FreeRadius LDAP connection to Google Workspce
I am running into an issue with connecting to Google LDAP service (1), oddly enough if I change it from ldaps://ldap.google.com:636 to just ldap://ldap.xxxxxxxxxx it will “connect” but it will change the port to 389. (2) When its on the ldap version it will run but says it fails - ldap: ERROR: Failed performing search: Confidentiality required (1) rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636 TLS: can't connect: (unknown error code). rlm_ldap (ldap): Bind with admin@foundationacademy.net to ldaps://ldap.google.com:636 failed: Can't contact LDAP server rlm_ldap (ldap): Opening connection failed (0) rlm_ldap (ldap): Removing connection pool /etc/freeradius/3.0/mods-enabled/ldap[8]: Instantiation failed for module "ldap" (2) rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used rlm_ldap (ldap): Connecting to ldap://ldap.google.com:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (0) [ldap] = fail (0) } # authorize = fail (0) Invalid user (ldap: Failed performing search: Confidentiality required): I have included the full code below. (1) root@FreeRadius:~# freeradius -X FreeRADIUS Version 3.0.20 Copyright (C) 1999-2019 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/share/freeradius/dictionary including dictionary file /usr/share/freeradius/dictionary.dhcp including dictionary file /usr/share/freeradius/dictionary.vqp including dictionary file /etc/freeradius/3.0/dictionary including configuration file /etc/freeradius/3.0/radiusd.conf including configuration file /etc/freeradius/3.0/proxy.conf including configuration file /etc/freeradius/3.0/clients.conf including files in directory /etc/freeradius/3.0/mods-enabled/ including configuration file /etc/freeradius/3.0/mods-enabled/dynamic_clients including configuration file /etc/freeradius/3.0/mods-enabled/replicate including configuration file /etc/freeradius/3.0/mods-enabled/detail including configuration file /etc/freeradius/3.0/mods-enabled/ldap including configuration file /etc/freeradius/3.0/mods-enabled/echo including configuration file /etc/freeradius/3.0/mods-enabled/mschap including configuration file /etc/freeradius/3.0/mods-enabled/unpack including configuration file /etc/freeradius/3.0/mods-enabled/exec including configuration file /etc/freeradius/3.0/mods-enabled/realm including configuration file /etc/freeradius/3.0/mods-enabled/soh including configuration file /etc/freeradius/3.0/mods-enabled/chap including configuration file /etc/freeradius/3.0/mods-enabled/pap including configuration file /etc/freeradius/3.0/mods-enabled/radutmp including configuration file /etc/freeradius/3.0/mods-enabled/logintime including configuration file /etc/freeradius/3.0/mods-enabled/cache_eap including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp including configuration file /etc/freeradius/3.0/mods-enabled/preprocess including configuration file /etc/freeradius/3.0/mods-enabled/utf8 including configuration file /etc/freeradius/3.0/mods-enabled/expiration including configuration file /etc/freeradius/3.0/mods-enabled/passwd including configuration file /etc/freeradius/3.0/mods-enabled/digest including configuration file /etc/freeradius/3.0/mods-enabled/linelog including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth including configuration file /etc/freeradius/3.0/mods-enabled/unix including configuration file /etc/freeradius/3.0/mods-enabled/always including configuration file /etc/freeradius/3.0/mods-enabled/detail.log including configuration file /etc/freeradius/3.0/mods-enabled/eap including configuration file /etc/freeradius/3.0/mods-enabled/expr including configuration file /etc/freeradius/3.0/mods-enabled/files including files in directory /etc/freeradius/3.0/policy.d/ including configuration file /etc/freeradius/3.0/policy.d/filter including configuration file /etc/freeradius/3.0/policy.d/dhcp including configuration file /etc/freeradius/3.0/policy.d/debug including configuration file /etc/freeradius/3.0/policy.d/accounting including configuration file /etc/freeradius/3.0/policy.d/cui including configuration file /etc/freeradius/3.0/policy.d/control including configuration file /etc/freeradius/3.0/policy.d/abfab-tr including configuration file /etc/freeradius/3.0/policy.d/moonshot-targeted-ids including configuration file /etc/freeradius/3.0/policy.d/canonicalization including configuration file /etc/freeradius/3.0/policy.d/operator-name including configuration file /etc/freeradius/3.0/policy.d/eap including configuration file /etc/freeradius/3.0/policy.d/rfc7542 including files in directory /etc/freeradius/3.0/sites-enabled/ including configuration file /etc/freeradius/3.0/sites-enabled/inner-tunnel including configuration file /etc/freeradius/3.0/sites-enabled/default main { security { user = "freerad" group = "freerad" allow_core_dumps = no } name = "freeradius" prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" } main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 