Hi! I have freeradius 1.1.0 working and I want to have a redundant/load balancing mecanism but when I use TLS to secure the communication with the ldaps, FR only works with one server (eg: ldapmaster). The log says that it cannot contact the other server (eg: ldapslave). But if I use one ldap in clear-text communication, it works perfectly, that is I have redundant load balancing with one LDAP/TLS and another LDAP/clear. Of course it's not what I want. :-) My configurations are: modules { ... ldap ldapmaster { server = "checkpoint2" port = 636 basedn = "ou=users,dc=ual,dc=pt" filter = "(mail=%{User-Name})" dictionary_mapping = ${raddbdir}/ldap.attrmap timeout = 60 timelimit = 60 net_timeout = 60 ldap_connections_number = 30 access_attr = "radiusClientIPAddress" start_tls = no tls_cacertfile = ${raddbdir}/1x/checkpoint2.pem tls_certfile = ${raddbdir}/1x/checkpoint2.pem tls_keyfile = ${raddbdir}/1x/checkpoint2.pem } ldap ldapslave { server = "checkpoint" port = 636 basedn = "ou=users,dc=ual,dc=pt" filter = "(mail=%{User-Name})" dictionary_mapping = ${raddbdir}/ldap.attrmap timeout = 60 timelimit = 60 net_timeout = 60 ldap_connections_number = 30 access_attr = "radiusClientIPAddress" start_tls = no tls_cacertfile = ${raddbdir}/1x/checkpoint.pem tls_certfile = ${raddbdir}/1x/checkpoint.pem tls_keyfile = ${raddbdir}/1x/checkpoint.pem } ... } .... redundant-load-balance { ldapmaster ldapslave } Any idea? TIA. -- Atentamente, ------------------------------------ |Paulo Cabrita, Msc | |Director do Centro de Informática | |da Universidade Autónoma de Lisboa| |Tel: +351-213177635 | |Fax: +351-213533702 | |E-mail: pjc@ual.pt | ------------------------------------
Paulo Cabrita <pjc@ual.pt> wrote:
I have freeradius 1.1.0 working and I want to have a redundant/load balancing mecanism but when I use TLS to secure the communication with the ldaps, FR only works with one server (eg: ldapmaster). The log says that it cannot contact the other server (eg: ldapslave). But if I use one ldap in clear-text communication, it works perfectly, that is I have redundant load balancing with one LDAP/TLS and another LDAP/clear. Of course it's not what I want. :-)
I don't see why using TLS or not would make any difference to the load balancing. Could you post the errors? Alan DeKok.
Hi Alan. I made a little more debug on this matter and I discovered that the error is that FR doesn't like the CA: TLS trace: SSL_connect:before/connect initialization TLS trace: SSL_connect:SSLv2/v3 write client hello A TLS trace: SSL_connect:SSLv3 read server hello A TLS certificate verification: depth: 0, err: 18, subject: /C=PT/ST=Lisbon/L=Lisbon/O=UAL/OU=CI/CN=checkpoint2/emailAddress=ci@ual.pt, issuer: /C=PT/ST=Lisbon/L=Lisbon/O=UAL/OU=CI/CN=checkpoint2/emailAddress=ci@ual.pt TLS certificate verification: Error, self signed certificate TLS trace: SSL3 alert write:fatal:unknown CA TLS trace: SSL_connect:error in SSLv3 read server certificate B TLS trace: SSL_connect:error in SSLv3 read server certificate B TLS: can't connect. If I use only one LDAP server (the same that gave an error) I don't have any problem with the TLS stuff. The problem is with the combination of the two self signed certificate (one for each LDAP server, of course). So, isolated the master and the slave work perfectly but in combination with TLS, only one works... I don't know what to try more because I believe I have everything well configured. :-( Here's the most important of my debug: (without ldap_debug = 0xFFFF) ... ldap: server = "checkpoint2" ldap: port = 636 ldap: net_timeout = 60 ldap: timeout = 60 ldap: timelimit = 60 ldap: identity = "" ldap: tls_mode = no ldap: start_tls = no ldap: tls_cacertfile = "/usr/local/radius/etc/raddb/1x/checkpoint2.pem" ldap: tls_cacertdir = "(null)" ldap: tls_certfile = "/usr/local/radius/etc/raddb/1x/checkpoint2.pem" ldap: tls_keyfile = "/usr/local/radius/etc/raddb/1x/checkpoint2.pem" ldap: tls_randfile = "(null)" ldap: tls_require_cert = "allow" ldap: password = "" ... Module: Instantiated ldap (ldapmaster) ldap: server = "checkpoint" ldap: port = 636 ldap: net_timeout = 60 ldap: timeout = 60 ldap: timelimit = 60 ldap: identity = "" ldap: tls_mode = no ldap: start_tls = no ldap: tls_cacertfile = "/usr/local/radius/etc/raddb/1x/checkpoint.pem" ldap: tls_cacertdir = "(null)" ldap: tls_certfile = "/usr/local/radius/etc/raddb/1x/checkpoint.pem" ldap: tls_keyfile = "/usr/local/radius/etc/raddb/1x/checkpoint.pem" ldap: tls_randfile = "(null)" ldap: tls_require_cert = "allow" ldap: password = "" ... Module: Instantiated ldap (ldapslave) ... radius_xlat: '(mail=ei20020280@students.ual.pt)' radius_xlat: 'ou=users,dc=ual,dc=pt' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to checkpoint:636, authentication 0 rlm_ldap: setting TLS mode to 1 rlm_ldap: setting TLS CACert File to /usr/local/radius/etc/raddb/1x/checkpoint.pem rlm_ldap: setting TLS Cert File to /usr/local/radius/etc/raddb/1x/checkpoint.pem rlm_ldap: setting TLS Key File to /usr/local/radius/etc/raddb/1x/checkpoint.pem rlm_ldap: bind as / to checkpoint:636 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful ... radius_xlat: '(mail=ei20010469@students.ual.pt)' radius_xlat: 'ou=users,dc=ual,dc=pt' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to checkpoint2:636, authentication 0 rlm_ldap: setting TLS mode to 1 rlm_ldap: setting TLS CACert File to /usr/local/radius/etc/raddb/1x/checkpoint2.pem rlm_ldap: setting TLS Cert File to /usr/local/radius/etc/raddb/1x/checkpoint2.pem rlm_ldap: setting TLS Key File to /usr/local/radius/etc/raddb/1x/checkpoint2.pem rlm_ldap: bind as / to checkpoint2:636 rlm_ldap: bind to checkpoint2:636 failed: Can't contact LDAP server rlm_ldap: (re)connection attempt failed rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldapmaster" returns fail for request 5 ... Alan DeKok wrote:
Paulo Cabrita <pjc@ual.pt> wrote:
I have freeradius 1.1.0 working and I want to have a redundant/load balancing mecanism but when I use TLS to secure the communication with the ldaps, FR only works with one server (eg: ldapmaster). The log says that it cannot contact the other server (eg: ldapslave). But if I use one ldap in clear-text communication, it works perfectly, that is I have redundant load balancing with one LDAP/TLS and another LDAP/clear. Of course it's not what I want. :-)
I don't see why using TLS or not would make any difference to the load balancing.
