<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Greetings,</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
I am currently trying to migrate an existing Radiator 4.12.1 running on CentOS 6.10 to Radiator 4.25 running on Ubuntu 20.04.1 LTS. I am running into an issue where Radiator 4.25 is unable to connect via LDAP to my domain controllers.  The log shows (DC names
 changed):</div>
<div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures">00000000 Fri Jan 15 15:26:35 2021 089445: INFO: AuthLDAP2 Connecting to DC1.domain.tld port 3269</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures">00000000 Fri Jan 15 15:26:35 2021 124694: ERR: AuthLDAP2 Could not open LDAP connection to
<span style="font-variant-ligatures:no-common-ligatures;background-color:rgb(255, 255, 255);display:inline !important">
DC1.domain.tld</span> port 3269. Backing off for 10 seconds.</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures">00000000 Fri Jan 15 15:26:35 2021 124845: INFO: AuthLDAP2 Connecting to
<span style="font-variant-ligatures:no-common-ligatures;background-color:rgb(255, 255, 255);display:inline !important">
DC2.domain.tld</span> port 3269</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures">00000000 Fri Jan 15 15:26:35 2021 125576: ERR: AuthLDAP2 Could not open LDAP connection to
<span style="font-variant-ligatures:no-common-ligatures;background-color:rgb(255, 255, 255);display:inline !important">
DC2.domain.tld</span> port 3269. Backing off for 10 seconds.</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures">00000000 Fri Jan 15 15:26:35 2021 125720: INFO: AuthLDAP2 Connecting to
<span style="font-variant-ligatures:no-common-ligatures;background-color:rgb(255, 255, 255);display:inline !important">
DC3.domain.tld</span> port 3269</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures">00000000 Fri Jan 15 15:26:35 2021 126451: ERR: AuthLDAP2 Could not open LDAP connection to
<span style="font-variant-ligatures:no-common-ligatures;background-color:rgb(255, 255, 255);display:inline !important">
DC3.domain.tld</span> port 3269. Backing off for 10 seconds.</span></p>
<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
My new &lt;AuthBy LDAP2&gt; stanza (again anonymized)</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures">&lt;Handler Client-Identifier=webvpn-test-servers&gt;</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures"><span class="Apple-converted-space">       
</span>RejectHasReason</span></p>
<p class="p2" style="margin:0px;font:11px Menlo;min-height:13px"><span class="s1" style="font-variant-ligatures:no-common-ligatures"></span><br>
</p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures"><span class="Apple-converted-space">       
</span>#AuthLog webvpn-authlog</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures"><span class="Apple-converted-space">       
</span># Handle test users</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures"><span class="Apple-tab-span"></span>        &lt;AuthBy LDAP2&gt;</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures"><span class="Apple-tab-span"></span><span class="Apple-tab-span"></span>                Host DC1.domain.tld DC2.domain.tld DC3.domain.tld <br>
</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures"><span class="Apple-converted-space">               
</span>SSLVerify none</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures"><span class="Apple-converted-space">               
</span>include /etc/radiator/ssl.txt</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures"><span class="Apple-converted-space">               
</span>UseSSL</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures"><span class="Apple-converted-space">               
</span>Port 3269</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures"><span class="Apple-converted-space">               
</span>AuthDN XXXXXXXXXXXXXXXX</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures"><span class="Apple-converted-space">               
</span>AuthPassword XXXXXXXXX</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures"><span class="Apple-converted-space">               
</span>CachePasswords</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures"><span class="Apple-tab-span"></span><span class="Apple-tab-span"></span>                FailureBackoffTime 10</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures"><span class="Apple-converted-space">               
</span>#BaseDN XXXXXXXXXXXX</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures"><span class="Apple-converted-space">               
</span>UsernameAttr sAMAccountName</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures"><span class="Apple-tab-span"></span><span class="Apple-tab-span"></span>                Debug 255</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures"><span class="Apple-converted-space">               
</span>ServerChecksPassword</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures"><span class="Apple-converted-space">               
</span>#HoldServerConnection</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures"><span class="Apple-tab-span"></span><span class="Apple-tab-span"></span>                SearchFilter (&amp;(%0=%1)(|(memberOf=XXX))  # removing
 filter for privacy -- besides, we aren't getting that far</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures"><span class="Apple-converted-space">        
</span>&lt;/AuthBy&gt;</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures">&lt;/Handler&gt;</span></p>
<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
/etc/radiator/ssl.txt (anonymized):</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures"><span class="Apple-tab-span"></span><span class="Apple-tab-span"></span>SSLCAClientCert<span class="Apple-tab-span">
</span>/etc/ssl/certs/server.pem</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures"><span class="Apple-tab-span"></span><span class="Apple-tab-span"></span>SSLCAClientKey<span class="Apple-tab-span">
</span>/etc/ssl/private/server.key</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><span class="s1" style="font-variant-ligatures:no-common-ligatures"><span class="Apple-tab-span"></span><span class="Apple-tab-span"></span>SSLCAFile<span class="Apple-tab-span">
</span>/etc/ssl/certs/ca.pem</span></p>
<p class="p1" style="margin:0px;font:11px Menlo"><br>
</p>
</div>
<div><span style="font-family: calibri, helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgba(0, 0, 0, 0);">Aside from the lines that have been commented out above, I have tried modifying SSLCiphers from the default, mostly because
 someone mentioned that they were running under a newer version of OpenSSL that protected against weak Diffie-Hellman keys (to prevent the LogJam attack).  That didn't seem to help.  I have Trace running at 5 and Debug at 255.  </span></div>
<div><span style="font-family: calibri, helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgba(0, 0, 0, 0);"><br>
</span></div>
<div><span style="font-family: calibri, helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgba(0, 0, 0, 0);">Any help would be appreciated.  </span></div>
<div><span style="font-family: calibri, helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgba(0, 0, 0, 0);"><br>
</span></div>
<div><span style="font-family: calibri, helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgba(0, 0, 0, 0);">Thanks!</span></div>
<div><span style="font-family: calibri, helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgba(0, 0, 0, 0);"><br>
</span></div>
<div><span style="font-family: calibri, helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgba(0, 0, 0, 0);">                   -p</span></div>
<div><br>
</div>
<div id="Signature">
<div>
<div></div>
<div style="font-family:Tahoma; font-size:13px">
<div style="font-family:Tahoma; font-size:13px">
<div style="font-family:Tahoma; font-size:13px">
<div style="font-family:Tahoma; font-size:13px">
<div style="font-size:13px; font-family:Tahoma">
<div style="font-size:12px; color:rgb(18,48,84); font-family:Arial,Helvetica,sans-serif; background-color:rgb(255,255,255)">
<p class="MsoNormal"><span style="color:#1F497D">--<br>
</span><span style="color:rgb(31,73,125)">Pat Hirayama<br>
</span><span style="font-family:Arial,Helvetica,sans-serif; font-size:12px; color:rgb(31,73,125)">Systems Engineer | CIT / Systems Engineering | 206.667.4856 |
</span><a href="mailto:phirayam@fredhutch.org" style="font-family:Arial,Helvetica,sans-serif; font-size:12px">phirayam@fredhutch.org</a><span style="font-family:Arial,Helvetica,sans-serif; font-size:12px; color:rgb(31,73,125)"> | Fred Hutch | Cures Start Here</span></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
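<div>Added example, not part of the original post: a small triage helper that pairs each AuthLDAP2 "Connecting to" line in the log above with its "Could not open LDAP connection" line and reports how long the attempt lasted. The function names and the one-second threshold are assumptions chosen for this illustration.</div>

```python
import re
from datetime import datetime, timedelta

# Log lines from the post above (host names were already anonymized there).
SAMPLE_LOG = """\
00000000 Fri Jan 15 15:26:35 2021 089445: INFO: AuthLDAP2 Connecting to DC1.domain.tld port 3269
00000000 Fri Jan 15 15:26:35 2021 124694: ERR: AuthLDAP2 Could not open LDAP connection to DC1.domain.tld port 3269. Backing off for 10 seconds.
00000000 Fri Jan 15 15:26:35 2021 124845: INFO: AuthLDAP2 Connecting to DC2.domain.tld port 3269
00000000 Fri Jan 15 15:26:35 2021 125576: ERR: AuthLDAP2 Could not open LDAP connection to DC2.domain.tld port 3269. Backing off for 10 seconds.
00000000 Fri Jan 15 15:26:35 2021 125720: INFO: AuthLDAP2 Connecting to DC3.domain.tld port 3269
00000000 Fri Jan 15 15:26:35 2021 126451: ERR: AuthLDAP2 Could not open LDAP connection to DC3.domain.tld port 3269. Backing off for 10 seconds.
"""

# Fields: id, "Dow Mon DD HH:MM:SS YYYY", microseconds, level, AuthLDAP2 message
LINE_RE = re.compile(r"^\S+ (\w{3} \w{3} +\d+ [\d:]{8} \d{4}) (\d{6}): (\w+): AuthLDAP2 (.*)$")
CONNECT_RE = re.compile(r"Connecting to (\S+) port (\d+)")
FAIL_RE = re.compile(r"Could not open LDAP connection to (\S+) port (\d+)")
FAST_FAIL_US = 1_000_000  # assumed threshold: under 1 s cannot be a multi-second timeout


def failed_attempts(log_text):
    """Return [(host, port, elapsed_us)] for each connect attempt that failed."""
    started, results = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        when += timedelta(microseconds=int(m.group(2)))
        connect = CONNECT_RE.search(m.group(4))
        failure = FAIL_RE.search(m.group(4))
        if connect:
            started[(connect.group(1), int(connect.group(2)))] = when
        elif failure:
            key = (failure.group(1), int(failure.group(2)))
            begun = started.pop(key, None)
            if begun is not None:  # ignore failures with no logged start
                results.append((*key, (when - begun) // timedelta(microseconds=1)))
    return results


def classify(elapsed_us):
    """Separate attempts that were cut short from ones that waited out a timer."""
    return "fast-fail" if FAST_FAIL_US > elapsed_us else "timeout-like"


if __name__ == "__main__":
    for host, port, us in failed_attempts(SAMPLE_LOG):
        print(f"{host}:{port} failed after {us} us ({classify(us)})")
```

<div>On the posted lines every attempt fails within about 35 ms, so none of the three connections waited out a timer before being reported as failed.</div>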
</body>
</html>