16384 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 120 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm foundationacademy.net { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 172.16.13.29 require_message_authenticator = no secret = <<< secret >>> nas_type = "other" proto = "*" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client localhost_ipv6 { ipv6addr = ::1 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Debugger not attached systemd watchdog is disabled # Creating Auth-Type = mschap # Creating Auth-Type = ldap # Creating Auth-Type = eap # Creating Auth-Type = PAP # Creating Auth-Type = CHAP # Creating Auth-Type = MS-CHAP # Creating Auth-Type = digest radiusd: #### Instantiating modules #### modules { # Loaded module rlm_dynamic_clients # Loading module "dynamic_clients" from file /etc/freeradius/3.0/mods-enabled/dynamic_clients # Loaded module rlm_replicate # Loading module "replicate" from file /etc/freeradius/3.0/mods-enabled/replicate # Loaded module rlm_detail # Loading module "detail" from file /etc/freeradius/3.0/mods-enabled/detail detail { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_ldap # Loading module "ldap" from file /etc/freeradius/3.0/mods-enabled/ldap ldap { server = "ldaps://ldap.google.com" identity = "admin@foundationacademy.net" password = <<< secret >>> sasl { } user_dn = "LDAP-UserDn" user { scope = "sub" access_positive = yes sasl { } } group { filter = "(objectClass=posixGroup)" scope = "sub" name_attribute = "cn" membership_attribute = "memberOf" cacheable_name = no cacheable_dn = no allow_dangling_group_ref = no } client { filter = "(objectClass=radiusClient)" scope = "sub" base_dn = "dc=foundationacademy,dc=net" } profile { } options { ldap_debug = 40 chase_referrals = yes rebind = yes net_timeout = 1 res_timeout = 10 srv_timelimit = 3 idle = 60 probes = 3 interval = 3 } tls { start_tls = no } } Creating attribute LDAP-Group # Loaded module rlm_exec # Loading module "echo" from file /etc/freeradius/3.0/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Loaded module rlm_mschap # Loading module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes winbind_retry_with_normalised_username = no } # Loaded module rlm_unpack # Loading module "unpack" from file /etc/freeradius/3.0/mods-enabled/unpack # Loading module "exec" from file /etc/freeradius/3.0/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_realm # Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Loading module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Loading module "bangpath" from file /etc/freeradius/3.0/mods-enabled/realm realm bangpath { format = "prefix" delimiter = "!" ignore_default = no ignore_null = no } # Loading module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Loading module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\\" ignore_default = no ignore_null = no } # Loaded module rlm_soh # Loading module "soh" from file /etc/freeradius/3.0/mods-enabled/soh soh { dhcp = yes } # Loaded module rlm_chap # Loading module "chap" from file /etc/freeradius/3.0/mods-enabled/chap # Loaded module rlm_pap # Loading module "pap" from file /etc/freeradius/3.0/mods-enabled/pap pap { normalise = yes } # Loaded module rlm_radutmp # Loading module "radutmp" from file /etc/freeradius/3.0/mods-enabled/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module rlm_logintime # Loading module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_cache # Loading module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap cache cache_eap { driver = "rlm_cache_rbtree" key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15 max_entries = 0 epoch = 0 add_stats = no } # Loaded module rlm_attr_filter # Loading module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/etc/freeradius/3.0/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } # Loading module "sradutmp" from file /etc/freeradius/3.0/mods-enabled/sradutmp radutmp sradutmp { filename = "/var/log/freeradius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_preprocess # Loading module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess preprocess { huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups" hints = "/etc/freeradius/3.0/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } # Loaded module rlm_utf8 # Loading module "utf8" from file /etc/freeradius/3.0/mods-enabled/utf8 # Loaded module rlm_expiration # Loading module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration # Loaded module rlm_passwd # Loading module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } # Loaded module rlm_digest # Loading module "digest" from file /etc/freeradius/3.0/mods-enabled/digest # Loaded module rlm_linelog # Loading module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog linelog { filename = "/var/log/freeradius/linelog" escape_filenames = no syslog_severity = "info" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{reply:Packet-Type}:-default}" } # Loading