<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Greetings,</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
I am currently trying to migrate an existing Radiator 4.12.1 running on CentOS 6.10 to Radiator 4.25 running on Ubuntu 20.04.1 LTS. I am running into an issue where Radiator 4.25 is unable to connect via LDAP to my domain controllers. The log shows (DC names
changed):</div>
<div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures">00000000 Fri Jan 15 15:26:35 2021 089445: INFO: AuthLDAP2 Connecting to DC1.domain.tld port 3269</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures">00000000 Fri Jan 15 15:26:35 2021 124694: ERR: AuthLDAP2 Could not open LDAP connection to
<span style="font-variant-ligatures:no-common-ligatures;background-color:rgb(255, 255, 255);display:inline !important">
DC1.domain.tld</span> port 3269. Backing off for 10 seconds.</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures">00000000 Fri Jan 15 15:26:35 2021 124845: INFO: AuthLDAP2 Connecting to
<span style="font-variant-ligatures:no-common-ligatures;background-color:rgb(255, 255, 255);display:inline !important">
DC2.domain.tld</span> port 3269</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures">00000000 Fri Jan 15 15:26:35 2021 125576: ERR: AuthLDAP2 Could not open LDAP connection to
<span style="font-variant-ligatures:no-common-ligatures;background-color:rgb(255, 255, 255);display:inline !important">
DC2.domain.tld</span> port 3269. Backing off for 10 seconds.</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures">00000000 Fri Jan 15 15:26:35 2021 125720: INFO: AuthLDAP2 Connecting to
<span style="font-variant-ligatures:no-common-ligatures;background-color:rgb(255, 255, 255);display:inline !important">
DC3.domain.tld</span> port 3269</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures">00000000 Fri Jan 15 15:26:35 2021 126451: ERR: AuthLDAP2 Could not open LDAP connection to
<span style="font-variant-ligatures:no-common-ligatures;background-color:rgb(255, 255, 255);display:inline !important">
DC3.domain.tld</span> port 3269. Backing off for 10 seconds.</span></p>
<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
My new <AuthBy LDAP2> stanza (again anonymized)</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures"><Handler Client-Identifier=webvpn-test-servers></span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures"><span class="Apple-converted-space">
</span>RejectHasReason</span></p>
<p class="p2" style="margin:0px;font:11px Menlo;min-height:13px"><span class="s1" style="font-variant-ligatures:no-common-ligatures"></span><br>
</p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures"><span class="Apple-converted-space">
</span>#AuthLog webvpn-authlog</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures"><span class="Apple-converted-space">
</span># Handle test users</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures"><span class="Apple-tab-span"></span> <AuthBy LDAP2></span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures"><span class="Apple-tab-span"></span><span class="Apple-tab-span"></span> Host DC1.domain.tld DC2.domain.tld DC3.domain.tld <br>
</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures"><span class="Apple-converted-space">
</span>SSLVerify none</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures"><span class="Apple-converted-space">
</span>include /etc/radiator/ssl.txt</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures"><span class="Apple-converted-space">
</span>UseSSL</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures"><span class="Apple-converted-space">
</span>Port 3269</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures"><span class="Apple-converted-space">
</span>AuthDN XXXXXXXXXXXXXXXX</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures"><span class="Apple-converted-space">
</span>AuthPassword XXXXXXXXX</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures"><span class="Apple-converted-space">
</span>CachePasswords</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures"><span class="Apple-tab-span"></span><span class="Apple-tab-span"></span> FailureBackoffTime 10</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures"><span class="Apple-converted-space">
</span>#BaseDN XXXXXXXXXXXX</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures"><span class="Apple-converted-space">
</span>UsernameAttr sAMAccountName</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures"><span class="Apple-tab-span"></span><span class="Apple-tab-span"></span> Debug 255</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures"><span class="Apple-converted-space">
</span>ServerChecksPassword</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures"><span class="Apple-converted-space">
</span>#HoldServerConnection</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures"><span class="Apple-tab-span"></span><span class="Apple-tab-span"></span> SearchFilter (&(%0=%1)(|(memberOf=XXX)) # removing
filter for privacy -- besides, we aren't getting that far</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures"><span class="Apple-converted-space">
</span></AuthBy></span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures"></Handler></span></p>
<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
/etc/radiator/ssl.txt (anonymized):</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures"><span class="Apple-tab-span"></span><span class="Apple-tab-span"></span>SSLCAClientCert<span class="Apple-tab-span">
</span>/etc/ssl/certs/server.pem</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures"><span class="Apple-tab-span"></span><span class="Apple-tab-span"></span>SSLCAClientKey<span class="Apple-tab-span">
</span>/etc/ssl/private/server.key</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures"><span class="Apple-tab-span"></span><span class="Apple-tab-span"></span>SSLCAFile<span class="Apple-tab-span">
</span>/etc/ssl/certs/ca.pem</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><br>
</p>
</div>
<div><span style="font-family: calibri, helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgba(0, 0, 0, 0);">Aside from the lines that have been commented out above -- I have tried modifying SSLCiphers from default mostly because
someone mentioned that they were running under a newer version of OpenSSL that protected against weak Diffie Hellman keys (to prevent LogJam attack). That didn't seem to help. I have Trace running at 5 and Debug at 255. </span></div>
<div><span style="font-family: calibri, helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgba(0, 0, 0, 0);"><br>
</span></div>
<div><span style="font-family: calibri, helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgba(0, 0, 0, 0);">Any help would be appreciated. </span></div>
<div><span style="font-family: calibri, helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgba(0, 0, 0, 0);"><br>
</span></div>
<div><span style="font-family: calibri, helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgba(0, 0, 0, 0);">Thanks!</span></div>
<div><span style="font-family: calibri, helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgba(0, 0, 0, 0);"><br>
</span></div>
<div><span style="font-family: calibri, helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgba(0, 0, 0, 0);"> -p</span></div>
<div><br>
</div>
<div id="Signature">
<div>
<div></div>
<div style="font-family:Tahoma; font-size:13px">
<div style="font-family:Tahoma; font-size:13px">
<div style="font-family:Tahoma; font-size:13px">
<div style="font-family:Tahoma; font-size:13px">
<div style="font-size:13px; font-family:Tahoma">
<div style="font-size:12px; color:rgb(18,48,84); font-family:Arial,Helvetica,sans-serif; background-color:rgb(255,255,255)">
<p class="MsoNormal"><span style="color:#1F497D">--<br>
</span><span style="color:rgb(31,73,125)">Pat Hirayama<br>
</span><span style="font-family:Arial,Helvetica,sans-serif; font-size:12px; color:rgb(31,73,125)">Systems Engineer | CIT / Systems Engineering | 206.667.4856 |
</span><a href="mailto:phirayam@fredhutch.org" style="font-family:Arial,Helvetica,sans-serif; font-size:12px">phirayam@fredhutch.org</a><span style="font-family:Arial,Helvetica,sans-serif; font-size:12px; color:rgb(31,73,125)"> | Fred Hutch | Cures Start Here</span></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>