Hi, I'm trying to authorize users in different AD's (2003 and 2008), but I keep running into an error I can't find any thing on when I google it. For the purpose of the testing I have set the following in the ldap section: require_cert Freeradius tries to connect to the ldap server (2008), the connection fails and I get the following debug output. ============================ DEBUG ======================================= [ldap_CustA] performing user authorization for MyAccount [ldap_CustA] expand: (&(sAMAccountName=%{User-Name})) -> (&(sAMAccountName=MyAccount)) [ldap_CustA] expand: ou=OU1,ou=OU2,dc=domain,dc=local -> ou=OU1,ou=OU2,dc=domain,dc=local [ldap_CustA] ldap_get_conn: Checking Id: 0 [ldap_CustA] ldap_get_conn: Got Id: 0 [ldap_CustA] attempting LDAP reconnection [ldap_CustA] (re)connect to AD-IP-ADDRESS:636, authentication 0 [ldap_CustA] setting TLS mode to 1 [ldap_CustA] setting TLS CACert File to /etc/raddb/certs/ca.pem [ldap_CustA] setting TLS CACert Directory to /etc/raddb/certs/ [ldap_CustA] setting TLS Require Cert to never [ldap_CustA] setting TLS Cert File to /etc/raddb/certs/server.crt [ldap_CustA] setting TLS Key File to /etc/raddb/certs/server.key [ldap_CustA] setting TLS Key File to /etc/raddb/certs/random [ldap_CustA] bind as user@domain.local/PASSWORD to 193.47.81.75:636 TLS: could not add the certificate PEM Token #0:server.crt - 0 - error -8192:Unknown code ___f 0. TLS: error: could not initialize moznss security context - error -8192:Unknown code ___f 0 TLS: can't create ssl handle. =========================================================================== ======================= CONFIG SNIP ========================================= tls { start_tls = no cacertfile = /etc/raddb/certs/ca.pem cacertdir = /etc/raddb/certs/ certfile = /etc/raddb/certs/server.crt keyfile = /etc/raddb/certs/server.key randfile = /etc/raddb/certs/random require_cert = "never" } =========================================================================== I'm wondering why the random file is set as a TLS Key, and also what exactly is going wrong since I get the error for the PEM Token? Thank you for your help. -- Thanks for your help Frank
On 11/06/2011 09:04 AM, Frank Skovboel wrote:
Hi,
I'm trying to authorize users in different AD's (2003 and 2008), but I keep running into an error I can't find any thing on when I google it.
For the purpose of the testing I have set the following in the ldap section: require_cert
Freeradius tries to connect to the ldap server (2008), the connection fails and I get the following debug output.
============================ DEBUG ======================================= [ldap_CustA] performing user authorization for MyAccount [ldap_CustA] expand: (&(sAMAccountName=%{User-Name})) -> (&(sAMAccountName=MyAccount)) [ldap_CustA] expand: ou=OU1,ou=OU2,dc=domain,dc=local -> ou=OU1,ou=OU2,dc=domain,dc=local [ldap_CustA] ldap_get_conn: Checking Id: 0 [ldap_CustA] ldap_get_conn: Got Id: 0 [ldap_CustA] attempting LDAP reconnection [ldap_CustA] (re)connect to AD-IP-ADDRESS:636, authentication 0 [ldap_CustA] setting TLS mode to 1 [ldap_CustA] setting TLS CACert File to /etc/raddb/certs/ca.pem [ldap_CustA] setting TLS CACert Directory to /etc/raddb/certs/ [ldap_CustA] setting TLS Require Cert to never [ldap_CustA] setting TLS Cert File to /etc/raddb/certs/server.crt [ldap_CustA] setting TLS Key File to /etc/raddb/certs/server.key [ldap_CustA] setting TLS Key File to /etc/raddb/certs/random
This is a logging bug in FreeRADIUS; the code seems to have been copy & pasted. It *is* setting the randfile option, but it's logging the wrong thing (key file). It can be ignored.
[ldap_CustA] bind as user@domain.local/PASSWORD to 193.47.81.75:636 TLS: could not add the certificate PEM Token #0:server.crt - 0 - error -8192:Unknown code ___f 0. TLS: error: could not initialize moznss security context - error -8192:Unknown code ___f 0
Well that's a new one on me. Which version of FreeRADIUS are you using, on which OS? Which LDAP libraries are you linking against? I'm guessing you're on a RedHat based system, judging from the fact the LDAP libraries seem to be using Mozilla NSS rather than OpenSSL under the hood? Where did "server.crt" come from? I presume it's a copy of the LDAP server cert, signed by the CA in "ca.pem"? Do you need it? You can probably just give the CA cert, for a connection to an LDAP server.
[ldap_CustA] setting TLS Key File to /etc/raddb/certs/server.key [ldap_CustA] setting TLS Key File to /etc/raddb/certs/random
This is a logging bug in FreeRADIUS; the code seems to have been copy & pasted. It *is* setting the randfile option, but it's logging the wrong thing (key file). It can be ignored.
Okay thank you.
[ldap_CustA] bind as user@domain.local/PASSWORD to 193.47.81.75:636 TLS: could not add the certificate PEM Token #0:server.crt - 0 - error -8192:Unknown code ___f 0. TLS: error: could not initialize moznss security context - error -8192:Unknown code ___f 0
Well that's a new one on me.
