Thank you all, I think it's time for me to give back to the community now ... I m planning to add something on the how-to if the admins allow me to :) Regards On 5 May 2016 at 07:41, <freeradius-users-request@lists.freeradius.org> wrote:
Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-request@lists.freeradius.org
You can reach the person managing the list at freeradius-users-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. RE: LDAP CONFIGURATION IN FreeRadius (WINANT, KEVIN) 2. RE: LDAP CONFIGURATION IN FreeRadius (Alan Buxey) 3. Re: Problem with multiple LDAP servers (Alan Buxey) 4. RE: LDAP CONFIGURATION IN FreeRadius (WINANT, KEVIN) 5. Re: Problem with multiple LDAP servers (Arran Cudbard-Bell) 6. Re: 802.1X Extra Miles (Johnny R)
----------------------------------------------------------------------
Message: 1 Date: Wed, 4 May 2016 22:20:56 +0000 From: "WINANT, KEVIN" <KW517G@att.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: RE: LDAP CONFIGURATION IN FreeRadius Message-ID: < 751C2B6C8900694381C6D7090C243EA3216019E5@MISOUT7MSGUSRCB.ITServices.sbc.com
Content-Type: text/plain; charset="us-ascii"
Sorry am not trying to move/upgrade anything to v3 at this time. I am trying to see my LDAP configuration for our External LDAP server. I am trying to see which port LDAP is using. If port 389 I will have no issue when the EXTERNAL LDAP server begins using SHA256 certs. If configured to use 636, I then need to identify the ROOT CA and serial number being used by FreeRadius and verify it is the SAME Root CA and serial number the External LDAP server is using. Apologies for the original looooooooong sentence.
On 4 May 2016, at 12:43, WINANT, KEVIN <KW517G@att.com> wrote:
Version is 2.1.1 which we found is EOL and looking to go to V3. Did the debug and looks like it loads up > "including configuration file /etc/raddb/modules/ldap" Looking in there do not find the hostname or IP of the external LDAP server in there.
Uh nope, don't try and use your v2.x.x config with v3.0.x. Just rebuild it using a stock v3.0.x config.
Reason trying to see LDAP settings is Company in installing SHA256 certs on the External LDAP server soon. I am trying to determine if LDAP is configured to use port 389 (unsecure) and there will be NO IMPACT to our servers communicating to External LDAP server or IF LDAP is configured to use port 636 (secure) then I would then need to find out if ROOT CA freeradius is using is same ROOT CA External LDAP server is using along with the same serial number.
Wow it may be the altitude but that extremely long sentence made absolutely no sense to me. Could you try rephrasing?
-Arran
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
------------------------------
Message: 2 Date: Wed, 4 May 2016 23:43:01 +0100 From: Alan Buxey <A.L.M.Buxey@lboro.ac.uk> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>, "WINANT, KEVIN" <KW517G@att.com> Subject: RE: LDAP CONFIGURATION IN FreeRadius Message-ID: <13EA1E61-38A4-4E5B-82C4-DB4C8CD2077E@lboro.ac.uk> Content-Type: text/plain; charset="UTF-8"
Ummmm. Surely you want to use protection if its out in the cloud anyway??
You can view connecting to ldap using eg netstat and tcpdump
However, regarding the root CA for ldap. Its entirely different (or can be!) To that used by freeradius for clients (PEAP etc). So, grab the required root CA of the ldap server and is server cert and use those in your config. PS ldap stuff is very much refreshed in v3 - many more options etc and a far better connection pool (could be ideal for WAN based ldap servers)
alan
------------------------------
Message: 3 Date: Wed, 4 May 2016 23:50:04 +0100 From: Alan Buxey <A.L.M.Buxey@lboro.ac.uk> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>, Arran Cudbard-Bell <a.cudbardb@freeradius.org> Subject: Re: Problem with multiple LDAP servers Message-ID: <87238DE7-BEAA-4CD8-BB2F-E5016A86901F@lboro.ac.uk> Content-Type: text/plain; charset="UTF-8"
Ah!
Of course, now I'm using multiple ldap configs I've now hit the too many files open issue.
Which causes all sorts of interesting failure modes. Obvious when sql connection can't work - the cause is printed out. ... but it was failing in reading the root cert used for ldap instance 5 and claimed it couldn't read the file, x509 issue. Given that using ulimit fixed this. ...... i guess if the failure is when spawning some Ssl stuff you can't do anything about it?
