No appropriate error message ("rlm_ldap: could not start TLS Connect error")
Hi! I've tried to establish a TLS-secured connection between freeradius-1.0.1-3 (Red Hat Enterprise Linux 4) and a openldap server. I tried every combination of tls_mode, start_tls and tls_require_cert, but I never got more than this error: (/etc/raddb/radiusd.conf) -------------------8<---------------------------------------- ldap { server = "MYLDAPSERVER.ira.uka.de" port = 389 identity = "uid=MYUSERNAME, ou=MYUNIT, dc=ira, dc=uka, dc=de" password = MYPASSWORD basedn = "ou=MYUNIT,dc=ira,dc=uka,dc=de" filter = "(uid=MYPREFIX-%u)" start_tls = yes tls_mode = no tls_cacertdir = /etc/raddb/cacerts/ tls_require_cert = demand dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 # No useful error msg w/o 0xffff ldap_debug = 0xffff } -------------------8<---------------------------------------- (/var/log/radius/radius.log) -------------------8<---------------------------------------- Error: rlm_ldap: could not start TLS Connect error Error: rlm_ldap: (re)connection attempt failed -------------------8<---------------------------------------- The problem was: (/usr/sbin/radiusd -X) -------------------8<---------------------------------------- TLS trace: SSL_connect:before/connect initialization TLS trace: SSL_connect:SSLv2/v3 write client hello A TLS trace: SSL_connect:SSLv3 read server hello A TLS certificate verification: depth: 1, err: 0, subject: /C=DE/ST=Baden/L=Karlsruhe/O=Universitaet Karlsruhe/OU=ATIS, Fakultaet fuer Informatik/CN=MYCACERTIFICATE/emailAddress=MYCA@MYSERVER.PRI, issuer: /C=DE/ST=Baden/L=Karlsruhe/O=Universitaet Karlsruhe/OU=ATIS, Fakultaet fuer Informatik/CN=MYCACERTIFICATE/emailAddress=MYCA@MYSERVER.PRI TLS certificate verification: depth: 0, err: 0, subject: /C=DE/ST=Germany/L=Karlsruhe/O=Universitaet Karlsruhe/OU=ATIS/CN=MYLDAPSERVER.ira.uni-karlsruhe.de/emailAddress=MYMAIL@MYSERVER.PRI, issuer: /C=DE/ST=Baden/L=Karlsruhe/O=Universitaet Karlsruhe/OU=ATIS, Fakultaet fuer Informatik/CN=MYCACERTIFICATE/emailAddress=MYMAIL@MYSERVER.PRI TLS trace: SSL_connect:SSLv3 read server certificate A TLS trace: SSL_connect:SSLv3 read server done A TLS trace: SSL_connect:SSLv3 write client key exchange A TLS trace: SSL_connect:SSLv3 write change cipher spec A TLS trace: SSL_connect:SSLv3 write finished A TLS trace: SSL_connect:SSLv3 flush data TLS trace: SSL_connect:SSLv3 read finished A TLS: hostname (MYLDAPSERVER.ira.uka.de) does not match common name in certificate (MYLDAPSERVER.ira.uni-karlsruhe.de). rlm_ldap: ldap_start_tls_s() ldap_err2string rlm_ldap: could not start TLS Connect error ldap_free_connection ldap_send_unbind ldap_free_connection: actually freed TLS trace: SSL3 alert write:warning:close notify rlm_ldap: (re)connection attempt failed rlm_ldap: search failed -------------------8<---------------------------------------- The importent one is: TLS: hostname (MYLDAPSERVER.ira.uka.de) does not match common name in certificate (MYLDAPSERVER.ira.uni-karlsruhe.de). MYLDAPSERVER.ira.uka.de is an alias for MYLDAPSERVER.ira.uni-karlsruhe.de (hostname used in the certificate). After I set server = MYLDAPSERVER.ira.uni-karlsruhe.de in my radiusd.conf the TLS connection worked without any problem. Maybe this mail will save someone the amount of time I had to waste, figuring it out.. :-/ _And_ maybe this mail inspires some of the developers to report the appropriate error message instead of "rlm_ldap: could not start TLS Connect error". Linus van Geuns. PS: Every certificate of an certificate authority in <tls_cacertdir> needs to be accessable by it's openssl-hash as filename. This can be achieved as follows: In <tls_cacertdir> run: CERT=CACERTFILENAME;ln ${CERT} `openssl x509 -noout -hash -in ${CERT} `.0 -s
Linus van Geuns <vangeuns@atis.uka.de> wrote:
_And_ maybe this mail inspires some of the developers to report the appropriate error message instead of "rlm_ldap: could not start TLS Connect error".
You just volunteered to write the patch. Please mail it to the list when it's ready. Alan DeKok.
Alan DeKok wrote:
Linus van Geuns <vangeuns@atis.uka.de> wrote:
_And_ maybe this mail inspires some of the developers to report the appropriate error message instead of "rlm_ldap: could not start TLS Connect error".
You just volunteered to write the patch.
Please mail it to the list when it's ready.
I'm sorry, but I am bound to another software project atm. Linus van Geuns.
Linus van Geuns <vangeuns@atis.uka.de> wrote:
Please mail it to the list when it's ready.
I'm sorry, but I am bound to another software project atm.
That's terrible! When can we expect a fix? Alan DeKok.
Alan DeKok wrote:
Linus van Geuns <vangeuns@atis.uka.de> wrote:
Please mail it to the list when it's ready.
I'm sorry, but I am bound to another software project atm.
That's terrible!
When can we expect a fix?
