[RADIATOR] ERR: AuthLDAP2 Could not open LDAP connection to AD domain controllers
Heikki Vatiainen
hvn at open.com.au
Thu Jan 21 13:28:32 UTC 2021
On 20.1.2021 20.49, Hirayama, Pat wrote:
> Thank you for taking a look. The TLS setting is certainly suggestive --
> and would explain why it works fine on CentOS 6 and not on Ubuntu 20. I
> actually got it working with Radiator 4.12 on CentOS 8 -- which is why
> the increased security stance on Ubuntu 20 looks like a promising avenue
> to investigate. Unfortunately, none of the suggestions at those links
> has gotten it working yet.
Here's what I found out: when I set up an LDAP listener with only TLSv1
enabled, a connection attempt from Radiator on Ubuntu 20.04 fails
similar to what you saw.
Enabling TLS debug for Net::LDAP required loading TLS socket support
with debug enabled in Radiator configuration. To do this, add the
following somewhere near Radiator's configuration file:
StartupHook sub { use IO::Socket::SSL qw(debug3); }
I then started Radiator's radiusd directly from command line so that it
stays on the foreground. This also allows LDAP and TLS socket debugging
to be logged on the terminal too.
% /opt/radiator/radiator/radiusd -trace 4 -foreground -log_stdout
-log_dir . -db_dir . -config ldap.cfg
Below is a snippet from terminal log. The first and the last line are
Radiator's logging. The log in between comes from the TLS socket module
IO::Socket::SSL. The log shows that TLS handshake starts but doesn't
succeed because of TLS version problem.
Test was done with Radiator on Ubuntu 20.04. SECLEVEL extra parameter
was not set.
If this is set in Radiator's configuration: 'SSLCiphers
DEFAULT at SECLEVEL=1', then TLS handshake succeeds and LDAP can start.
The remote end is RHEL 7 with TLS listener forced to TLSv1.0 only. In
your case it may also be something else than TLS version, but the debug
should show how far it gets. Please let us know how it goes.
00000000 Thu Jan 21 13:15:29 2021 621281: INFO: AuthLDAP2 Connecting to
172.16.172.49 port 636
DEBUG: .../IO/Socket/SSL.pm:3010: new ctx 94622568855936
DEBUG: .../IO/Socket/SSL.pm:762: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:1177: global error: Undefined SSL object
DEBUG: .../IO/Socket/SSL.pm:1177: global error: Undefined SSL object
DEBUG: .../IO/Socket/SSL.pm:764: socket connected
DEBUG: .../IO/Socket/SSL.pm:787: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:832: not using SNI because hostname is unknown
DEBUG: .../IO/Socket/SSL.pm:864: request OCSP stapling
DEBUG: .../IO/Socket/SSL.pm:880: set socket to non-blocking to enforce
timeout=10
DEBUG: .../IO/Socket/SSL.pm:894: call Net::SSLeay::connect
DEBUG: .../IO/Socket/SSL.pm:897: done Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:907: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:917: waiting for fd to become ready: SSL
wants a read first
DEBUG: .../IO/Socket/SSL.pm:937: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:894: call Net::SSLeay::connect
DEBUG: .../IO/Socket/SSL.pm:897: done Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:900: SSL connect attempt failed
DEBUG: .../IO/Socket/SSL.pm:900: local error: SSL connect attempt failed
error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
DEBUG: .../IO/Socket/SSL.pm:903: fatal SSL error: SSL connect attempt
failed error:1425F102:SSL routines:ssl_choose_client_version:unsupported
protocol
DEBUG: ...5.30/IO/Socket.pm:48: ignoring less severe local error
'IO::Socket::IP configuration failed', keep 'SSL connect attempt failed
error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol'
DEBUG: .../IO/Socket/SSL.pm:3059: free ctx 94622568855936
open=94622568855936
DEBUG: .../IO/Socket/SSL.pm:3063: free ctx 94622568855936 callback
DEBUG: .../IO/Socket/SSL.pm:3070: OK free ctx 94622568855936
00000000 Thu Jan 21 13:15:29 2021 656392: ERR: AuthLDAP2 Could not open
LDAP connection to 172.16.172.49 port 636. Backing off for 600 seconds.
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
More information about the radiator
mailing list