[RADIATOR] ldap + starttls fails

Heikki Vatiainen hvn at open.com.au
Mon Feb 7 14:54:53 CST 2011 

On 02/06/2011 09:20 PM, James wrote:

> I'm having some issues getting Radiator to bounce off of an LDAP
> server with STARTTLS. Note that authentication works fine if I disable
> both SSL and STARTTLS against my OpenDS LDAP server.

The config below does client-authentiated TLS handshake. That is, both
the client and server exchange certificates. If you only want to verify
the server certificate, remove SSLCAClientKey and SSLCAClientCert from
your config.

A common configuration is for the client to verify server certificate
against CA certificate in SSLCAFile and then authenticate to the LDAP
server with AuthDN and AuthPassword.

Please note that the SSLCA* settings are only for brining up the TLS/SSL
connection. They have nothing to do with authenticating Radiator to the
LDAP server.

> Here's the snippet of configuration used for <AuthBy LDAP2>:
> 
> <AuthBy LDAP2>
>     Identifier ldapAuth
>     Host server.example.com
>     BaseDN  <baseDN>
>     UsernameAttr    uid
>     HoldServerConnection
>     UseTLS
>     SSLCAClientCert certificates/client.cert.pem
>     SSLCAClientKey certificates/client.key.pem

Remove these two lines above, unless you really want to do
client-authenticated TLS handshake.

>     SSLCAFile certificates/ca.cert.pem
>     Version 3
> </AuthBy>
> 
> The client certificates (client.cert.pem and client.key.pem) were
> generated by a CA I runrun, and the ca.cert.pem is actually a
> self-signed certificate that I obtained by doing an "openssl s_client
> -connect server.example.com:636". (the STARTTLS and SSL certificates
> are identical on the LDAP server)
> 
> When I enable UseTLS connectivity fails with the following error messages:
> 
> 
> Sun Feb  6 10:14:17 2011: DEBUG: Handling with Radius::AuthLDAP2: ldapAuth
> Sun Feb  6 10:14:17 2011: INFO: Connecting to server.example.com:389
> Sun Feb  6 10:14:17 2011: ERR: StartTLS failed: SSL connect attempt
> failed because of handshake
> problemserror:00000000:lib(0):func(0):reason(0)
> Sun Feb  6 10:14:17 2011: ERR: Could not open LDAP connection to
> server.example.com:389. Backing off for 600 seconds.
> Sun Feb  6 10:14:17 2011: DEBUG: AuthBy LDAP2 result: IGNORE, User
> database access error
> 
> 
> I did a bit of digging -- seems it's possible to disable certificate
> checking in Net::LDAP (although clearly not recommended). I modified
> the Ldap.pm file and changed the SSLVerify var from required to none;
> the exact same error still occurs. This doesn't make sense to me. The
> error should likely disappear if I've set "verify" to "none," no?
> 
> My goal is ultimately to change SSLCAFile to the self-signed
> certificate (gleaned from an "openssl s_client -connect"). Any
> thoughts on how to go about fixing this?
> 
> Thanks!
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

More information about the radiator mailing list