Hello, we are using freeradius 2.0.1 on SLES 10. Our users are authorized and authenticated via ldap against a Novell eDirectory. When i look at a trace on the eDirectory, i see a lot of attributes, the Freeradius-Server wants to get from the directory. But we don't have any of these attributes in the directory, and we don't need them. So, i tried to comment out the line #dictionary_mapping = ${confdir}/ldap.attrmap in the radiusd.conf, but the server still wants to get the attributes from the directory. So, i commented out all the lines in the file ldap.attrmap, which doesn't work... The server still wants to have a least one active line in the file. ----------- rlm_ldap: dictionary mappings file /etc/raddb/ldap.attrmap did not contain any mappings /etc/raddb/radiusd.conf[637]: Instantiation failed for module "ldap" ----------- Is there a way to deactivate the ldap.attrmap file? Thanks a lot! Sebastian -- GMX FreeMail: 1 GB Postfach, 5 E-Mail-Adressen, 10 Free SMS. Alle Infos und kostenlose Anmeldung: http://www.gmx.net/de/go/freemail
Hello again,
Sebastian Heil wrote:
Is there a way to deactivate the ldap.attrmap file?
Edit the source code & re-compile.
Maybe i will try it... never done before... :-) thanks anyway. i have got another problem. since the authentication via ldap works now quite ok, i would like to try ldaps together with edirectory. what do i have to configure? i already imported the root certificate and configured the tls-section of the ldap-section like this: tls { start_tls = yes cacertfile = /etc/raddb/certs/tc_class2.pem require_cert = "demand" } but i doesn't work like this... i added the following lines to the ldap-section: port = 636 tls_mode = yes tls_require_cert = demand and i doesn't work either... part of the debug: rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ************:636, authentication 0 rlm_ldap: setting TLS mode to 1 rlm_ldap: setting TLS CACert File to /etc/raddb/certs/tc_class2.pem rlm_ldap: setting TLS Require Cert to demand rlm_ldap: starting TLS rlm_ldap: ldap_start_tls_s() rlm_ldap: could not start TLS Can't contact LDAP server rlm_ldap: (re)connection attempt failed rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 Any ideas? Thanks. Sebastian -- GMX FreeMail: 1 GB Postfach, 5 E-Mail-Adressen, 10 Free SMS. Alle Infos und kostenlose Anmeldung: http://www.gmx.net/de/go/freemail
Sebastian Heil wrote: ...
i added the following lines to the ldap-section: ... rlm_ldap: could not start TLS Can't contact LDAP server
Maybe you need to check that there is an LDAP server listening on that port?
Alan DeKok.
thanks for your fast answer, alan. but i am afraid, this is not the solution... the ldap-server is listening and even responding to my ldap-request. i captured the communication between the freeradius and the edirectory with etherreal: Someone any idea about the "Encrypted Alert" in no. 14?? Thanks. --------------------- No. Time Source Destination Protocol Info 1 0.000000 radtestclient freeradius RADIUS Access-Request(1) (id=74, l=58) 3 0.000749 freeradius edirectory TCP 56302 > ldaps [SYN] Seq=0 Len=0 MSS=1460 TSV=445748676 TSER=0 WS=2 5 0.012986 edirectory freeradius TCP ldaps > 56302 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1460 WS=0 TSV=3386151196 TSER=445748676 6 0.013057 freeradius edirectory TCP 56302 > ldaps [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=445748679 TSER=3386151196 7 0.013639 freeradius edirectory SSLv2 Client Hello 8 0.021887 edirectory freeradius TLSv1 Server Hello, 9 0.022035 freeradius edirectory TCP 56302 > ldaps [ACK] Seq=143 Ack=1449 Win=8736 Len=0 TSV=445748682 TSER=3386151206 10 0.030390 edirectory freeradius TLSv1 Certificate 11 0.030550 freeradius edirectory TCP 56302 > ldaps [ACK] Seq=143 Ack=1946 Win=11632 Len=0 TSV=445748684 TSER=3386151215 12 0.032263 freeradius edirectory TLSv1 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message 13 0.048990 edirectory freeradius TLSv1 Change Cipher Spec, Encrypted Handshake Message 14 0.049652 freeradius edirectory TLSv1 Encrypted Alert 15 0.049923 freeradius edirectory TCP 56302 > ldaps [FIN, ACK] Seq=506 Ack=2005 Win=11632 Len=0 TSV=445748689 TSER=3386151237 17 0.057441 edirectory freeradius TCP ldaps > 56302 [ACK] Seq=2005 Ack=507 Win=4885 Len=0 TSV=3386151247 TSER=445748689 18 0.057774 edirectory freeradius TLSv1 Encrypted Alert 19 0.057807 freeradius edirectory TCP 56302 > ldaps [RST] Seq=507 Len=0 20 0.057880 edirectory freeradius TCP ldaps > 56302 [FIN, ACK] Seq=2042 Ack=507 Win=4885 Len=0 TSV=3386151247 TSER=445748689 21 0.057903 freeradius edirectory TCP 56302 > ldaps [RST] Seq=507 Len=0 -- Ist Ihr Browser Vista-kompatibel? Jetzt die neuesten Browser-Versionen downloaden: http://www.gmx.net/de/go/browser
What struck me was that you need more attributes, but maybe I missed them: -cacertfile -certfile -keyfile -Josiah Sebastian Heil wrote:
Sebastian Heil wrote: ...
