[RADIATOR] ERR: AuthLDAP2 Could not open LDAP connection to AD domain controllers
Alexander.Hartmaier at t-systems.com
Mon Jan 18 08:51:17 UTC 2021
Hi Pat,
3269 is Global Catalog over TLS. Changing that to 636 will change the behaviour, as you then need a BaseDN and won't be able to authenticate users of trusted domains any more, so don't do that.
Instead, raise the Radiator log level or do a packet capture and look at it in Wireshark to see what happens; my guess is the TLS handshake.
The domain controllers might not send the whole certificate chain with all intermediate certs, or you don't have the root CA in the trusted CA file /etc/ssl/certs/ca.pem.
Best regards, Alex
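As an added example (not from this thread or the Radiator project) of the chain check Alex suggests: a throwaway PKI with the shape of a typical AD deployment (root CA, issuing CA, DC certificate) reproduces the two failures he names, a DC that sends only its own certificate and a CA file that lacks the root, using the same `openssl verify` decision a verifying TLS client makes. The `show_dc_chain` function is the equivalent `openssl s_client` check to run against a real DC on 3269. Assumptions: `openssl` is on PATH; the CA names, the hostname DC1.domain.tld and the scratch directory are invented for the demonstration.

```shell
#!/bin/sh
# Added example for this thread; not code from the Radiator project or the posters.
# Assumptions: openssl is on PATH; names (Test Root CA, Test Issuing CA,
# DC1.domain.tld) and the scratch directory are made up for the demonstration.
set -eu

# make_test_pki DIR: build root CA -> issuing CA -> DC leaf, the shape of a
# typical AD CS deployment, so the two chain failures can be reproduced offline.
make_test_pki() {
    d=$1
    mkdir -p "$d"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
    printf 'basicConstraints=critical,CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:DC1.domain.tld\n' >"$d/leaf.ext"

    # Root CA, self-signed: this is what belongs in Radiator's SSLCAFile.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.csr" \
        -subj "/CN=Test Root CA" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null

    # Issuing (intermediate) CA, signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/int.key" -out "$d/int.csr" \
        -subj "/CN=Test Issuing CA" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -days 1 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null

    # DC certificate, signed by the issuing CA.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/dc.key" -out "$d/dc.csr" \
        -subj "/CN=DC1.domain.tld" 2>/dev/null
    openssl x509 -req -in "$d/dc.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
        -days 1 -extfile "$d/leaf.ext" -out "$d/dc.pem" 2>/dev/null
}

# verify_chain CAFILE LEAF [SENT]: does LEAF chain to CAFILE when the server
# also sends the certs in SENT?  Same decision a verifying TLS client makes.
# Exit 0 means OK.
verify_chain() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# chain_result CAFILE LEAF [SENT]: "ok" or "fail", convenient for scripting.
chain_result() {
    if verify_chain "$@"; then echo ok; else echo fail; fi
}

# show_dc_chain HOST PORT CAFILE: against a real DC, print the certs it sends,
# the protocol/cipher negotiated and the verify result.  3269 is TLS from the
# first byte, so no -starttls.  Not run here; it needs network access to the DC.
show_dc_chain() {
    openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" -showcerts </dev/null 2>/dev/null \
        | grep -E '^ *[0-9]+ s:|^ *i:|^New,|Verify return code'
}

tmp=$(mktemp -d)
make_test_pki "$tmp"
echo "DC sends only its own cert, root trusted:      $(chain_result "$tmp/root.pem" "$tmp/dc.pem")"
echo "DC sends intermediate, root NOT in CA file:    $(chain_result "$tmp/int.pem" "$tmp/dc.pem" "$tmp/int.pem")"
echo "DC sends intermediate, root in CA file:        $(chain_result "$tmp/root.pem" "$tmp/dc.pem" "$tmp/int.pem")"
rm -rf "$tmp"
```

The first two cases fail, the third passes. Against a real DC, `show_dc_chain DC1.domain.tld 3269 /etc/ssl/certs/ca.pem` shows the same two failures as `Verify return code: 21 (unable to verify the first certificate)` when the DC sends only its own certificate, and as 20 (unable to get local issuer certificate) or, if the DC includes the root itself, 19 (self signed certificate in certificate chain) when the root is not in the CA file. With `SSLVerify none`, as in the stanza in the original post, Radiator does not act on a failed chain check, so if the handshake still fails the protocol and cipher line from `s_client` is the next thing to compare against the SSLCiphers setting.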
________________________________
From: radiator <radiator-bounces at lists.open.com.au> on behalf of Patrik Forsberg <patrik.forsberg at globalconnect.se>
Sent: Monday, 18 January 2021 08:57
To: radiator at lists.open.com.au <radiator at lists.open.com.au>
Subject: Re: [RADIATOR] ERR: AuthLDAP2 Could not open LDAP connection to AD domain controllers
Hello,
Try using port 389 for non-SSL or 636 for SSL, even if the server is a DC at the moment.
---
Best Regards,
Patrik
From: radiator <radiator-bounces at lists.open.com.au> On Behalf Of Hirayama, Pat
Sent: 16 January 2021 00:56
To: radiator at lists.open.com.au
Subject: [RADIATOR] ERR: AuthLDAP2 Could not open LDAP connection to AD domain controllers
Greetings,
I am currently trying to migrate an existing Radiator 4.12.1 running on CentOS 6.10 to Radiator 4.25 running on Ubuntu 20.04.1 LTS. I am running into an issue where Radiator 4.25 is unable to connect via LDAP to my domain controllers. The log shows (DC names changed):
00000000 Fri Jan 15 15:26:35 2021 089445: INFO: AuthLDAP2 Connecting to DC1.domain.tld port 3269
00000000 Fri Jan 15 15:26:35 2021 124694: ERR: AuthLDAP2 Could not open LDAP connection to DC1.domain.tld port 3269. Backing off for 10 seconds.
00000000 Fri Jan 15 15:26:35 2021 124845: INFO: AuthLDAP2 Connecting to DC2.domain.tld port 3269
00000000 Fri Jan 15 15:26:35 2021 125576: ERR: AuthLDAP2 Could not open LDAP connection to DC2.domain.tld port 3269. Backing off for 10 seconds.
00000000 Fri Jan 15 15:26:35 2021 125720: INFO: AuthLDAP2 Connecting to DC3.domain.tld port 3269
00000000 Fri Jan 15 15:26:35 2021 126451: ERR: AuthLDAP2 Could not open LDAP connection to DC3.domain.tld port 3269. Backing off for 10 seconds.
My new <AuthBy LDAP2> stanza (again anonymized):

<Handler Client-Identifier=webvpn-test-servers>
    RejectHasReason
    #AuthLog webvpn-authlog
    # Handle test users
    <AuthBy LDAP2>
        Host DC1.domain.tld DC2.domain.tld DC3.domain.tld
        SSLVerify none
        include /etc/radiator/ssl.txt
        UseSSL
        Port 3269
        AuthDN XXXXXXXXXXXXXXXX
        AuthPassword XXXXXXXXX
        CachePasswords
        FailureBackoffTime 10
        #BaseDN XXXXXXXXXXXX
        UsernameAttr sAMAccountName
        Debug 255
        ServerChecksPassword
        #HoldServerConnection
        SearchFilter (&(%0=%1)(|(memberOf=XXX)) # removing filter for privacy -- besides, we aren't getting that far
    </AuthBy>
</Handler>
/etc/radiator/ssl.txt (anonymized):
SSLCAClientCert /etc/ssl/certs/server.pem
SSLCAClientKey /etc/ssl/private/server.key
SSLCAFile /etc/ssl/certs/ca.pem
Aside from the lines that have been commented out above, I have tried modifying SSLCiphers from the default, mostly because someone mentioned that they were running under a newer version of OpenSSL that protected against weak Diffie-Hellman keys (to prevent the Logjam attack). That didn't seem to help. I have Trace running at 5 and Debug at 255.
Any help would be appreciated.
Thanks!
-p
--
Pat Hirayama
Systems Engineer | CIT / Systems Engineering | 206.667.4856 | phirayam at fredhutch.org | Fred Hutch | Cures Start Here