I'm working on a daemon that aims to implement PXE 2.1 and to be easily configurable. As I have to learn C++, network programming and programming for Linux/*nix by creating this daemon, and as this project is nothing official or something I get payed for, it will be done when it's done. Did I forget to tell you, I'm very sorry for intending to help others and mentioning that the error message is not appropriate? It was my fault, I should not even think of saving other peoples' time without getting payed for it. Is there something else that I may learn by reading your mails, Mr. DeKok? If not, they'll be read by /dev/null.. Linus van Geuns.
I'm setting up freeradius to talk to a Ipswitch Imail server for authetication. Just needs to do the basic User Pass... Ok. LDAP Server is 192.168.77.6 (this is all private testing) (the imail server) Domain on the server is pork.com A snippet of the config. ----------------------------------------------- ldap { server = "192.168.77.6" #identity = "cn=root,o=My Org,c=UA" #password = test1234 basedn = "o=My Org,c=UA" #filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" # base_filter = "(objectclass=radiusprofile)" # set this to 'yes' to use TLS encrypted connections ______________---------------------------------------------- I suspect that I'm having a problem with the Basedn.. On the imail server the LDAP user and pass is Root and test1234 The actual mail account that I'm trying to autorize against is test@pork.com pass test Below is a Cut form radiusd -X debug.. Anyone have any reccomendations>? modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 0 rlm_ldap: - authenticate rlm_ldap: login attempt by "test@pork.com" with password "test" radius_xlat: '(uid=test@pork.com)' radius_xlat: 'o=My Org,c=UA' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 192.168.77.6:389, authentication 0 rlm_ldap: bind as / to 192.168.77.6:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in o=My Org,c=UA, with filter (uid=test@pork.com) rlm_ldap: object not found or got ambiguous search result rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authenticate]: module "ldap" returns notfound for request 0 modcall: group Auth-Type returns notfound for request 0 auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 37 to 192.168.77.6:2686 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 37 with timestamp 43345c56 Nothing to do. Sleeping until we see a request.
Cris Boisvert wrote:
I'm setting up freeradius to talk to a Ipswitch Imail server for authetication.
Just needs to do the basic User Pass... Ok.
[..]
A snippet of the config. ----------------------------------------------- ldap { server = "192.168.77.6" #identity = "cn=root,o=My Org,c=UA" #password = test1234 basedn = "o=My Org,c=UA" #filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" # base_filter = "(objectclass=radiusprofile)"
# set this to 'yes' to use TLS encrypted connections ______________----------------------------------------------
[..]
Below is a Cut form radiusd -X debug..
Anyone have any reccomendations>?
modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 0 rlm_ldap: - authenticate rlm_ldap: login attempt by "test@pork.com" with password "test" radius_xlat: '(uid=test@pork.com)' radius_xlat: 'o=My Org,c=UA'
Do you really have an object with attribute iud="test@pork.com"? I think you should split the username with delimiter '@', so you search for uid=test,dc=pork,dc=com (or similiar). But if you have such objects, try ldap_debug=0xffff between ldap { } in your radiusd.conf. Linus van Geuns.
Linus van Geuns <vangeuns@atis.uka.de> wrote:
Did I forget to tell you, I'm very sorry for intending to help others and mentioning that the error message is not appropriate? It was my fault, I should not even think of saving other peoples' time without getting payed for it.
The issue was that you were asking other people to fix a problem you ran into. Where is the incentive for us to fix something you don't like?
Is there something else that I may learn by reading your mails, Mr. DeKok? If not, they'll be read by /dev/null..
Too bad it isn't a two-way pipe. Alan DeKok.
Alan DeKok wrote:
Linus van Geuns <vangeuns@atis.uka.de> wrote:
Did I forget to tell you, I'm very sorry for intending to help others and mentioning that the error message is not appropriate? It was my fault, I should not even think of saving other peoples' time without getting payed for it.
The issue was that you were asking other people to fix a problem you ran into.
Where is the incentive for us to fix something you don't like?
1.) The developers of freeradius declared their intend to provide a radius daemon, so other people may _use_ (not develope) it. 2.) I mailed the solution to my problem so others, running into the same one, may find this mail useful. 3.) Did I claim someone _has_ to fix it, because I don't 'like' it? 4.) I think, the error message from freeradius does obviously contain no useful degub information. So what?
Linus van Geuns <vangeuns@atis.uka.de> wrote:
3.) Did I claim someone _has_ to fix it, because I don't 'like' it?
Pretty much, yes. And you then got upset when I said you could fix it.
4.) I think, the error message from freeradius does obviously contain no useful degub information.
<laughs> Sure. Have you ever tried using a *commercial* server? They have *no* useful debugging or error messages. Alan DeKok.
Alan DeKok wrote:
Linus van Geuns <vangeuns@atis.uka.de> wrote:
3.) Did I claim someone _has_ to fix it, because I don't 'like' it?
Pretty much, yes. And you then got upset when I said you could fix it.
Hm, AFAIR... ah, maybe I got upset by this one: -------8<--------------------------------------
_And_ maybe this mail inspires some of the developers to report the appropriate error message instead of "rlm_ldap: could not start TLS Connect error".
You just volunteered to write the patch. Please mail it to the list when it's ready.
I'm sorry, but I am bound to another software project atm.
That's terrible! When can we expect a fix?
Alan DeKok. -------8<--------------------------------------
4.) I think, the error message from freeradius does obviously contain no useful degub information.
<laughs> Sure. Have you ever tried using a *commercial* server? They have *no* useful debugging or error messages.
Ah! There is no need to care about it, because others don't care about appropriate error messages. I think, that's all I need to know by now. Linus van Geuns.
participants (3)
-
Alan DeKok -
Cris Boisvert -
Linus van Geuns