i added the following lines to the ldap-section:
...
rlm_ldap: could not start TLS Can't contact LDAP server
Maybe you need to check that there is an LDAP server listening on that port?
Alan DeKok.
thanks for your fast answer, alan. but i am afraid, this is not the solution... the ldap-server is listening and even responding to my ldap-request. i captured the communication between the freeradius and the edirectory with etherreal:
Someone any idea about the "Encrypted Alert" in no. 14?? Thanks.
--------------------- No. Time Source Destination Protocol Info 1 0.000000 radtestclient freeradius RADIUS Access-Request(1) (id=74, l=58)
3 0.000749 freeradius edirectory TCP 56302 > ldaps [SYN] Seq=0 Len=0 MSS=1460 TSV=445748676 TSER=0 WS=2
5 0.012986 edirectory freeradius TCP ldaps > 56302 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1460 WS=0 TSV=3386151196 TSER=445748676
6 0.013057 freeradius edirectory TCP 56302 > ldaps [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=445748679 TSER=3386151196
7 0.013639 freeradius edirectory SSLv2 Client Hello
8 0.021887 edirectory freeradius TLSv1 Server Hello,
9 0.022035 freeradius edirectory TCP 56302 > ldaps [ACK] Seq=143 Ack=1449 Win=8736 Len=0 TSV=445748682 TSER=3386151206
10 0.030390 edirectory freeradius TLSv1 Certificate
11 0.030550 freeradius edirectory TCP 56302 > ldaps [ACK] Seq=143 Ack=1946 Win=11632 Len=0 TSV=445748684 TSER=3386151215
12 0.032263 freeradius edirectory TLSv1 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
13 0.048990 edirectory freeradius TLSv1 Change Cipher Spec, Encrypted Handshake Message
14 0.049652 freeradius edirectory TLSv1 Encrypted Alert
15 0.049923 freeradius edirectory TCP 56302 > ldaps [FIN, ACK] Seq=506 Ack=2005 Win=11632 Len=0 TSV=445748689 TSER=3386151237
17 0.057441 edirectory freeradius TCP ldaps > 56302 [ACK] Seq=2005 Ack=507 Win=4885 Len=0 TSV=3386151247 TSER=445748689
18 0.057774 edirectory freeradius TLSv1 Encrypted Alert
19 0.057807 freeradius edirectory TCP 56302 > ldaps [RST] Seq=507 Len=0
20 0.057880 edirectory freeradius TCP ldaps > 56302 [FIN, ACK] Seq=2042 Ack=507 Win=4885 Len=0 TSV=3386151247 TSER=445748689
21 0.057903 freeradius edirectory TCP 56302 > ldaps [RST] Seq=507 Len=0
-- Wm. Josiah Erikson Computing Support School of Cognitive Science Hampshire College Amherst, MA 01002 (413) 559-6091
-------- Original-Nachricht --------
Datum: Wed, 30 Jan 2008 09:28:31 -0500 Von: "Wm. Josiah Erikson" <wjerikson@hampshire.edu> An: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Betreff: Re: deactivate ldap.attrmap
What struck me was that you need more attributes, but maybe I missed them:
-cacertfile -certfile -keyfile
-Josiah
I also tried a configuration with these attributes, but the error was the same. in my config there is at the moment only the "cacertfile", which is needed for the check of the edirectory-server-certificate. In my opinion, i don't need the certfile and keyfile for eap-tls, because the edirectory-server doesn't check the freeradius-server-certificate. Is this correct?!? Sebastian
Sebastian Heil wrote:
Sebastian Heil wrote: ...
i added the following lines to the ldap-section:
...
rlm_ldap: could not start TLS Can't contact LDAP server
Maybe you need to check that there is an LDAP server listening on that port?
