[RADIATOR] ERR: AuthLDAP2 Could not open LDAP connection to AD domain controllers

Alexander.Hartmaier at t-systems.com Alexander.Hartmaier at t-systems.com
Mon Jan 18 08:51:17 UTC 2021


Hi Pat,
3269 is Global Catalog over TLS; changing that to 636 will change the behaviour, as you need a BaseDN and won't be able to authenticate users of trusted domains any more, so don't do that.
Instead, raise the Radiator log level or do a packet capture and look at it in Wireshark to see what happens; my guess is the TLS handshake.

The domain controllers might not send the whole certificate chain with all intermediate certs or you don't have the root CA in the trusted CA file /etc/ssl/certs/ca.pem.

Best regards, Alex
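The two chain problems Alex lists (the DC not sending its intermediate, or the root CA missing from the SSLCAFile) can be reproduced offline with openssl and compared against what a real DC presents. This is an added example for this thread, not code from the thread or from Radiator; the CA names, dc1.example.test, the temporary files and the HOST/PORT/CAFILE placeholders in show_dc_chain are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the two chain failures Alex
# describes using openssl only. The CA names, dc1.example.test and the temp
# files are constructed for this demo; nothing touches a real domain controller.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

mkcsr() {  # mkcsr NAME SUBJECT: fresh RSA key and CSR, no passphrase
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}
mkcsr root '/CN=Example Root CA'
mkcsr int  '/CN=Example Issuing CA'
mkcsr dc   '/CN=dc1.example.test'
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
printf 'basicConstraints=CA:FALSE\n'         > leaf.ext
# root (self-signed) -> intermediate -> DC certificate, like a typical AD PKI
openssl x509 -req -days 1 -in root.csr -signkey root.key -extfile ca.ext \
  -out root.pem 2>/dev/null
openssl x509 -req -days 1 -in int.csr -CA root.pem -CAkey root.key \
  -CAcreateserial -extfile ca.ext -out int.pem 2>/dev/null
openssl x509 -req -days 1 -in dc.csr -CA int.pem -CAkey int.key \
  -CAcreateserial -extfile leaf.ext -out dc.pem 2>/dev/null

# chain_status TRUSTED [SENT]: OK or FAILED for dc.pem, checked the way a TLS
# client with SSLCAFile=TRUSTED sees a server that also presented SENT.
chain_status() {
  trusted=$1
  if [ -n "${2:-}" ]; then set -- -untrusted "$2"; else set --; fi
  if openssl verify -no-CApath -CAfile "$trusted" "$@" dc.pem >/dev/null 2>&1
  then echo OK; else echo FAILED; fi
}
# 1. DC sends leaf+intermediate, root is in SSLCAFile: working LDAPS.
case_full_chain()           { chain_status root.pem int.pem; }
# 2. DC sends only its own cert: "unable to get local issuer certificate".
case_missing_intermediate() { chain_status root.pem; }
# 3. SSLCAFile holds the intermediate but not the root: fails at depth 1.
case_root_not_trusted()     { chain_status int.pem int.pem; }

# Live check against a real DC (placeholders, not run here): prints the chain
# the server sends and the verify result with the CA file Radiator uses.
show_dc_chain() {  # show_dc_chain HOST PORT CAFILE
  openssl s_client -connect "$1:$2" -CAfile "$3" -showcerts </dev/null 2>&1 |
    grep -E 'depth=|^ [0-9] s:|^   i:|Verify return code'
}

printf 'full chain: %s\nmissing intermediate: %s\nroot not trusted: %s\n' \
  "$(case_full_chain)" "$(case_missing_intermediate)" "$(case_root_not_trusted)"
```

Run against a real controller as show_dc_chain DC1.domain.tld 3269 /etc/ssl/certs/ca.pem; the "Verify return code" line then carries the same "unable to get (local) issuer certificate" reasons the offline cases produce.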

________________________________
From: radiator <radiator-bounces at lists.open.com.au> on behalf of Patrik Forsberg <patrik.forsberg at globalconnect.se>
Sent: Monday, 18 January 2021 08:57
To: radiator at lists.open.com.au <radiator at lists.open.com.au>
Subject: Re: [RADIATOR] ERR: AuthLDAP2 Could not open LDAP connection to AD domain controllers


Hello,

Try using port 389 for non-SSL or 636 for SSL - even if the server is a DC atm.

---

Best Regards,

Patrik



From: radiator <radiator-bounces at lists.open.com.au> On Behalf Of Hirayama, Pat
Sent: 16 January 2021 00:56
To: radiator at lists.open.com.au
Subject: [RADIATOR] ERR: AuthLDAP2 Could not open LDAP connection to AD domain controllers



Greetings,

I am currently trying to migrate an existing Radiator 4.12.1 running on CentOS 6.10 to Radiator 4.25 running on Ubuntu 20.04.1 LTS. I am running into an issue where Radiator 4.25 is unable to connect via LDAP to my domain controllers. The log shows (DC names changed):

00000000 Fri Jan 15 15:26:35 2021 089445: INFO: AuthLDAP2 Connecting to DC1.domain.tld port 3269
00000000 Fri Jan 15 15:26:35 2021 124694: ERR: AuthLDAP2 Could not open LDAP connection to DC1.domain.tld port 3269. Backing off for 10 seconds.
00000000 Fri Jan 15 15:26:35 2021 124845: INFO: AuthLDAP2 Connecting to DC2.domain.tld port 3269
00000000 Fri Jan 15 15:26:35 2021 125576: ERR: AuthLDAP2 Could not open LDAP connection to DC2.domain.tld port 3269. Backing off for 10 seconds.
00000000 Fri Jan 15 15:26:35 2021 125720: INFO: AuthLDAP2 Connecting to DC3.domain.tld port 3269
00000000 Fri Jan 15 15:26:35 2021 126451: ERR: AuthLDAP2 Could not open LDAP connection to DC3.domain.tld port 3269. Backing off for 10 seconds.



My new <AuthBy LDAP2> stanza (again anonymized):

<Handler Client-Identifier=webvpn-test-servers>
        RejectHasReason

        #AuthLog webvpn-authlog
        # Handle test users
        <AuthBy LDAP2>
                Host DC1.domain.tld DC2.domain.tld DC3.domain.tld
                SSLVerify none
                include /etc/radiator/ssl.txt
                UseSSL
                Port 3269
                AuthDN XXXXXXXXXXXXXXXX
                AuthPassword XXXXXXXXX
                CachePasswords
                FailureBackoffTime 10
                #BaseDN XXXXXXXXXXXX
                UsernameAttr sAMAccountName
                Debug 255
                ServerChecksPassword
                #HoldServerConnection
                # removing filter for privacy -- besides, we aren't getting that far
                SearchFilter (&(%0=%1)(|(memberOf=XXX))
        </AuthBy>
</Handler>



/etc/radiator/ssl.txt (anonymized):

SSLCAClientCert /etc/ssl/certs/server.pem
SSLCAClientKey /etc/ssl/private/server.key
SSLCAFile /etc/ssl/certs/ca.pem



Aside from the lines that have been commented out above, I have tried modifying SSLCiphers from the default, mostly because someone mentioned that they were running under a newer version of OpenSSL that protected against weak Diffie-Hellman keys (to prevent the Logjam attack). That didn't seem to help. I have Trace running at 5 and Debug at 255.



Any help would be appreciated.

Thanks!

                   -p

--
Pat Hirayama
Systems Engineer | CIT / Systems Engineering | 206.667.4856 | phirayam at fredhutch.org | Fred Hutch | Cures Start Here