TLS/SSL to eDirectory

Seferovic Edvin edvin.seferovic at kolp.at
Fri Sep 2 05:09:38 CEST 2005


Hi,

it may sound stupid, but - does the NetWare server has TLS / SSL turned on?

Regards,

Edvin Seferovic

-----Original Message-----
From: freeradius-users-bounces at lists.freeradius.org
[mailto:freeradius-users-bounces at lists.freeradius.org] On Behalf Of
jp at joshmp.com
Sent: Freitag, 02. September 2005 04:59
To: freeradius-users at lists.freeradius.org
Subject: TLS/SSL to eDirectory

Setup:
- FreeRADIUS 1.0.4 built with edir on FreeBSD 4.11 server.
- Cisco 3005 VPN Concentrator
- LDAP database on NetWare 6.5 server

Everything works fine when not use SSL certificate and TLS.  However,
when TLS is turned on, here is what I get:

-----snip-----
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.254.1.6:1063, id=27,
length=118
          User-Name = "username"
          User-Password = "password"
          NAS-Port = 1028
          Service-Type = Framed-User
          Framed-Protocol = PPP
          Called-Station-Id = "10.254.1.6"
          Calling-Station-Id = "69.152.48.158"
          Tunnel-Client-Endpoint:0 = "69.152.48.158"
          NAS-IP-Address = 10.254.1.6
          NAS-Port-Type = Virtual
    Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
    modcall[authorize]: module "preprocess" returns ok for request 0
      rlm_realm: No '@' in User-Name = "stcrye", looking up realm NULL
      rlm_realm: No such realm "NULL"
    modcall[authorize]: module "suffix" returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for stcrye
radius_xlat:  '(cn=username)'
radius_xlat:  'o=services'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.254.8.25:389, authentication 0
rlm_ldap: setting TLS CACert File to
/home/juser/trustedrootcertssl-certdns-episd1.b64
rlm_ldap: starting TLS
rlm_ldap: ldap_start_tls_s()
rlm_ldap: could not start TLS Connect error
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
    modcall[authorize]: module "ldap1" returns fail for request 0
modcall: group authorize returns fail for request 0
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.254.1.6:1063, id=27,
length=118
Discarding duplicate request from client VPN:1063 - ID: 27
--- Walking the entire request list ---
Waking up in 2 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 27 with timestamp 431712ab
Nothing to do.  Sleeping until we see a request.
-----snip-----

Relevent portion of radiusd.conf:

-----snip-----
ldap ldap1 {
                  server = "10.254.8.25"
                  identity = "cn=raduser,o=services"
                  password = secretrad
                  basedn = "o=services"
                  filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
                  #start_tls = no
                  start_tls = yes
                  tls_cacertfile =
/home/juser/trustedrootcertssl-certdns-episd1.b64
                  dictionary_mapping = ${raddbdir}/ldap.attrmap
                  ldap_connections_number = 5
                  password_attribute = userPassword
                  edir_account_policy_check=no
                  timeout = 20
                  timelimit = 20
                  net_timeout = 20
-----snip-----

When I un-comment start_tls = no and comment out start_tls = yes and
tls_cacertfile, everything works fine.

I don't really know where to start.  I have read the faq's, been up
and down the list and can't find a solution.

Thanks in advance.

Josh
- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html




More information about the Freeradius-Users mailing list