Alan DeKok.
thanks for your fast answer, alan. but i am afraid, this is not the solution... the ldap-server is listening and even responding to my ldap-request. i captured the communication between the freeradius and the edirectory with etherreal:
Someone any idea about the "Encrypted Alert" in no. 14?? Thanks.
--------------------- No. Time Source Destination Protocol Info 1 0.000000 radtestclient freeradius RADIUS Access-Request(1) (id=74, l=58)
3 0.000749 freeradius edirectory TCP 56302 > ldaps [SYN] Seq=0 Len=0 MSS=1460 TSV=445748676 TSER=0 WS=2
5 0.012986 edirectory freeradius TCP ldaps > 56302 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1460 WS=0 TSV=3386151196 TSER=445748676
6 0.013057 freeradius edirectory TCP 56302 > ldaps [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=445748679 TSER=3386151196
7 0.013639 freeradius edirectory SSLv2 Client Hello
8 0.021887 edirectory freeradius TLSv1 Server Hello,
9 0.022035 freeradius edirectory TCP 56302 > ldaps [ACK] Seq=143 Ack=1449 Win=8736 Len=0 TSV=445748682 TSER=3386151206
10 0.030390 edirectory freeradius TLSv1 Certificate
11 0.030550 freeradius edirectory TCP 56302 > ldaps [ACK] Seq=143 Ack=1946 Win=11632 Len=0 TSV=445748684 TSER=3386151215
12 0.032263 freeradius edirectory TLSv1 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
13 0.048990 edirectory freeradius TLSv1 Change Cipher Spec, Encrypted Handshake Message
14 0.049652 freeradius edirectory TLSv1 Encrypted Alert
15 0.049923 freeradius edirectory TCP 56302 > ldaps [FIN, ACK] Seq=506 Ack=2005 Win=11632 Len=0 TSV=445748689 TSER=3386151237
17 0.057441 edirectory freeradius TCP ldaps > 56302 [ACK] Seq=2005 Ack=507 Win=4885 Len=0 TSV=3386151247 TSER=445748689
18 0.057774 edirectory freeradius TLSv1 Encrypted Alert
19 0.057807 freeradius edirectory TCP 56302 > ldaps [RST] Seq=507 Len=0
20 0.057880 edirectory freeradius TCP ldaps > 56302 [FIN, ACK] Seq=2042 Ack=507 Win=4885 Len=0 TSV=3386151247 TSER=445748689
21 0.057903 freeradius edirectory TCP 56302 > ldaps [RST] Seq=507 Len=0
-- Wm. Josiah Erikson Computing Support School of Cognitive Science Hampshire College Amherst, MA 01002 (413) 559-6091
-- GMX FreeMail: 1 GB Postfach, 5 E-Mail-Adressen, 10 Free SMS. Alle Infos und kostenlose Anmeldung: http://www.gmx.net/de/go/freemail
-------- Original-Nachricht --------
Datum: Wed, 30 Jan 2008 09:28:31 -0500 Von: "Wm. Josiah Erikson" <wjerikson@hampshire.edu> An: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Betreff: Re: deactivate ldap.attrmap
What struck me was that you need more attributes, but maybe I missed them:
-cacertfile -certfile -keyfile
-Josiah
I also tried a configuration with these attributes, but the error was the same. in my config there is at the moment only the "cacertfile", which is needed for the check of the edirectory-server-certificate. In my opinion, i don't need the certfile and keyfile for eap-tls, because the edirectory-server doesn't check the freeradius-server-certificate. Is this correct?!?
Sebastian
Sebastian Heil wrote:
Sebastian Heil wrote: ...
i added the following lines to the ldap-section:
...
rlm_ldap: could not start TLS Can't contact LDAP server
Maybe you need to check that there is an LDAP server listening on that port?
Alan DeKok.
thanks for your fast answer, alan. but i am afraid, this is not the solution... the ldap-server is listening and even responding to my ldap-request. i captured the
communication
between the freeradius and the edirectory with etherreal:
Someone any idea about the "Encrypted Alert" in no. 14?? Thanks.
