[RADIATOR] Net::LDAPS problem with Active Directory on port 636
Klara Mall
klara.mall at kit.edu
Tue Nov 12 15:29:18 CST 2013
Sorry, I said something wrong, see below...
On Tue, Nov 12, 2013 at 09:58:08PM +0100, Klara Mall wrote:
> many thanks for your reply!
>
> I modified Ldap.pm (debug output for IO::Socket::SSL).
>
> Configuration snippet:
> -----------------------------------
> <AuthBy GROUP>
> Identifier ldap123
> AuthByPolicy ContinueWhileAccept
> <AuthBy LDAP2>
> Host kit-dc-04.kit.edu
> Port 636
> Version 3
> UseSSL
> SSLCAFile %D/certificates/ca.pem
> Timeout 3
> ...
> </AuthBy>
I noticed that here I use Port 389 with STARTTLS (UseTLS), not
UseSSL. It works if I use SSL here.
I analyzed now (given two different LDAP server hosts):
a. if I use SSL in both connections it works.
b. if I use TLS in both connections it works.
c. if I use TLS in RewriteFunction and SSL in AuthBy LDAP2 it doesn't work.
d. if I use SSL in RewriteFunction and TLS in AuthBy LDAP2 it doesn't work.
c: This is what I was describing in this email (2nd authentication fails).
d: Not the 2nd authentication fails but the 1st.
RewriteFunction is ok:
DEBUG: .../IO/Socket/SSL.pm:1210: identity=kit-dc-04.kit.edu cn=kit-dc-04.kit.edu alt=2 kit-dc-04.kit.edu 2 kit-dc.kit.edu
AuthBy LDAP2 fails:
DEBUG: .../IO/Socket/SSL.pm:1210: identity=kit-dc-04.kit.edu cn=kit-ad.scc.kit.edu alt=1 f5 at scc.kit.edu
It seems that the first TLS connection after an SSL connection fails.
I have to try to reproduce this with a Perl program which does
nothing other than these two connections.
Regards
Klara
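The two-connection test program the post says still needs to be written, as an added example (not code from the post or from Radiator): it opens the same LDAPS and STARTTLS connections with plain Net::LDAP and the same IO::Socket::SSL debug output, so the identity check can be watched outside Radiator. The host name, CA file path and bind credentials are placeholders.

```perl
#!/usr/bin/perl
# Added example, not from the original post or from Radiator: open the two
# connections from the mail (LDAPS on 636, then LDAP on 389 with STARTTLS)
# with plain Net::LDAP so the failure can be reproduced outside Radiator.
use strict;
use warnings;
use Net::LDAP;
use IO::Socket::SSL;

my $host   = 'dc.example.org';                      # placeholder DC host
my $cafile = '/etc/radiator/certificates/ca.pem';   # placeholder CA bundle
my $binddn = 'CN=radius,OU=svc,DC=example,DC=org';  # placeholder bind DN
my $bindpw = 'placeholder-password';

# Same IO::Socket::SSL debugging that produced the "identity=... cn=... alt=..."
# lines in the mail, so the host name check on each connection is visible.
$IO::Socket::SSL::DEBUG = 2;

# Case "SSL": LDAPS on port 636, certificate and host name verified.
sub connect_ldaps {
    my $ldap = Net::LDAP->new($host, port => 636, scheme => 'ldaps',
        version => 3, timeout => 3, verify => 'require', cafile => $cafile)
        or die "ldaps connect failed: $@\n";
    return $ldap;
}

# Case "TLS": plain LDAP on port 389 upgraded with STARTTLS.
sub connect_starttls {
    my $ldap = Net::LDAP->new($host, port => 389, version => 3, timeout => 3)
        or die "ldap connect failed: $@\n";
    my $mesg = $ldap->start_tls(verify => 'require', cafile => $cafile);
    die "start_tls failed: " . $mesg->error . "\n" if $mesg->code;
    return $ldap;
}

# Run the connections in the order under test (here SSL first, then TLS,
# case d in the mail; swap the two entries to test case c).
for my $case (['ldaps', \&connect_ldaps], ['starttls', \&connect_starttls]) {
    my ($label, $connect) = @$case;
    my $ldap = eval { $connect->() };
    if (!$ldap) { print "$label: $@"; next; }
    # Report which certificate the server actually presented; a subject that
    # does not match $host points at a different certificate on that path.
    print "$label: peer cert subject = ",
        $ldap->socket->peer_certificate('subject') // '(none)', "\n";
    my $mesg = $ldap->bind($binddn, password => $bindpw);
    print "$label: bind ", ($mesg->code ? 'failed: ' . $mesg->error : 'ok'), "\n";
    $ldap->unbind;
}
```

Run it once in each order; if only one order fails, the debug lines show which certificate and SAN list the identity check saw on the failing connection.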