Which version of FreeRADIUS are you using, on which OS? Which LDAP libraries are you linking against?
I did not compile it, I used yum (CentOS) to install it. is there any way for me to see this?
I'm guessing you're on a RedHat based system, judging from the fact the LDAP libraries seem to be using Mozilla NSS rather than OpenSSL under the hood?
yes it's CentOS.
Where did "server.crt" come from? I presume it's a copy of the LDAP server cert, signed by the CA in "ca.pem"? Do you need it? You can probably just give the CA cert, for a connection to an LDAP server.
They were all generated by bootstrap as part of the default installation. I'll try with only giving he cacertfile cacertdir when doing that it I get the following (sanitized): [ldap_CustA] setting TLS mode to 1 [ldap_CustA] setting TLS CACert File to /etc/raddb/certs/ca.pem [ldap_CustA] setting TLS CACert Directory to /etc/raddb/certs/ [ldap_CustA] setting TLS Require Cert to never [ldap_CustA] bind as MyUser@domain.local/MyPassword to 193.47.81.75:636 TLS: certificate [CN=server.domain.local] is not valid - CA cert is not valid TLS: certificate [CN=server.domain.local] is not valid - error -8102:Unknown code ___f 90. TLS: certificate [CN=server.domain.local] is not valid - error -8172:Unknown code ___f 20. TLS: error: connect - force handshake failure: errno 0 - moznss error -8157 TLS: can't connect: TLS error -8157:Unknown code ___f 35. [ldap_CustA] MyUser@domain.local bind to 1.1.1.1:636 failed: Can't contact LDAP server [ldap_CustA] (re)connection attempt failed If I'm reading that correctly the certificates in the AD is not setup right? -- Thanks, Frank
Hi,
tls { start_tls = no
cacertfile = /etc/raddb/certs/ca.pem cacertdir = /etc/raddb/certs/ certfile = /etc/raddb/certs/server.crt keyfile = /etc/raddb/certs/server.key randfile = /etc/raddb/certs/random require_cert = "never"
are these certs for the LDAP connectin - or are these your main certs for the client connections - as the directory looks to be the same. ensure you have seperate config for your RADIUS<->LDAP connection... is the CRT file PEM readable? - ie use openssl tool to check your cert alan
----- Original Message -----
From: "Alan Buxey" <A.L.M.Buxey@lboro.ac.uk> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Sunday, November 6, 2011 10:59:43 AM Subject: Re: ldap tls in freeradius
Hi,
tls { start_tls = no
cacertfile = /etc/raddb/certs/ca.pem cacertdir = /etc/raddb/certs/ certfile = /etc/raddb/certs/server.crt keyfile = /etc/raddb/certs/server.key randfile = /etc/raddb/certs/random require_cert = "never"
are these certs for the LDAP connectin - or are these your main certs for the client connections - as the directory looks to be the same. ensure you have seperate config for your RADIUS<->LDAP connection...
is the CRT file PEM readable? - ie use openssl tool to check your cert
The snippet above is from the ldap setup. I do not expect to use EAP, so the certs are only to connect to the ldap servers. I'm new to openssl, but I did manage to find the syntax for reading the PEM crt file with -noout -text, and it give me the certificate data. The directory that I pointed to were the one that bootstrap automatically created. Do I need to create new certificates for the ldap lookup (if so is there a guide some where)? What is required (eg. key = values etc) in order to do a secure LDAP lookup in a remote AD. I would also like (for testing) to ensure that the ldap lookup does not try to validate the ldap server certificate I assume that "require_cert" does this for me? -- Thanks, Frank
Hi,
I do not expect to use EAP, so the certs are only to connect to the ldap servers. I'm new to openssl, but I did manage to find the syntax for reading the PEM crt file with -noout -text, and it give me the certificate data.
okay
The directory that I pointed to were the one that bootstrap automatically created. Do I need to create new certificates for the ldap lookup (if so is there a guide some where)?
err, yes. those certs made by bootstrap are SSL certs for the EAP part of the server - for clients to talk to your RADIUS server. for you to use LDAP with TLS, you will need to get a copy of the CA file for the CA that signs your LDAP server.... you can then also get a copy of the LDAP cert if you wish to set it - though I think that can be automatically provisioned in the TLS setup should you not wish to be paranoid
What is required (eg. key = values etc) in order to do a secure LDAP lookup in a remote AD. I would also like (for testing) to ensure that the ldap lookup does not try to validate the ldap server certificate I assume that "require_cert" does this for me?
as above...get a copy of the CA file that signs the LDAP/AD server and get a copy of the LDAP server cert. the stuff you've configured is for EAP server component alan
On 11/06/2011 11:37 AM, Frank Skovboel wrote:
The directory that I pointed to were the one that bootstrap automatically created. Do I need to create new certificates for the ldap lookup (if so is there a guide some where)?
As others have pointed out, that's wrong. The bootstrap certs are a fake CA & server cert, which you can use to test EAP. If you want to use LDAPS as a *client*, you need to obtain the CA cert which signs the LDAP server cert, and reference (probably only) that in the ldap "tls {}" block
participants (3)
-
Alan Buxey -
Frank Skovboel -
Phil Mayers