[RADIATOR] help diagnosing failure to connect to LDAP

Jennifer Mehl jennifer.mehl at ucsb.edu
Wed May 11 13:02:46 CDT 2016 

Thanks for the information.

The stdout/console logs yielded no additional information from Perl’s LDAP library, still only "ERR: Could not open LDAP connection to *redacted*:636. Backing off for 60 seconds" so I decided to look into SSL issues as the next logical step.

It turns out that the server on which we are running Radiator is using a newer version of OpenSSL that enforces against using weak DH keys (to prevent Logjam attack).  Using "openssl s_client -showcerts" to connect and show the server SSL certificates, I could see openssl reporting that the certificate on the LDAP server was using a certificate with a “too small” DH key:

140309439825560:error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small:s3_clnt.c:3615:

I resolved this by disallowing DH ciphers sent by the client in the radius config:
	SSLCiphers DEFAULT:!EXPORT:!LOW:!DH

Radiator is now able to connect (and bind) to the LDAP server over SSL.

—Jennifer




> On May 11, 2016, at 9:42 AM, Tuure Vartiainen <vartiait at open.com.au> wrote:
> 
> Hello,
> 
>> On 11 May 2016, at 01:49, Jennifer Mehl <jennifer.mehl at ucsb.edu> wrote:
>> 
>> I’m working on setting up a new RADIUS client/handler, and am having trouble diagnosing why connections from Radiator to an LDAP server are failing.
>> 
>> Using the ldapsearch command from the same system, using the same AuthDN/password yields a successful result.
>> 
>> I’m wondering if there is an error being kicked off somewhere from the LDAP or SSL Perl modules that I can’t see.  Or is there an open/broken connection to the LDAP server being cached somewhere that needs a “reset?”
>> 
>> I’ve turned on Trace 5 in radius.cfg and “Debug 255” in the AuthByLDAP2 clause, but not seeing a lot in the logs about the reason for the failure.
>> 
> 
> Perl’s LDAP library’s debug output, which is enabled with “Debug 255”,
> can only be seen on a console when running Radiator on a foreground.
> 
> E.g.
> 
> $ perl radiusd -config /etc/radiator/radius.cfg -trace 4 -log_stdout -foreground
> 
> 
> BR
> --
> Tuure Vartiainen <vartiait at open.com.au>
> 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> NetWare etc.
> 
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 496 bytes
Desc: Message signed with OpenPGP using GPGMail
Url : http://www.open.com.au/pipermail/radiator/attachments/20160511/44f60ae4/attachment.bin

More information about the radiator mailing list