[RADIATOR] Net::LDAPS problem with Active Directory on port 636
Heikki Vatiainen
hvn at open.com.au
Mon Nov 11 17:23:53 CST 2013
On 11/11/2013 11:58 PM, Klara Mall wrote:
> With this configuration the connection fails about half of the time (not
> always) with:
> "ERR: Could not open LDAP connection to ad.example.com:636. Backing off
> for 600 seconds."
>
> I had a look at Ldap.pm from the radiator code and wrote this little
> Perl program:
> -------------------
Hello Klara,
If you add the 'use ...' before require and then run the script, do you
get debug output from IO::Socket::SSL? I have not tried this myself, but
my understanding is IO::Socket::SSL is what Net::LDAP uses for LDAPS.
If you do get debug output, you could try modifying Ldap.pm a bit more
and make it load IO::Socket::SSL with debug enabled.
When you then run radiusd with -foreground and -log_stdout options, you
should see the debug output when LDAPS connections are created.
Maybe this debug would show what goes wrong.
use IO::Socket::SSL qw(debug3);
> require Net::LDAPS;
>
> my $host = "ad.example.com";
>
> my $ldap = new Net::LDAPS($host,
> port => 636,
> verify => 'require',
> localaddr => '',
> multihomed => 1,
> version => 3,
> inet6 => 0,
> timeout => 3,
> cafile =>
> '/etc/radiator/certificates/deutsche-ca.pem');
> if (!$ldap) { print "error\n"; exit; }
> else { print "success\n"; exit; }
Thanks,
Heikki
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
More information about the radiator
mailing list