--------------------- No. Time Source Destination
Protocol Info
1 0.000000 radtestclient freeradius RADIUS
Access-Request(1) (id=74, l=58)
3 0.000749 freeradius edirectory TCP
56302 > ldaps [SYN] Seq=0 Len=0 MSS=1460 TSV=445748676 TSER=0 WS=2
5 0.012986 edirectory freeradius TCP
ldaps > 56302 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1460 WS=0 TSV=3386151196 TSER=445748676
6 0.013057 freeradius edirectory TCP
56302 > ldaps [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=445748679 TSER=3386151196
7 0.013639 freeradius edirectory SSLv2
Client Hello
8 0.021887 edirectory freeradius TLSv1
Server Hello,
9 0.022035 freeradius edirectory TCP
56302 > ldaps [ACK] Seq=143 Ack=1449 Win=8736 Len=0 TSV=445748682 TSER=3386151206
10 0.030390 edirectory freeradius TLSv1
Certificate
11 0.030550 freeradius edirectory TCP
56302 > ldaps [ACK] Seq=143 Ack=1946 Win=11632 Len=0 TSV=445748684 TSER=3386151215
12 0.032263 freeradius edirectory TLSv1
Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
13 0.048990 edirectory freeradius TLSv1
Change Cipher Spec, Encrypted Handshake Message
14 0.049652 freeradius edirectory TLSv1
Encrypted Alert
15 0.049923 freeradius edirectory TCP
56302 > ldaps [FIN, ACK] Seq=506 Ack=2005 Win=11632 Len=0 TSV=445748689 TSER=3386151237
17 0.057441 edirectory freeradius TCP
ldaps > 56302 [ACK] Seq=2005 Ack=507 Win=4885 Len=0 TSV=3386151247 TSER=445748689
18 0.057774 edirectory freeradius TLSv1
Encrypted Alert
19 0.057807 freeradius edirectory TCP
56302 > ldaps [RST] Seq=507 Len=0
20 0.057880 edirectory freeradius TCP
ldaps > 56302 [FIN, ACK] Seq=2042 Ack=507 Win=4885 Len=0 TSV=3386151247 TSER=445748689
21 0.057903 freeradius edirectory TCP
56302 > ldaps [RST] Seq=507 Len=0
I think, i found the problem. the client starts the session with the client hello-packet. I think, the protocol of the client-hello-packet is wrong, its not tls, but sslv2. for example in sslv2 the random-number is missing. Is there a way to change the client-hello packet to tls, not sslv2? Thanks in advance. Sebastian -- GMX FreeMail: 1 GB Postfach, 5 E-Mail-Adressen, 10 Free SMS. Alle Infos und kostenlose Anmeldung: http://www.gmx.net/de/go/freemail
Le mercredi 30 janvier 2008, Sebastian Heil a écrit :
Sebastian Heil wrote: ...
i added the following lines to the ldap-section:
...
rlm_ldap: could not start TLS Can't contact LDAP server
It doesn't seem that your TLS is well initiated. I don't think it is an ldap or freeradius issue. In a first time, perhaps you could try your conf without the TLS tunnel.
14 0.049652 freeradius edirectory TLSv1 Encrypted Alert
Le mercredi 30 janvier 2008, Sebastian Heil a écrit :
Sebastian Heil wrote: ...
i added the following lines to the ldap-section:
...
rlm_ldap: could not start TLS Can't contact LDAP server
It doesn't seem that your TLS is well initiated. I don't think it is an ldap or freeradius issue.
Maybe... maybe not... i dont know... the configuration-options for ldaps are not really good documented, i think. how can i confirm, which software produces this problem? In a first time, perhaps you could try your conf
without the TLS tunnel.
My configuration works with "normal" ldap. so i tried to "upgrade" to ldaps, which didn't work.
14 0.049652 freeradius edirectory TLSv1 Encrypted Alert
Any ideas which problem can produce this "encrypted alert"? Thanks a lot. Sebastian -- GMX FreeMail: 1 GB Postfach, 5 E-Mail-Adressen, 10 Free SMS. Alle Infos und kostenlose Anmeldung: http://www.gmx.net/de/go/freemail
Le jeudi 31 janvier 2008, Sebastian Heil a écrit :
Le mercredi 30 janvier 2008, Sebastian Heil a écrit :
Sebastian Heil wrote: ...
i added the following lines to the ldap-section:
...
rlm_ldap: could not start TLS Can't contact LDAP server
It doesn't seem that your TLS is well initiated. I don't think it is an ldap or freeradius issue.
Maybe... maybe not... i dont know... the configuration-options for ldaps are not really good documented, i think.
how can i confirm, which software produces this problem?