Could you post the errors?
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Atentamente, ------------------------------------ |Paulo Cabrita, Msc | |Director do Centro de Informática | |da Universidade Autónoma de Lisboa| |Tel: +351-213177635 | |Fax: +351-213533702 | |E-mail: pjc@ual.pt | ------------------------------------
Paulo Cabrita <pjc@ual.pt> wrote:
I made a little more debug on this matter and I discovered that the error is that FR doesn't like the CA:
...
TLS certificate verification: Error, self signed certificate TLS trace: SSL3 alert write:fatal:unknown CA
That's an SSL error. FreeRADIUS has little control over it. FreeRADIUS is calling the LDAP client library, and asking it to use a particular CA for one ldap instance. FreeRADIUS does that again for the other ldap instance. My guess is that the LDAP client library, or OpenSSL, over-writes the first CA with the second one. You should be able to verify this by listing the master & slave ldap names in the "instantiate" section. That forces the server to initialize the modules in a particular order. Then, test the server. You should see that the *first* module listed in "instantiate" fails, and the second succeeds. Stop the server, and swap the order in the "instantiate" section. You should again see that the first listed one fails, and the second succeeds. If that happens, it's either a bug in the OpenLDAP client libraries, or in OpenSSL. I'm not sure there's anything you can do to FreeRADIUS to fix it. The only option to make it work is to have both certs signed by the same CA. In that case, it doesn't matter that the first gets over-written by the second, because they're both the same. Alan DeKok.
Paulo Cabrita <pjc@ual.pt> wrote: ... See: http://www.openldap.org/devel/cvsweb.cgi/~checkout~/libraries/libldap/tls.c?... ... static char *tls_opt_cacertfile = NULL; ... Yup. It's a bug in the OpenLDAP client library. They don't support multiple users of LDAP connections in the same program. I'll file a bug with the OpenLDAP project. Alan DeKok.
Thanks Alan. Nevertheless I will try the solution of one CA for the two servers, if it's the same, it will probably work I will post the result later. Cheers. Alan DeKok wrote:
Paulo Cabrita <pjc@ual.pt> wrote: ...
See:
http://www.openldap.org/devel/cvsweb.cgi/~checkout~/libraries/libldap/tls.c?...
... static char *tls_opt_cacertfile = NULL; ...
Yup. It's a bug in the OpenLDAP client library. They don't support multiple users of LDAP connections in the same program.
I'll file a bug with the OpenLDAP project.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Atentamente, ------------------------------------ |Paulo Cabrita, Msc | |Director do Centro de Informática | |da Universidade Autónoma de Lisboa| |Tel: +351-213177635 | |Fax: +351-213533702 | |E-mail: pjc@ual.pt | ------------------------------------
Hi Alan, I saw the code a little closer and I think it's not worthy to try to have one CA and two certificate for each server. The LDAP client only support the data for one connection... static char *tls_opt_certfile = NULL; static char *tls_opt_keyfile = NULL; static char *tls_opt_dhfile = NULL; static char *tls_opt_cacertfile = NULL; static char *tls_opt_cacertdir = NULL; What do you think? Alan DeKok wrote:
Paulo Cabrita <pjc@ual.pt> wrote: ...
See:
http://www.openldap.org/devel/cvsweb.cgi/~checkout~/libraries/libldap/tls.c?...
... static char *tls_opt_cacertfile = NULL; ...
Yup. It's a bug in the OpenLDAP client library. They don't support multiple users of LDAP connections in the same program.
I'll file a bug with the OpenLDAP project.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Atentamente, ------------------------------------ |Paulo Cabrita, Msc | |Director do Centro de Informática | |da Universidade Autónoma de Lisboa| |Tel: +351-213177635 | |Fax: +351-213533702 | |E-mail: pjc@ual.pt | ------------------------------------
Paulo Cabrita <pjc@ual.pt> wrote:
I saw the code a little closer and I think it's not worthy to try to have one CA and two certificate for each server. The LDAP client only support the data for one connection...
static char *tls_opt_certfile = NULL;
Yes, that's exactly what I said. Alan DeKok.
participants (3)
-
Alan DeKok -
Alan DeKok -
Paulo Cabrita