[RADIATOR] Net::LDAPS problem with Active Directory on port 636

Klara Mall klara.mall at kit.edu
Mon Nov 11 16:12:46 CST 2013


Addendum:

On 11/11/2013 10:58 PM, Klara Mall wrote:
> I have a problem with connecting to our Active Directory servers (LDAP)
> on port 636 with radiator. Port 3269 is working but I have to use 636
> for a certain reason.
> 
> The mad thing is: I cannot reproduce the problem with a little Perl
> program on the same host.
> 
> System:
> radiator 4.11, Debian wheezy, i386 (all Perl modules from Debian)

Forgot to say: no IPv6 address is configured, only IPv4.

> Relevant radiator configuration:
> -------------------
> Host            ad.example.com
> Port            636
> Version         3
> UseSSL
> SSLCAFile %D/certificates/ca.pem
> Timeout         3
> -------------------

Forgot to say: I use AuthBy LDAP2.

> With this configuration the connection fails about half of the time (not
> always) with:
> "ERR: Could not open LDAP connection to ad.example.com:636. Backing off
> for 600 seconds."
> 
> I had a look at Ldap.pm from the radiator code and wrote this little
> Perl program:
> -------------------
> require Net::LDAPS;
> 
> my $host = "ad.example.com";
> 
> my $ldap = new Net::LDAPS($host,
>                          port => 636,
>                          verify => 'require',
>                          localaddr => '',
>                          multihomed => 1,
>                          version => 3,
>                          inet6 => 0,
>                          timeout => 3,
>                          cafile =>
> '/etc/radiator/certificates/deutsche-ca.pem');

This is a typo: it is the same file as above.


> if (!$ldap) { print "error\n";  exit; }
> else { print "success\n"; exit; }
> 
> -------------------
> 
> I run this program in a while loop several times and the connection
> never fails.
> 
> I also removed the patch by Raphael Luta (in Ldap.pm) which permits
> multiple hostnames. But it made no difference.
> 
> I wasn't able to find the difference between the radiator code and my
> code. Can you help me?
> 
> Best regards
> Klara
> 

-- 
Karlsruher Institut für Technologie (KIT)
Steinbuch Centre for Computing (SCC)

Klara Mall
Netze und Telekommunikation (NET)
Hermann-von-Helmholtz-Platz 1
76344 Eggenstein-Leopoldshafen
Phone: +49 721 608-28630
Phone: +49 721 608-48946
E-Mail: klara.mall at kit.edu
Web: http://www.scc.kit.edu

KIT - University of the State of Baden-Württemberg and
National Research Center of the Helmholtz Association
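
Added example, not part of the original post and not Radiator code: the test program in the post prints only "error", so this variant repeats the connection with the same port, timeout and TLS options and records the reason Net::LDAPS leaves in $@ for each failed attempt, with a timestamp that can be matched against the Radiator log. The command-line arguments and the default attempt count are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: repeat the LDAPS connect from the post and log why it fails.
use strict;
use warnings;
use Net::LDAPS;
use Time::HiRes qw(time);
use POSIX qw(strftime);

# Arguments are an assumption of this example: CA file, then optional
# host (default taken from the post) and number of attempts.
my ($cafile, $host, $attempts) = @ARGV;
die "usage: $0 CAFILE [HOST] [ATTEMPTS]\n" unless defined $cafile;
$host     //= 'ad.example.com';
$attempts //= 50;

my ($ok, %reasons) = (0);
for my $n (1 .. $attempts) {
    my $start = time;
    my $ldap  = Net::LDAPS->new(
        $host,
        port       => 636,
        verify     => 'require',   # keep certificate verification on
        cafile     => $cafile,
        version    => 3,
        multihomed => 1,
        inet6      => 0,
        timeout    => 3,
    );
    my $elapsed = time - $start;

    if ($ldap) {
        $ok++;
        $ldap->disconnect;
        next;
    }

    # On failure the constructor returns undef and puts the reason in $@.
    (my $why = $@ || 'no error text in $@') =~ s/\s+\z//;
    $reasons{$why}++;
    printf "%s attempt %d failed after %.2fs: %s\n",
        strftime('%Y-%m-%d %H:%M:%S', localtime), $n, $elapsed, $why;
}

# Summary: success count, then each distinct failure reason with its count.
printf "%d of %d connections succeeded\n", $ok, $attempts;
printf "%5d x %s\n", $reasons{$_}, $_
    for sort { $reasons{$b} <=> $reasons{$a} } keys %reasons;
```

A failure whose elapsed time is close to the 3 second timeout indicates that the attempt timed out, while a much faster failure indicates that the connection or TLS handshake was rejected.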