I've updated /etc/security/limits.conf - giving radius user more soft/hard files... but that didn't work .. even though the server is using radius/radius the limits seem to require root limits to be modified . Looking at adjusting the systemd script right now but it'll catch out any local admins trying to do eg radiusd -X ;)
alan
------------------------------
Message: 4 Date: Wed, 4 May 2016 22:57:22 +0000 From: "WINANT, KEVIN" <KW517G@att.com> To: Alan Buxey <A.L.M.Buxey@lboro.ac.uk>, FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: RE: LDAP CONFIGURATION IN FreeRadius Message-ID: < 751C2B6C8900694381C6D7090C243EA321601A4C@MISOUT7MSGUSRCB.ITServices.sbc.com
Content-Type: text/plain; charset="utf-8"
Thanks Alan, This is all on the companies INTRANET. No connectivity/access to Internet/Cloud. The LDAP config and Cert I am trying to verify is for the ssl connection between the FreeRadius servers and the LDAP server itself when queries sent to the LDAP server. Someplace in Free Radius I am thinking it would tell us which ROOT CA (Certificate Authority) cert and serial number it is using and via what port. (although if using port 389 for LDAP,,I figure it is not using a cert at all) Once I can locate that info I can compare to the ROOT CA and serial the LDAP server uses. If the same we’re good to go when External LDAP server installs SHA256 certs shortly. Original FreeRadius SME is no longer with us, hence the queries.
From: Alan Buxey [mailto:A.L.M.Buxey@lboro.ac.uk] Sent: Wednesday, May 04, 2016 6:43 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>; WINANT, KEVIN <KW517G@att.com> Subject: RE: LDAP CONFIGURATION IN FreeRadius
Ummmm. Surely you want to use protection if its out in the cloud anyway??
You can view connecting to ldap using eg netstat and tcpdump
However, regarding the root CA for ldap. Its entirely different (or can be!) To that used by freeradius for clients (PEAP etc). So, grab the required root CA of the ldap server and is server cert and use those in your config. PS ldap stuff is very much refreshed in v3 - many more options etc and a far better connection pool (could be ideal for WAN based ldap servers)
alan
------------------------------
Message: 5 Date: Wed, 4 May 2016 18:08:14 -0600 From: Arran Cudbard-Bell <a.cudbardb@freeradius.org> To: Alan Buxey <A.L.M.Buxey@lboro.ac.uk> Cc: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Problem with multiple LDAP servers Message-ID: <218D846B-D921-47AD-AD96-0D316D580E56@freeradius.org> Content-Type: text/plain; charset="utf-8"
On 4 May 2016, at 15:50, Alan Buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
Ah!
Of course, now I'm using multiple ldap configs I've now hit the too many files open issue.
You hit a file descriptor limit? How many connections are you opening? How many servers are you talking to?
Unfortunately from a long term architecture point of view, having one connection per working thread is desirable, so there's not much we can do to fix that.
Which causes all sorts of interesting failure modes. Obvious when sql connection can't work - the cause is printed out. ... but it was failing in reading the root cert used for ldap instance 5 and claimed it couldn't read the file, x509 issue.
Heh. Yeah that's far outside of our control, deep inside whatever libldap happens to be using for TLS.
Given that using ulimit fixed this. ...... i guess if the failure is when spawning some Ssl stuff you can't do anything about it?
It failed when instantiating the module, right? Not when opening a connection?
That'll be when it creates the new SSL_CTX.
I've updated /etc/security/limits.conf - giving radius user more soft/hard files... but that didn't work .. even though the server is using radius/radius the limits seem to require root limits to be modified . Looking at adjusting the systemd script right now but it'll catch out any local admins trying to do eg radiusd -X ;)
If you do sudo radiusd -X it'll change to the correct user IIRC.
Only when you run it with usual user privs, will it stick to that user.
-Arran
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
I think it's time for me to give back to the community now ... I m planning to add something on the how-to if the admins allow me to :)
If you have a Github account, you can edit the Wiki, or you can contribute to the effort by submitting pull requests to FreeRADIUS :-) Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc¹s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
participants (2)
-
3@D4rkn3ss DuMb -
Stefan Paetow