.tld_cert.pem
>         SSLCAClientKey passphrase
>         SSLCAPath /.../cacert.pem
>         SSLVerify require
>         AuthDN xxx
>         AuthPassword xxx
>         BaseDN xxx
>         UsernameAttr xxx
>         ServerChecksPassword
>         EAPType PAP
>         NoDefault
> </AuthBy>
>
> radiator.log:
> ----------------
> Tue Oct  5 14:58:12 2004: DEBUG: Handling with Radius::AuthLDAP2: ldap_users
> Tue Oct  5 14:58:12 2004: INFO: Connecting to ldap.host.tld, port 389
> Tue Oct  5 14:58:12 2004: DEBUG: Starting TLS
> Tue Oct  5 14:58:12 2004: ERR: StartTLS failed: Operations error
> Tue Oct  5 14:58:12 2004: ERR: Could not open LDAP connection to ldap.host.tld, port 389. Backing off for 600 seconds.
>
> OpenLDAP log:
> ----------------------
> Oct  5 14:57:57 ldap slapd[12506]: conn=73 fd=12 closed
> Oct  5 14:58:12 ldap slapd[12506]: conn=74 fd=12 ACCEPT from IP=x.x.x.x:55864 (IP=0.0.0.0:389)
> Oct  5 14:58:12 ldap slapd[12506]: conn=74 fd=12 closed
> Oct  5 14:58:20 ldap slapd[12506]: conn=75 fd=12 ACCEPT from IP=x.x.x.x:44673 (IP=0.0.0.0:389)
>
> OpenLDAP configuration:
> ------------------------------------
> allow bind_v2
>
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCACertificateFile /.../cacert.pem
> TLSCertificateFile /.../ldap.host.tld_cert.pem
> TLSCertificateKeyFile /.../ldap.host.tld_key.pem
>
> ========================
> - The key file on LDAP is unencrypted.
> - The Radiator SSLCAClientCert certificate contains both the public and the private
> key, which is protected by a passphrase. The docs were not clear on what exactly
> should be in this file....
> - I googled for this error and found there might be an incompatibility between
> IO::Socket::SSL and Net::LDAP. They were both upgraded, but no change :-/.
> - Radiator is 3.9.
> - OpenLDAP is 2.1.21.
>
>
> What could the problem be? How do I increase error report verbosity? How can
> I debug the problem?

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.
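The "Operations error" Radiator logged is the LDAP result code operationsError (1) returned by the server in its response to the StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037, RFC 4511). The probe below is an added example, not code from this thread or from Radiator or OpenLDAP: it sends that one extended request over a plain socket, decodes the server's result code and diagnostic message, and only on success completes the TLS handshake with the standard library. It separates the server-side check Mike suggests from Radiator's own SSL settings. The host, port and CA file are assumptions passed on the command line; the sample response bytes are constructed for the offline test, not captured from the poster's server.

```python
"""Minimal LDAPv3 StartTLS probe: send the StartTLS extended request,
decode the extendedResponse result code, then wrap the socket in TLS."""
import socket
import ssl
import sys

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"

# LDAP result codes a StartTLS request commonly comes back with (RFC 4511 4.1.9)
RESULT_CODES = {
    0: "success",
    1: "operationsError",      # Net::LDAP prints this as "Operations error"
    2: "protocolError",
    52: "unavailable",
    53: "unwillingToPerform",
}


def ber_len(n):
    """BER length octets, short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag, payload):
    """One tag-length-value triple."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def build_starttls_request(message_id=1):
    """LDAPMessage { messageID, extendedReq [APPLICATION 23] { requestName [0] OID } }."""
    msg_id = ber_tlv(0x02, bytes([message_id]))   # INTEGER
    req_name = ber_tlv(0x80, STARTTLS_OID)        # [0] context-specific, primitive
    ext_req = ber_tlv(0x77, req_name)             # [APPLICATION 23], constructed
    return ber_tlv(0x30, msg_id + ext_req)        # SEQUENCE


def parse_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(data):
    """Decode an extendedResponse; return (message_id, result_code, diagnostic)."""
    tag, body, _ = parse_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = parse_tlv(body)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, resp, _ = parse_tlv(body, pos)
    if tag != 0x78:                               # [APPLICATION 24] extendedResponse
        raise ValueError("expected extendedResponse, got tag 0x%02x" % tag)
    _, code, pos = parse_tlv(resp)                # ENUMERATED resultCode
    _, _matched_dn, pos = parse_tlv(resp, pos)    # OCTET STRING matchedDN
    _, diag, pos = parse_tlv(resp, pos)           # OCTET STRING diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def describe_result(code):
    """Human-readable name for a result code, falling back to the number."""
    return RESULT_CODES.get(code, "resultCode %d" % code)


def starttls_probe(host, port=389, cafile=None, timeout=5):
    """Plain connect, StartTLS, then a verifying TLS handshake. Returns the server
    certificate subject on success; raises with the LDAP result on refusal."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request())
        data = sock.recv(4096)                    # response is a few dozen bytes
        _, code, diag = parse_extended_response(data)
        if code != 0:
            raise RuntimeError("StartTLS refused: %s %r" % (describe_result(code), diag))
        ctx = ssl.create_default_context(cafile=cafile)   # verifies chain and hostname
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert().get("subject")


# Constructed sample (not from the poster's server): resultCode 1 = operationsError
SAMPLE_OPERATIONS_ERROR = ber_tlv(0x30,
    ber_tlv(0x02, b"\x01") +
    ber_tlv(0x78, ber_tlv(0x0a, b"\x01") + ber_tlv(0x04, b"") + ber_tlv(0x04, b"TLS unavailable")))

if __name__ == "__main__":
    # usage: starttls_probe.py ldap.host.tld [port] [cacert.pem]  (hypothetical invocation)
    h = sys.argv[1]
    p = int(sys.argv[2]) if len(sys.argv) > 2 else 389
    ca = sys.argv[3] if len(sys.argv) > 3 else None
    print(starttls_probe(h, p, ca))
```

If the probe is refused with operationsError before any TLS handshake, the problem lies in the server's TLS setup rather than in the client certificate or key settings, since those are only used once the handshake starts; if the probe succeeds but Radiator still fails, the client-side settings are the next thing to look at.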

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