module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog linelog log_accounting { filename = "/var/log/freeradius/linelog-accounting" escape_filenames = no syslog_severity = "info" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loading module "ntlm_auth" from file /etc/freeradius/3.0/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes } # Loaded module rlm_unix # Loading module "unix" from file /etc/freeradius/3.0/mods-enabled/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Creating attribute Unix-Group # Loaded module rlm_always # Loading module "reject" from file /etc/freeradius/3.0/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Loading module "fail" from file /etc/freeradius/3.0/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Loading module "ok" from file /etc/freeradius/3.0/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loading module "handled" from file /etc/freeradius/3.0/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Loading module "invalid" from file /etc/freeradius/3.0/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Loading module "userlock" from file /etc/freeradius/3.0/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Loading module "notfound" from file /etc/freeradius/3.0/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Loading module "noop" from file /etc/freeradius/3.0/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Loading module "updated" from file /etc/freeradius/3.0/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loading module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail auth_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail reply_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_eap # Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap eap { default_eap_type = "ttls" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 16384 } # Loaded module rlm_expr # Loading module "expr" from file /etc/freeradius/3.0/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀ ÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } # Loaded module rlm_files # Loading module "files" from file /etc/freeradius/3.0/mods-enabled/files files { filename = "/etc/freeradius/3.0/mods-config/files/authorize" acctusersfile = "/etc/freeradius/3.0/mods-config/files/accounting" preproxy_usersfile = "/etc/freeradius/3.0/mods-config/files/pre-proxy" } instantiate { } # Instantiating module "detail" from file /etc/freeradius/3.0/mods-enabled/detail # Instantiating module "ldap" from file /etc/freeradius/3.0/mods-enabled/ldap rlm_ldap: libldap vendor: OpenLDAP, version: 20449 accounting { reference = "%{tolower:type.%{Acct-Status-Type}}" } post-auth { reference = "." } rlm_ldap (ldap): Initialising connection pool pool { start = 5 min = 3 max = 32 spare = 10 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 30 spread = no } rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636 TLS: can't connect: (unknown error code). rlm_ldap (ldap): Bind with admin@foundationacademy.net to ldaps://ldap.google.com:636 failed: Can't contact LDAP server rlm_ldap (ldap): Opening connection failed (0) rlm_ldap (ldap): Removing connection pool /etc/freeradius/3.0/mods-enabled/ldap[8]: Instantiation failed for module "ldap"
On Oct 1, 2021, at 9:02 AM, Benjamin Diehl <benjamin.diehl@foundationacademy.net> wrote:
I am running into an issue with connecting to Google LDAP service (1), oddly enough if I change it from ldaps://ldap.google.com:636 to just ldap://ldap.xxxxxxxxxx it will “connect” but it will change the port to 389. (2) When its on the ldap version it will run but says it fails - ldap: ERROR: Failed performing search: Confidentiality required
Google has docs here: https://support.google.com/a/answer/9089736?hl=en#zippy=%2Cfreeradius Note that the recommendation to force "Auth-Type = LDAP" is wrong and stupid. I've filed numerous requests to fix it, and they all get ignored. So follow their directions for configuring the LDAP module. Ignore everything else. Alan DeKok.
When I add the if statement I get this error /etc/freeradius/3.0/sites-enabled/default[451]: Invalid location for 'if' Errors reading or parsing /etc/freeradius/3.0/radiusd.conf On Oct 1, 2021, 9:05 AM -0400, Alan DeKok <aland@deployingradius.com>, wrote:
On Oct 1, 2021, at 9:02 AM, Benjamin Diehl <benjamin.diehl@foundationacademy.net> wrote:
I am running into an issue with connecting to Google LDAP service (1), oddly enough if I change it from ldaps://ldap.google.com:636 to just ldap://ldap.xxxxxxxxxx it will “connect” but it will change the port to 389. (2) When its on the ldap version it will run but says it fails - ldap: ERROR: Failed performing search: Confidentiality required
Google has docs here:
https://support.google.com/a/answer/9089736?hl=en#zippy=%2Cfreeradius
Note that the recommendation to force "Auth-Type = LDAP" is wrong and stupid. I've filed numerous requests to fix it, and they all get ignored.
