[RADIATOR] Net::LDAPS problem with Active Directory on port 636

Klara Mall klara.mall at kit.edu
Tue Nov 12 14:58:08 CST 2013


Hi Heikki,

many thanks for your reply!

I modified Ldap.pm (debug output for IO::Socket::SSL).

Configuration snippet:
-----------------------------------
<AuthBy GROUP>
        Identifier ldap123
        AuthByPolicy ContinueWhileAccept
	<AuthBy LDAP2>
		Host            kit-dc-04.kit.edu
		Port            636
		Version         3
		UseSSL
		SSLCAFile %D/certificates/ca.pem
		Timeout         3
		...
	</AuthBy>

	<AuthBy ...>
	....
	</AuthBy>
</AuthBy>

<Handler ...>
        RewriteFunction file:"%D/hooks/email2sam.pl"
        AuthBy ldap123
	...
</Handler>

-----------------------------------

file:"%D/hooks/email2sam.pl":
In this RewriteFunction I need an LDAPS connection, too. If it's not the same
host the second authentication with this handler (after restart of radiator)
will fail.

email2sam.pl:
------------------------------
sub {
    # Radiator passes the user name to the RewriteFunction hook
    my ($user) = @_;

    my $host = "kit-ad.scc.kit.edu";

    # LDAPS connection to the second AD host, verified against our CA file
    require Net::LDAPS;
    my $ldap = Net::LDAPS->new(
                            $host,
                            port    => 636,
                            timeout => 3,
                            verify  => 'require',
                            cafile  => '/etc/radiator/certificates/ca.pem')
    or return $user;   # leave the name untouched if the connection fails

    ...

    my $user_new = ...
    return $user_new;
}
------------------------------

In the IO::Socket::SSL debug log you see the two connections. The
first is the RewriteFunction's one and the second the AuthBy's one.

* 1st authentication with this handler:

a.) RewriteFunction email2sam
[...]
DEBUG: .../IO/Socket/SSL.pm:1210: identity=kit-ad.scc.kit.edu cn=kit-ad.scc.kit.edu alt=1 f5 at scc.kit.edu
DEBUG: .../IO/Socket/SSL.pm:446: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:456: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:466: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:486: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:446: Net::SSLeay::connect -> 1
DEBUG: .../IO/Socket/SSL.pm:501: ssl handshake done


b.) AuthBy LDAP2
[...]
DEBUG: .../IO/Socket/SSL.pm:1210: identity=kit-dc-04.kit.edu cn=kit-dc-04.kit.edu alt=2 kit-dc-04.kit.edu 2 kit-dc.kit.edu
DEBUG: .../IO/Socket/SSL.pm:446: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:456: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:466: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:486: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:446: Net::SSLeay::connect -> 1
DEBUG: .../IO/Socket/SSL.pm:501: ssl handshake done

=> Everything ok.

* 2nd authentication with this handler:

a.) RewriteFunction email2sam
[...]
DEBUG: .../IO/Socket/SSL.pm:1210: identity=kit-dc-04.kit.edu cn=kit-ad.scc.kit.edu alt=1 f5 at scc.kit.edu
DEBUG: .../IO/Socket/SSL.pm:446: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:1328: SSL connect attempt failed with unknown error error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
DEBUG: .../IO/Socket/SSL.pm:452: fatal SSL error: SSL connect attempt failed with unknown error error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
DEBUG: .../IO/Socket/SSL.pm:1328: IO::Socket::IP configuration failed error:00000000:lib(0):func(0):reason(0)

b.) AuthBy LDAP2
[...]
DEBUG: .../IO/Socket/SSL.pm:1210: identity=kit-dc-04.kit.edu cn=kit-dc-04.kit.edu alt=2 kit-dc-04.kit.edu 2 kit-dc.kit.edu
DEBUG: .../IO/Socket/SSL.pm:446: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:456: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:466: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:486: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:446: Net::SSLeay::connect -> 1
DEBUG: .../IO/Socket/SSL.pm:501: ssl handshake done


=> RewriteFunction's LDAP connection failed because of wrong identity.

It seems that the identity is cached from the AuthBy LDAP2 before. I'm
not even sure what this identity in an SSL connection means. So I'd
be happy if someone has an idea how this can be fixed.


Best Regards
Klara

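Added diagnostic example (not code from Klara's or Heikki's mail and not part of Radiator): since Net::LDAPS sits on top of IO::Socket::SSL, the quickest way to see what the "identity" in the debug line is compared against is to open the TLS socket directly, once per host, with the expected name passed explicitly via SSL_verifycn_name, and then print the CN and DNS subjectAltNames the server actually presents. The two hostnames and the CA path are the ones from the thread; the function name probe_ldaps, the port default and the 3 second timeout are assumptions.

```perl
#!/usr/bin/perl
# Added diagnostic, not part of the thread: one TLS connection per host,
# each with its own explicit verification name, and a dump of what the
# peer certificate really contains. Hostnames and CA path come from the
# thread; everything else is an assumption.
use strict;
use warnings;
use IO::Socket::SSL qw(SSL_VERIFY_PEER);

my $cafile = '/etc/radiator/certificates/ca.pem';
my @hosts  = ('kit-ad.scc.kit.edu', 'kit-dc-04.kit.edu');

# Connect to $host:$port over TLS, verify the chain against $cafile and the
# certificate name against $host, and return a hash describing the result.
sub probe_ldaps {
    my ($host, $port) = @_;
    $port //= 636;

    my $sock = IO::Socket::SSL->new(
        PeerHost            => $host,
        PeerPort            => $port,
        Timeout             => 3,
        SSL_verify_mode     => SSL_VERIFY_PEER,
        SSL_ca_file         => $cafile,
        SSL_verifycn_scheme => 'ldap',  # scheme Net::LDAP uses for LDAPS
        SSL_verifycn_name   => $host,   # expected identity, set per connection
    );

    return { host => $host, ok => 0,
             error => "$!,$IO::Socket::SSL::SSL_ERROR" }
        unless $sock;

    # What the server presented: CN plus the DNS entries of subjectAltName.
    # peer_certificate('subjectAltNames') returns (type, value) pairs;
    # type 2 is GEN_DNS.
    my $cn   = $sock->peer_certificate('commonName');
    my @sans = $sock->peer_certificate('subjectAltNames');
    my @dns;
    while (@sans) {
        my ($type, $value) = splice(@sans, 0, 2);
        push @dns, $value if $type == 2;
    }

    # Re-run the hostname check on its own, so a mismatch between the
    # expected name and the certificate is visible even if the handshake
    # itself was accepted for some other reason.
    my $name_ok = $sock->verify_hostname($host, 'ldap') ? 1 : 0;

    $sock->close(SSL_ctx_free => 1);   # do not keep the context around

    return { host => $host, ok => 1, cn => $cn,
             dns_sans => \@dns, name_ok => $name_ok };
}

# Probe both hosts twice in the same process, in the order Radiator uses
# them (RewriteFunction host first, then the AuthBy host), to see whether
# the second round still verifies each certificate against its own name.
for my $round (1, 2) {
    for my $host (@hosts) {
        my $r = probe_ldaps($host);
        if (!$r->{ok}) {
            print "round $round $host: connect failed: $r->{error}\n";
            next;
        }
        printf "round %d %s: cn=%s san=%s name_check=%s\n",
            $round, $host, $r->{cn} // '-', join(',', @{ $r->{dns_sans} }),
            $r->{name_ok} ? 'ok' : 'MISMATCH';
    }
}
```

If the second round reports a name mismatch for kit-ad.scc.kit.edu even though SSL_verifycn_name is passed explicitly, the problem is below Net::LDAP; if it verifies cleanly here but still fails inside radiusd, the name Net::LDAP hands to IO::Socket::SSL is the thing to look at, which is exactly the "identity=" value the debug line prints.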



On Tue, Nov 12, 2013 at 12:23:53AM +0100, Heikki Vatiainen wrote:
> On 11/11/2013 11:58 PM, Klara Mall wrote:
> 
> > With this configuration the connection fails about half of the time (not
> > always) with:
> > "ERR: Could not open LDAP connection to ad.example.com:636. Backing off
> > for 600 seconds."
> > 
> > I had a look at Ldap.pm from the radiator code and wrote this little
> > Perl program:
> > -------------------
> 
> Hello Klara,
> 
> If you add the 'use ...' before require and then run the script, do you
> get debug output from IO::Socket::SSL? I have not tried this myself, but
> my understanding is IO::Socket::SSL is what Net::LDAP uses for LDAPS.
> 
> If you do get debug output, you could try modifying Ldap.pm a bit more
> and make it load IO::Socket::SSL with debug enabled.
> 
> When you then run radiusd with -foreground and -log_stdout options, you
> should see the debug output when LDAPS connections are created.
> 
> Maybe this debug would show what goes wrong.
> 
> use IO::Socket::SSL qw(debug3);
> 
> > require Net::LDAPS;
> > 
> > my $host = "ad.example.com";
> > 
> > my $ldap = new Net::LDAPS($host,
> >                          port => 636,
> >                          verify => 'require',
> >                          localaddr => '',
> >                          multihomed => 1,
> >                          version => 3,
> >                          inet6 => 0,
> >                          timeout => 3,
> >                          cafile =>
> > '/etc/radiator/certificates/deutsche-ca.pem');
> > if (!$ldap) { print "error\n";  exit; }
> > else { print "success\n"; exit; }
> 
> 
> Thanks,
> Heikki
> 
> -- 
> Heikki Vatiainen <hvn at open.com.au>
> 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> NetWare etc.
