[RADIATOR] ERR: AuthLDAP2 Could not open LDAP connection to AD domain controllers

Hirayama, Pat phirayam at fredhutch.org
Wed Jan 20 18:49:35 UTC 2021


Hi Heikki,

Thank you for taking a look.  The TLS setting is certainly suggestive -- and would explain why it works fine on CentOS 6 and not on Ubuntu 20.  I actually got it working with Radiator 4.12 on CentOS 8 -- which is why the increased security stance on Ubuntu 20 looks like a promising avenue to investigate.  Unfortunately, none of the suggestions at those links has gotten it working yet.

Thanks,

                     -p


--
Pat Hirayama
Systems Engineer | CIT / Systems Engineering | 206.667.4856 | phirayam at fredhutch.org | Fred Hutch | Cures Start Here

________________________________
From: radiator <radiator-bounces at lists.open.com.au> on behalf of Heikki Vatiainen <hvn at open.com.au>
Sent: Monday, January 18, 2021 05:07
To: radiator at lists.open.com.au <radiator at lists.open.com.au>
Subject: Re: [RADIATOR] ERR: AuthLDAP2 Could not open LDAP connection to AD domain controllers

On 16.1.2021 1.55, Hirayama, Pat wrote:

> I am currently trying to migrate an existing Radiator 4.12.1 running on
> CentOS 6.10 to Radiator 4.25 running on Ubuntu 20.04.1 LTS. I am running
> into an issue where Radiator 4.25 is unable to connect via LDAP to my
> domain controllers.  The log shows (DC names changed):
>
> 00000000 Fri Jan 15 15:26:35 2021 089445: INFO: AuthLDAP2 Connecting to
> DC1.domain.tld port 3269
>
> 00000000 Fri Jan 15 15:26:35 2021 124694: ERR: AuthLDAP2 Could not open
> LDAP connection to DC1.domain.tld port 3269. Backing off for 10 seconds.

Ubuntu 20.04 uses OpenSSL with settings that may require additional
configuration on Radiator side. See this for more:

https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level

I'll take a look at this in detail too, but you can see if something
like this within AuthBy LDAP2 would help:

SSLCiphers DEFAULT@SECLEVEL=1

For more about Radiator parameters, see
https://files.radiatorsoftware.com/radiator/ref.pdf

SSLCiphers is described in section 3.9.17 of the Radiator 4.25 manual.

What you could also check is what TLS versions and ciphers the server
supports. It can be that what the server uses is not considered good
enough on the client side.

Thanks,
Heikki

--
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
_______________________________________________
radiator mailing list
radiator at lists.open.com.au
https://lists.open.com.au/mailman/listinfo/radiator
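The check Heikki recommends at the end of his message (which TLS versions and ciphers the domain controller actually accepts, and whether the Ubuntu client's stricter OpenSSL defaults are what rejects them), as an added example that is not part of the thread and not Radiator's own code. It runs openssl s_client from the Ubuntu 20.04 box; the host name DC1.domain.tld and port 3269 are the placeholders from Pat's log, and the two sample outputs at the end are constructed for the offline parser check, not captured from a real domain controller. If a row fails at SECLEVEL=2 but succeeds at SECLEVEL=1, the SSLCiphers line in the AuthBy LDAP2 clause is the relevant knob; if every pre-1.2 row fails at both levels, the client's minimum protocol version (Ubuntu 20.04 ships MinProtocol = TLSv1.2 in /etc/ssl/openssl.cnf) is the limit and no cipher string will help. Keep in mind that SECLEVEL=1 re-admits the weaker keys and signatures that level 2 excludes for every connection that AuthBy clause makes; fixing the DC's certificate and protocol configuration is the durable fix.

```shell
#!/bin/sh
# Added example (not from the thread or from Radiator): probe what an LDAPS /
# global-catalog endpoint negotiates under OpenSSL's Ubuntu 20.04 default
# security level (2) versus DEFAULT@SECLEVEL=1, the cipher string suggested
# for Radiator's SSLCiphers parameter.
# Usage:  sh ldaps-tls-probe.sh DC1.domain.tld [3269]
# (DC1.domain.tld and 3269 are the placeholder host and port from the thread.)

# Reduce raw `openssl s_client` output to one line: protocol, cipher, server
# key size and certificate verification result, or FAIL when no cipher was
# negotiated (s_client prints "Cipher : 0000" after a failed handshake).
summarize_s_client() {
    printf '%s\n' "$1" | awk '
        /^ *Protocol *:/         { proto = $3 }
        /^ *Cipher *:/           { cipher = $3 }
        /^Server public key is/  { bits = $5 }
        /^ *Verify return code:/ { vr = $0; sub(/^ *Verify return code: */, "", vr) }
        END {
            if (cipher == "" || cipher == "0000") { print "FAIL"; exit }
            printf "%s %s key=%sbit verify=%s\n", proto, cipher, bits, vr
        }'
}

# One handshake attempt, forcing a TLS version flag (-tls1 .. -tls1_3) and a
# cipher/security-level string. Connection errors become FAIL rows instead of
# aborting the loop.
probe_one() {
    _out=$(openssl s_client -connect "$HOST:$PORT" -servername "$HOST" "$1" \
               -cipher "$2" </dev/null 2>&1 || true)
    summarize_s_client "$_out"
}

# Walk every TLS version at level 2 and level 1. A row that fails at
# SECLEVEL=2 but succeeds at SECLEVEL=1 means the server's key size, signature
# hash or cipher (not only the protocol version) is what the strict client
# rejects; a version that fails at both levels is blocked by the protocol floor.
probe_all() {
    for _proto in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        for _cs in 'DEFAULT@SECLEVEL=2' 'DEFAULT@SECLEVEL=1'; do
            printf '%-8s %-19s %s\n' "$_proto" "$_cs" "$(probe_one "$_proto" "$_cs")"
        done
    done
}

# Constructed s_client excerpts (not captured from a real DC) so the parser
# can be exercised without network access.
SAMPLE_OK='New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)'

SAMPLE_FAIL='New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000'

# Only probe a live host when one is given on the command line.
if [ $# -gt 0 ]; then
    HOST=$1
    PORT=${2:-3269}
    probe_all
fi
```

Run it against each DC listed in the AuthBy LDAP2 clause; the row that matches the version and cipher the DC negotiated with the CentOS 6 host tells you whether the Ubuntu side rejected the protocol version or the certificate parameters.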