[RADIATOR] ldap + starttls fails

James jtp at nc.rr.com
Sun Feb 6 13:20:30 CST 2011


All,

I'm having some issues getting Radiator to bounce off of an LDAP
server with STARTTLS. Note that authentication works fine if I disable
both SSL and STARTTLS against my OpenDS LDAP server.

Here's the snippet of configuration used for <AuthBy LDAP2>:

<AuthBy LDAP2>
    Identifier ldapAuth
    Host server.example.com
    BaseDN  <baseDN>
    UsernameAttr    uid
    HoldServerConnection
    UseTLS
    SSLCAClientCert certificates/client.cert.pem
    SSLCAClientKey certificates/client.key.pem
    SSLCAFile certificates/ca.cert.pem
    Version 3
</AuthBy>

The client certificates (client.cert.pem and client.key.pem) were
generated by a CA I run, and the ca.cert.pem is actually a
self-signed certificate that I obtained by doing an "openssl s_client
-connect server.example.com:636". (the STARTTLS and SSL certificates
are identical on the LDAP server)

When I enable UseTLS connectivity fails with the following error messages:


Sun Feb  6 10:14:17 2011: DEBUG: Handling with Radius::AuthLDAP2: ldapAuth
Sun Feb  6 10:14:17 2011: INFO: Connecting to server.example.com:389
Sun Feb  6 10:14:17 2011: ERR: StartTLS failed: SSL connect attempt failed because of handshake problemserror:00000000:lib(0):func(0):reason(0)
Sun Feb  6 10:14:17 2011: ERR: Could not open LDAP connection to server.example.com:389. Backing off for 600 seconds.
Sun Feb  6 10:14:17 2011: DEBUG: AuthBy LDAP2 result: IGNORE, User database access error


I did a bit of digging -- seems it's possible to disable certificate
checking in Net::LDAP (although clearly not recommended). I modified
the Ldap.pm file and changed the SSLVerify var from required to none;
the exact same error still occurs. This doesn't make sense to me. The
error should likely disappear if I've set "verify" to "none," no?

My goal is ultimately to change SSLCAFile to the self-signed
certificate (gleaned from an "openssl s_client -connect"). Any
thoughts on how to go about fixing this?

Thanks!
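
An offline sanity check for the three PEM files the configuration above references, as an added example that is not part of the original post: it confirms that a client certificate and key are a pair, and shows that a self-signed server certificate only verifies when the CA file contains that certificate itself. The function names are hypothetical and every certificate is constructed by the script with the openssl CLI.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical;
# every certificate and key used here is constructed by make_samples.

# PEM public key carried by a certificate / derived from a private key.
cert_pub() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }
key_pub()  { openssl pkey -in "$1" -pubout 2>/dev/null; }

# 0 if the private key ($2) belongs to the certificate ($1).
# Unreadable input fails the check instead of comparing two empty strings.
cert_key_match() {
    c=$(cert_pub "$1") && k=$(key_pub "$2") && [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 if certificate $2 verifies against the trust anchors in CA file $1.
chains_to() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# 0 if subject and issuer are the same name and the certificate verifies
# against itself, i.e. it is self-signed.
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null) &&
    i=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) &&
    [ "$s" = "$i" ] && chains_to "$1" "$1"
}

# Constructed material: a self-signed server certificate, plus a separate
# private CA that issues the client certificate.
make_samples() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=server.example.com" \
        -keyout "$d/server.key.pem" -out "$d/server.cert.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Client CA" \
        -keyout "$d/ca.key.pem" -out "$d/ca.cert.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=radiator-client" \
        -keyout "$d/client.key.pem" -out "$d/client.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.cert.pem" -CAkey "$d/ca.key.pem" \
        -CAcreateserial -days 1 -out "$d/client.cert.pem" 2>/dev/null
}

SAMPLES=$(mktemp -d) && make_samples "$SAMPLES"
cert_key_match "$SAMPLES/client.cert.pem" "$SAMPLES/client.key.pem" && echo "client pair matches"
is_self_signed "$SAMPLES/server.cert.pem" && echo "server certificate is self-signed"
chains_to "$SAMPLES/ca.cert.pem" "$SAMPLES/server.cert.pem" ||
    echo "server certificate does not verify against the client CA"
chains_to "$SAMPLES/server.cert.pem" "$SAMPLES/server.cert.pem" &&
    echo "server certificate verifies when it is its own trust anchor"
```

To run the same functions against real files, pass the paths given for SSLCAFile and the client certificate and key instead of the constructed samples.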

