[RADIATOR] LDAPS connection problem

Alexander Hartmaier alexander.hartmaier at t-systems.at
Thu Oct 18 10:33:48 CDT 2012


We're having problems with an LDAPS connection to two Windows domain
controllers.
An ldapsearch on the CLI works every time, the Radiator connection only
sometimes.

I've upgraded the Radiator servers from 4.8 to 4.10 with current patches
in the hope of a fix, but it still shows the same behaviour:

Sometimes it works:
Thu Oct 18 12:41:42 2012: INFO: Connecting to 10.1.2.1 10.1.2.2:636
Thu Oct 18 12:41:42 2012: INFO: Attempting to bind to LDAP server
10.1.2.1 10.1.2.2:636

Sometimes it doesn't:
Thu Oct 18 13:38:43 2012: INFO: Connecting to 10.1.2.1 10.1.2.2:636
Thu Oct 18 13:38:49 2012: ERR: Could not open LDAP connection to
10.1.2.1 10.1.2.2:636. Backing off for 5 seconds.

BTW the debug output is really puzzling when you configure more than one
server/IP address and should be changed to only show the server/IP
that's used to try the connection!

This is our config:

<AuthBy LDAP2>
        # Save time by never looking for a default
        NoDefault

        Host 10.1.2.1 10.1.2.2
        Port 636
        Version 3

        # request timeout in seconds
        Timeout 3

        # don't try to reach the LDAP server for this many seconds after a failure
        FailureBackoffTime 5

        # persistent connection doesn't work with M$ AD
        # HoldServerConnection
        UnbindAfterServerChecksPassword

        ## Enable SSL
        UseSSL
        ## Enable TLS
        # UseTLS
        ## Name of the client certificate file:
        SSLCAClientCert %D/certificates/radius.fqdn.pem
        ## Name of the file containing the client private key
        SSLCAClientKey %D/certificates/radius.fqdn.key
        SSLCAFile %D/certificates/ad.pem
        ## Require ldap server certificate
        #SSLVerify require

        # LDAP access
        AuthDN CN=foo,OU=bar,DC=fqdn,DC=at
        AuthPassword foo

        # Start looking here
        BaseDN OU=bar,DC=fqdn,DC=at

        # base, single, subtree
        Scope subtree

        UsernameAttr samaccountname
        # don't check the password, just for phone number lookup
        PasswordAttr

        # store the user's mobile phone number in the Callback-Number RADIUS attribute
        AuthAttrDef mobile,Callback-Number,request
</AuthBy>

--
Best regards, Alexander Hartmaier
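As an added example (not part of the post and not Radiator code), the script below does the two things a practitioner would want when chasing this symptom: it pairs each "Connecting to" log line with its outcome and computes how long the attempt took, so a failure that only surfaces after the configured Timeout (3 s here) can be told apart from an immediate refusal or TLS rejection; and, because Radiator prints both hosts on one line, it probes each LDAPS host separately with a plain TLS handshake and reports the per-host result. The sample log lines are constructed from the ones quoted above, the regular expressions assume the Radiator log shape shown there, and the certificate path passed to the probe is the one from the config (adjust it to your deployment).

```python
"""Classify Radiator LDAP connect attempts from its log and probe LDAPS hosts one at a time."""
import re
import socket
import ssl
import time
from datetime import datetime

# Constructed sample, modelled on the lines quoted in the post.
SAMPLE_LOG = """\
Thu Oct 18 12:41:42 2012: INFO: Connecting to 10.1.2.1 10.1.2.2:636
Thu Oct 18 12:41:42 2012: INFO: Attempting to bind to LDAP server 10.1.2.1 10.1.2.2:636
Thu Oct 18 13:38:43 2012: INFO: Connecting to 10.1.2.1 10.1.2.2:636
Thu Oct 18 13:38:49 2012: ERR: Could not open LDAP connection to 10.1.2.1 10.1.2.2:636. Backing off for 5 seconds.
"""

TS_FMT = "%a %b %d %H:%M:%S %Y"
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}): (?P<level>\w+): (?P<msg>.*)$")
CONNECT_RE = re.compile(r"^Connecting to (?P<hosts>.+):(?P<port>\d+)$")
FAIL_RE = re.compile(r"^Could not open LDAP connection to .*Backing off for (?P<backoff>\d+) seconds\.$")
BIND_RE = re.compile(r"^Attempting to bind")


def parse_log(text):
    """Yield (timestamp, level, message) for every line that matches Radiator's log shape."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], TS_FMT), m["level"], m["msg"]


def analyse_attempts(text, timeout):
    """Pair each 'Connecting to' line with its outcome and measure the elapsed time.

    A failure whose elapsed time reaches the configured Timeout looks like a
    connect/handshake timeout; a much faster failure points at a refusal or a
    TLS rejection instead.
    """
    attempts, pending = [], None
    for ts, level, msg in parse_log(text):
        c = CONNECT_RE.match(msg)
        if c:
            pending = {"started": ts, "hosts": c["hosts"].split(), "port": int(c["port"])}
            continue
        if pending is None:
            continue
        elapsed = (ts - pending["started"]).total_seconds()
        f = FAIL_RE.match(msg)
        if f:
            pending.update(outcome="failed", elapsed=elapsed, backoff=int(f["backoff"]),
                           timed_out=elapsed >= timeout)
            attempts.append(pending)
            pending = None
        elif BIND_RE.match(msg):
            pending.update(outcome="connected", elapsed=elapsed)
            attempts.append(pending)
            pending = None
    return attempts


def probe_ldaps(host, port=636, timeout=3.0, cafile=None):
    """TCP connect plus TLS handshake to a single LDAPS host, with timing and the error seen.

    Certificate verification stays on; pass cafile (e.g. the SSLCAFile from the
    Radiator config) so a verification failure is reported as such rather than hidden.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"host": host, "ok": True, "elapsed": time.monotonic() - start,
                        "tls": tls.version(), "error": None}
    except (OSError, ssl.SSLError) as exc:  # socket.timeout and refusals are OSError subclasses
        return {"host": host, "ok": False, "elapsed": time.monotonic() - start,
                "tls": None, "error": str(exc)}


if __name__ == "__main__":
    for attempt in analyse_attempts(SAMPLE_LOG, timeout=3):
        print(attempt)
    # Probe each configured host on its own (paths/addresses taken from the posted config):
    # for h in ("10.1.2.1", "10.1.2.2"):
    #     print(probe_ldaps(h, cafile="certificates/ad.pem"))
```

Run against the quoted lines, the failed attempt shows an elapsed time of 6 s against a 3 s Timeout, so it is classified as a timeout rather than a refusal; the per-host probe then tells you which of the two domain controllers is slow or unreachable, which the combined log line cannot.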



