19 Jan
2018
19 Jan
'18
11:15 a.m.
I should clarify, the LDAP request doesn’t relate directly to the type of TLS, just asking. They can see the call on their system, and see that it gives a non-informative error. > On Jan 19, 2018, at 9:55 AM, Douglas C Ward <douglas@ugutech.com> wrote: > > Talking to an engineer at OneLogin, their VLDAP server only supports TLS1.1, what TLS version does FreeRADIUS 3.0.15 use by default, and can I force it to use 1.1? > > —Douglas > >> On Jan 18, 2018, at 11:33 PM, Douglas C Ward <douglas@ugutech.com <mailto:douglas@ugutech.com>> wrote: >> >> Answers below... >> >>> On Jan 18, 2018, at 9:20 PM, Nathan Ward <lists+freeradius@daork.net> wrote: >>> >>>> >>>> On 19/01/2018, at 3:37 PM, Douglas C Ward <douglas@ugutech.com> wrote: >>>> >>>> Thanks Alan, good stuff. That user is the main admin user for the whole OneLogin account, so I assume that it has the authority to query the LDAP. I’m following the instructions at >>>> >>>> https://support.onelogin.com/hc/en-us/articles/206444116-Using-the-OneLogin-Virtual-LDAP-Service#virtualdn <https://support.onelogin.com/hc/en-us/articles/206444116-Using-the-OneLogin-Virtual-LDAP-Service#virtualdn> >>>> >>>> where it specifies… >>>> Host name ldap.us.onelogin.com >>>> Port >>>> 389: Use for ldap://. For example, if you are not using SSL, use this port number. This port is primarily provided for your convenience for testing and debugging purposes. >>>> 636: Use for ldaps://. For example, if you are using SSL, use this port number. We recommend that you use this port for your production implementation. >>>> Base DN dc=<subdomain>,dc=onelogin,dc=com >>>> User's Virtual DN cn=<email>,ou=users,dc=<subdomain>,dc=onelogin,dc=com >>>> User's Password >>>> Password value. >>> >>> I notice that you’re using 389 which is non-encrypted - once you get that working, probably a good idea to try ldaps if it’s over the Internet - first though, get 389 working before adding in that complexity.. >> >> With the LDAP Admin Tool, it works with port 636 doing SSL/TLS too. I will be making the production connection use that, as soon as I get the non SSL/TLS 389 to work. >>> >>>> And I’ve been very careful to put those in correctly. I’ve also used the admin credentials with ldapsoft.com <http://ldapsoft.com/> <http://ldapsoft.com/ <http://ldapsoft.com/>> <http://ldapsoft.com/ <http://ldapsoft.com/><http://ldapsoft.com/ <http://ldapsoft.com/>>> <http://ldapsoft.com/ <http://ldapsoft.com/> <http://ldapsoft.com/ <http://ldapsoft.com/>> <http://ldapsoft.com/ <http://ldapsoft.com/> <http://ldapsoft.com/ <http://ldapsoft.com/>>>> ’s LDAP Admin Tool, and my credentials test correctly, and I get a full list of users in the table view. I’m not sure what else to try here. >>> >>> Can you try your manual client with the same filter? (uid=dward@iacollaborative.com <mailto:uid=dward@iacollaborative.com><mailto:uid=dward@iacollaborative.com <mailto:uid=dward@iacollaborative.com>><mailto:uid=dward@iacollaborative.com <mailto:uid=dward@iacollaborative.com><mailto:uid=dward@iacollaborative.com <mailto:uid=dward@iacollaborative.com>>><mailto:uid=dward@iacollaborative.com <mailto:uid=dward@iacollaborative.com><mailto:uid=dward@iacollaborative.com <mailto:uid=dward@iacollaborative.com>><mailto:uid=dward@iacollaborative.com <mailto:uid=dward@iacollaborative.com><mailto:uid=dward@iacollaborative.com <mailto:uid=dward@iacollaborative.com>>>>)? >>> >>> They seem to want to use cn=username@domain rather than uid=username@domain. The uid attribute appears to be the same as uidNumber when I had a look at the OneLogin docs. I don’t know that that’s causing your problem - but it probably doesn’t help. >> >> I tried with substituting uid= for cn= in LDAP Admin Tool, and it doesn’t like like it, saying the credentials are invalid. >>> >>> If you can get the search to work with cn=, and uid= doesn’t work in your client, you want to update the “filter” parameter under “user” in mods-available/ldap. >> >> and I tried changing the uid= for cn= in the filter section of the mods-available/ldap file, no dice. >> >> On the OneLogin server, it shows a successful VLDAP login for the admin user admin@iacollaborative.com <mailto:admin@iacollaborative.com> <mailto:admin@iacollaborative.com <mailto:admin@iacollaborative.com>> <mailto:admin@iacollaborative.com <mailto:admin@iacollaborative.com> <mailto:admin@iacollaborative.com <mailto:admin@iacollaborative.com>>> every attempt, but nothing for the dward@ user. >> >>> It’s kinda odd to use cn there, but, whatever! >>> >>>> Just curious, what would the error message say if I was on 3.0.16? >>> >>> >>> If chase_referrals is on, the error is "Operations error with LDAP database. Please see the LDAP server configuration / documentation for more information.” >> >> Thank you, good to know. >> >> —Douglas >>> >>> -- >>> Nathan Ward >>> >>> - >>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html><http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>><http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html><http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>>> >> - >> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html><http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>> > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>