[RADIATOR] ERR: AuthLDAP2 Could not open LDAP connection to AD domain controllers

Patrik Forsberg patrik.forsberg at globalconnect.se
Mon Jan 18 07:57:12 UTC 2021 

Hello,

Try using port 389 for non-ssl or 636 for ssl - even if the server is DC atm.

---
Best Regards,
Patrik

From: radiator <radiator-bounces at lists.open.com.au> On Behalf Of Hirayama, Pat
Sent: den 16 januari 2021 00:56
To: radiator at lists.open.com.au
Subject: [RADIATOR] ERR: AuthLDAP2 Could not open LDAP connection to AD domain controllers

Greetings,

I am currently trying to migrate an existing Radiator 4.12.1 running on CentOS 6.10 to Radiator 4.25 running on Ubuntu 20.04.1 LTS. I am running into an issue where Radiator 4.25 is unable to connect via LDAP to my domain controllers.  The log shows (DC names changed):


00000000 Fri Jan 15 15:26:35 2021 089445: INFO: AuthLDAP2 Connecting to DC1.domain.tld port 3269

00000000 Fri Jan 15 15:26:35 2021 124694: ERR: AuthLDAP2 Could not open LDAP connection to DC1.domain.tld port 3269. Backing off for 10 seconds.

00000000 Fri Jan 15 15:26:35 2021 124845: INFO: AuthLDAP2 Connecting to DC2.domain.tld port 3269

00000000 Fri Jan 15 15:26:35 2021 125576: ERR: AuthLDAP2 Could not open LDAP connection to DC2.domain.tld port 3269. Backing off for 10 seconds.

00000000 Fri Jan 15 15:26:35 2021 125720: INFO: AuthLDAP2 Connecting to DC3.domain.tld port 3269

00000000 Fri Jan 15 15:26:35 2021 126451: ERR: AuthLDAP2 Could not open LDAP connection to DC3.domain.tld port 3269. Backing off for 10 seconds.

My new <AuthBy LDAP2> stanza (again anonymized)


<Handler Client-Identifier=webvpn-test-servers>

        RejectHasReason



        #AuthLog webvpn-authlog

        # Handle test users

        <AuthBy LDAP2>

                Host DC1.domain.tld DC2.domain.tld DC3.domain.tld


                SSLVerify none

                include /etc/radiator/ssl.txt

                UseSSL

                Port 3269

                AuthDN XXXXXXXXXXXXXXXX

                AuthPassword XXXXXXXXX

                CachePasswords

                FailureBackoffTime 10

                #BaseDN XXXXXXXXXXXX

                UsernameAttr sAMAccountName

                Debug 255

                ServerChecksPassword

                #HoldServerConnection

                SearchFilter (&(%0=%1)(|(memberOf=XXX))  # removing filter for privacy -- besides, we aren't getting that far

         </AuthBy>

</Handler>

/etc/radiator/ssl.txt (anonymized):

SSLCAClientCert /etc/ssl/certs/server.pem

SSLCAClientKey /etc/ssl/private/server.key

SSLCAFile /etc/ssl/certs/ca.pem


Aside from the lines that have been commented out above -- I have tried modifying SSLCiphers from default mostly because someone mentioned that they were running under a newer version of OpenSSL that protected against weak Diffie Hellman keys (to prevent LogJam attack).  That didn't seem to help.  I have Trace running at 5 and Debug at 255.


Any help would be appreciated.


Thanks!


                   -p

--
Pat Hirayama
Systems Engineer | CIT / Systems Engineering | 206.667.4856 | phirayam at fredhutch.org<mailto:phirayam at fredhutch.org> | Fred Hutch | Cures Start Here
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.open.com.au/pipermail/radiator/attachments/20210118/6bac48b6/attachment-0001.html>

More information about the radiator mailing list