So follow their directions for configuring the LDAP module. Ignore everything else.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Oct 1, 2021, at 9:29 AM, Benjamin Diehl <benjamin.diehl@foundationacademy.net> wrote:
When I add the if statement I get this error
/etc/freeradius/3.0/sites-enabled/default[451]: Invalid location for 'if' Errors reading or parsing /etc/freeradius/3.0/radiusd.conf
So... don't put the "if" statement there? I also said to configure the LDAP module. And ignore everything else. Perhaps just edit mods-available/ldap as I suggested, and try that? Alan DeKok.
Started from a completely fresh ubuntu and follow exactly what you stated, still got the same error rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636 TLS: can't connect: (unknown error code). rlm_ldap (ldap): Bind with cn=admin,dc=foundationacademy,dc=net to ldaps://ldap.google.com:636 failed: Can't contact LDAP server rlm_ldap (ldap): Opening connection failed (0) rlm_ldap (ldap): Removing connection pool /etc/freeradius/3.0/mods-enabled/ldap[8]: Instantiation failed for module "ldap" On Oct 1, 2021, 9:34 AM -0400, Alan DeKok <aland@deployingradius.com>, wrote:
On Oct 1, 2021, at 9:29 AM, Benjamin Diehl <benjamin.diehl@foundationacademy.net> wrote:
When I add the if statement I get this error
/etc/freeradius/3.0/sites-enabled/default[451]: Invalid location for 'if' Errors reading or parsing /etc/freeradius/3.0/radiusd.conf
So... don't put the "if" statement there?
I also said to configure the LDAP module. And ignore everything else. Perhaps just edit mods-available/ldap as I suggested, and try that?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Oct 1, 2021, at 10:03 AM, Benjamin Diehl <benjamin.diehl@foundationacademy.net> wrote:
Started from a completely fresh ubuntu and follow exactly what you stated, still got the same error
rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636 TLS: can't connect: (unknown error code). rlm_ldap (ldap): Bind with cn=admin,dc=foundationacademy,dc=net to ldaps://ldap.google.com:636 failed: Can't contact LDAP server
Then use wireshark / pap to see what's going on in the network. If the LDAP libraries give us only a "can't contact" error, then there isn't much more information available. Alan DeKok.
I think I found it in wireshark am I looking for something specific? I see the data go out and hits the server and comes back but nothing stands out as an error. On Oct 1, 2021, 10:05 AM -0400, Alan DeKok <aland@deployingradius.com>, wrote:
On Oct 1, 2021, at 10:03 AM, Benjamin Diehl <benjamin.diehl@foundationacademy.net> wrote:
Started from a completely fresh ubuntu and follow exactly what you stated, still got the same error
rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636 TLS: can't connect: (unknown error code). rlm_ldap (ldap): Bind with cn=admin,dc=foundationacademy,dc=net to ldaps://ldap.google.com:636 failed: Can't contact LDAP server
Then use wireshark / pap to see what's going on in the network. If the LDAP libraries give us only a "can't contact" error, then there isn't much more information available.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Oct 1, 2021, at 10:22 AM, Benjamin Diehl <benjamin.diehl@foundationacademy.net> wrote:
I think I found it in wireshark am I looking for something specific? I see the data go out and hits the server and comes back but nothing stands out as an error.
What data is going out? What is coming back? It's all LDAP magic. I can't really help with no information. And try using the command-line "ldapsearch" tool. That may have better debugging for LDAP connections. The mods-available/ldap file has detailed instructions on how to use the FreeRADIUS configuration items as part of the "ldapsearch" command-line options. If ldapsearch doesn't work, then there's no reason to do tests with FreeRADIUS. Get ldapsearch working. Then once that works, transfer the configuration to the mods-available/ldap file The problems with LDAP are typically things like incorrect account name/password, bad client certificate, missing CA cert, etc. But if the only error message is "can't connect", then it's impossible to know what's the real cause of the error. Alan DeKok.