In a first time, perhaps you could try your conf
without the TLS tunnel.
My configuration works with "normal" ldap. so i tried to "upgrade" to ldaps, which didn't work.
The hypothesis of the TLS problem seems to be confirmed.
14 0.049652 freeradius edirectory TLSv1 Encrypted Alert
Any ideas which problem can produce this "encrypted alert"?
It is a really difficult question (for me at least). Using wireshark, you could have a more precise view of the message sent from freeradius to ldap. There is a lot of things that can produce the failure of the init of a TLS tunnel. Bad certificats, failure of the negociation of the cryptographic protocols, etc.
UNCLASSIFIED -----Original Message----- From: freeradius-users-bounces+frank.ranner=defence.gov.au@lists.freeradius.or g [mailto:freeradius-users-bounces+frank.ranner=defence.gov.au@lists.freer adius.org] On Behalf Of Sebastian Heil Sent: Wednesday, 30 January 2008 20:08 To: FreeRadius users mailing list Subject: Re: deactivate ldap.attrmap Hello again,
Sebastian Heil wrote:
Is there a way to deactivate the ldap.attrmap file?
Edit the source code & re-compile.
Maybe i will try it... never done before... :-) thanks anyway. i have got another problem. since the authentication via ldap works now quite ok, i would like to try ldaps together with edirectory. what do i have to configure? i already imported the root certificate and configured the tls-section of the ldap-section like this: tls { start_tls = yes cacertfile = /etc/raddb/certs/tc_class2.pem require_cert = "demand" } but i doesn't work like this... i added the following lines to the ldap-section: port = 636 tls_mode = yes tls_require_cert = demand and i doesn't work either... part of the debug: rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ************:636, authentication 0 rlm_ldap: setting TLS mode to 1 rlm_ldap: setting TLS CACert File to /etc/raddb/certs/tc_class2.pem rlm_ldap: setting TLS Require Cert to demand rlm_ldap: starting TLS rlm_ldap: ldap_start_tls_s() rlm_ldap: could not start TLS Can't contact LDAP server rlm_ldap: (re)connection attempt failed rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 Any ideas? Thanks. Sebastian I have seen the later comments in the thread, but I think the problem is that you need to choose whether to use tls or ssl. If you use tls, you should connect to port 389 and issue start-tls. If you use ssl you connect to 636 and don't do start-tls. Doing both, ie connect to 636 and issue start-tls is probably a bad thing. Another this you could try is to ark up an openldap server on a linux box. You can run the server with debugging switched on and see the entire certificate negotiation from the servers point of view. Regards, Frankl Ranner
I have seen the later comments in the thread, but I think the problem is that you need to choose whether to use tls or ssl. If you use tls, you should connect to port 389 and issue start-tls. If you use ssl you connect to 636 and don't do start-tls. Doing both, ie connect to 636 and issue start-tls is probably a bad thing.
Another this you could try is to ark up an openldap server on a linux box. You can run the server with debugging switched on and see the entire certificate negotiation from the servers point of view.
Regards, Frankl Ranner
The problem is now fixed. First, i activated the complete debug of the ldap module with "ldap_debug =0xFFFF". (Thanks Novell!) So, in this debug, i saw, that the cn in the certificate differs from the name of the server. so, i fixed this in my configuration, and everything works fine now. How can I/we improve the documentation of the ldap module? for example: it should be mentioned, that you need the config "ldap_debug =0xFFFF" for the complete ldap debug... and a few other things like the undocumented config-option "port"... it should be added to the config-file. what do the others think? Thanks for all the support! great job! Sebastian -- Psssst! Schon vom neuen GMX MultiMessenger gehört? Der kann`s mit allen: http://www.gmx.net/de/go/multimessenger
Sebastian Heil wrote:
The problem is now fixed. First, i activated the complete debug of the ldap module with "ldap_debug =0xFFFF". (Thanks Novell!) So, in this debug, i saw, that the cn in the certificate differs from the name of the server. so, i fixed this in my configuration, and everything works fine now.
How can I/we improve the documentation of the ldap module? for example: it should be mentioned, that you need the config "ldap_debug =0xFFFF" for the complete ldap debug... and a few other things like the undocumented config-option "port"... it should be added to the config-file.
doc/DIFFS As always, patches are welcome. Even to documentation. Alan DeKok.
participants (5)
-
Alan DeKok -
Ranner, Frank MR -
Sebastian Heil -
Thierry CHICH -
Wm. Josiah Erikson