authenticating to ldaps/tls
Hi all, I'm trying to authenticate to a LDAPS backend but failing. Any suggestions? My freeradius version: —------------------------ radiusd: FreeRADIUS Version 2.1.1, for host i686-pc-linux-gnu, built on Nov 21 2008 at 07:54:33 My ldap module settings: —--------------------------- ldap people_search { server = "ldap1.stvincents.com.au" port = 636 identity = "cn=admin,o=org,c=au" password = *** filter = "(cn=%u)" basedn = "ou=people,ou=darlinghurst,ou=nsw,o=schs,c=au" tls { tls_mode = yes # to the LDAP database by using the StartTLS extended # operation. # # The StartTLS operation is supposed to be # used with normal ldap connections instead of # using ldaps (port 689) connections start_tls = yes cacertfile = /etc/openssl/certs/SVMHS_CA_SSL_Server.cer <note: chained CA cert> cacertdir = /etc/openssl/certs/ #certfile = /etc/openssl/certs/spud-jr.cer # keyfile = /path/to/radius.key # randfile = /path/to/rnd # Certificate Verification requirements. Can be: # "never" (don't even bother trying) # "allow" (try, but don't fail if the cerificate # can't be verified) # "demand" (fail if the certificate doesn't verify.) # # The default is "allow" require_cert = "allow" } -X output messages: —--------------------- [people_search] performing user authorization for pparam [people_search] expand: (cn=%u) -> (cn=pparam) [people_search] expand: ou=people,ou=darlinghurst,ou=nsw,o=schs,c=au -> ou=people,ou=darlinghurst,ou=nsw,o=schs,c=au rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap1.stvincents.com.au:636, authentication 0 rlm_ldap: setting TLS mode to 1 rlm_ldap: could not set LDAP_OPT_X_TLS option Success rlm_ldap: setting TLS CACert File to /etc/openssl/certs/SVMHS_CA_SSL_Server.cer rlm_ldap: could not set LDAP_OPT_X_TLS_CACERTFILE option to /etc/openssl/certs/SVMHS_CA_SSL_Server.cer rlm_ldap: setting TLS CACert Directory to /etc/openssl/certs/ rlm_ldap: could not set LDAP_OPT_X_TLS_CACERTDIR option to /etc/openssl/certs/ rlm_ldap: starting TLS rlm_ldap: ldap_start_tls_s() rlm_ldap: could not start TLS Success rlm_ldap: (re)connection attempt failed [people_search] search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[people_search] returns fail Using Post-Auth-Type Reject WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action. Delaying reject of request 0 for 1 seconds Going to the next request ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote also confirms that this email message has been virus scanned and although no viruses were detected by the system, St Vincents & Mater Health Sydney accepts no liability for any consequential damage resulting from email containing any computer viruses. **********************************************************************
Peter Param a écrit :
Hi all,
I'm trying to authenticate to a LDAPS backend but failing. Any suggestions?
Is it an LDAP server answering on LDAPS connections (LDAP+SSL on port 636) or an LDAP server answering on LDAP connections that are then secured by Start-TLS (LDAP on port 389 + Start-TLS) ? These are 2 different options.
ldap people_search { server = "ldap1.stvincents.com.au" port = 636
==> This implies an ldaps server
identity = "cn=admin,o=org,c=au" password = *** filter = "(cn=%u)" basedn = "ou=people,ou=darlinghurst,ou=nsw,o=schs,c=au" tls { tls_mode = yes # to the LDAP database by using the StartTLS extended # operation. # # The StartTLS operation is supposed to be # used with normal ldap connections instead of # using ldaps (port 689) connections start_tls = yes
==> this is not compliant with and ldaps server use start_tls=no By the way, Alan and other Gurus, I think there is a small typo in the comment: # using ldaps (port 689) connections Should be # using ldaps (port 636) connections HTH, Thibault
participants (2)
-
Peter Param -
Thibault Le Meur