root@FreeRadius:~# LDAPTLS_CERT={/etc/freeradius/3.0/certs/ldap-client.crt} LDAPTLS_KEY={/etc/freeradius/3.0/certs/ldap-client.key} ldapsearch -H ldaps://ldap.google.com:636 -b dc={foundationacademy},dc={net} '(main={admin@foundationacademy.net})' -d8 TLS: opening `{/etc/freeradius/3.0/certs/ldap-client.key}' failed: No such file or directory TLS: could not use private key file `{/etc/freeradius/3.0/certs/ldap-client.key}`. ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) I believe this would be the issue, however, I don’t know why it wouldn’t find it. I’ve triple checked and the file is in there and named exactly the same as the command. On Oct 1, 2021, 11:23 AM -0400, Alan DeKok <aland@deployingradius.com>, wrote:
On Oct 1, 2021, at 10:22 AM, Benjamin Diehl <benjamin.diehl@foundationacademy.net> wrote:
I think I found it in wireshark am I looking for something specific? I see the data go out and hits the server and comes back but nothing stands out as an error.
What data is going out? What is coming back? It's all LDAP magic. I can't really help with no information.
And try using the command-line "ldapsearch" tool. That may have better debugging for LDAP connections. The mods-available/ldap file has detailed instructions on how to use the FreeRADIUS configuration items as part of the "ldapsearch" command-line options.
If ldapsearch doesn't work, then there's no reason to do tests with FreeRADIUS. Get ldapsearch working. Then once that works, transfer the configuration to the mods-available/ldap file
The problems with LDAP are typically things like incorrect account name/password, bad client certificate, missing CA cert, etc. But if the only error message is "can't connect", then it's impossible to know what's the real cause of the error.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Oct 1, 2021, at 11:35 AM, Benjamin Diehl <benjamin.diehl@foundationacademy.net> wrote:
root@FreeRadius:~# LDAPTLS_CERT={/etc/freeradius/3.0/certs/ldap-client.crt} LDAPTLS_KEY={/etc/freeradius/3.0/certs/ldap-client.key} ldapsearch -H ldaps://ldap.google.com:636 -b dc={foundationacademy},dc={net} '(main={admin@foundationacademy.net})' -d8 TLS: opening `{/etc/freeradius/3.0/certs/ldap-client.key}' failed: No such file or directory TLS: could not use private key file `{/etc/freeradius/3.0/certs/ldap-client.key}`.
Why are you putting {} around everything? LDAPTLS_CERT is a filename. There's no need to add {} everywhere. Just use this, without the {} mangling: LDAPTLS_CERT=/etc/freeradius/3.0/certs/ldap-client.crt LDAPTLS_KEY=/etc/freeradius/3.0/certs/ldap-client.key ldapsearch -H ldaps://ldap.google.com:636 -b dc=foundationacademy,dc=net '(main=admin@foundationacademy.net)' -d8
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
I believe this would be the issue, however, I don’t know why it wouldn’t find it. I’ve triple checked and the file is in there and named exactly the same as the command.
There is no file named "{/etc/...}" Alan DeKok.
Here is the WireShark information, even after running the LDAPsearch command correctly it still returns the same result. TLS: can't connect: (unknown error code). ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) additional info: (unknown error code) No. Time Source Destination Protocol Length Info 831 5.008131431 127.0.0.1 127.0.0.53 DNS 88 Standard query 0x20a3 A ldap.google.com OPT Frame 831: 88 bytes on wire (704 bits), 88 bytes captured (704 bits) on interface any, id 0 Linux cooked capture Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.0.53 User Datagram Protocol, Src Port: 46092, Dst Port: 53 Domain Name System (query) No. Time Source Destination Protocol Length Info 832 5.008145831 127.0.0.1 127.0.0.53 DNS 88 Standard query 0x049f AAAA ldap.google.com OPT Frame 832: 88 bytes on wire (704 bits), 88 bytes captured (704 bits) on interface any, id 0 Linux cooked capture Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.0.53 User Datagram Protocol, Src Port: 46092, Dst Port: 53 Domain Name System (query) No. Time Source Destination Protocol Length Info 833 5.008286031 127.0.0.53 127.0.0.1 DNS 104 Standard query response 0x20a3 A ldap.google.com A 216.239.32.58 OPT Frame 833: 104 bytes on wire (832 bits), 104 bytes captured (832 bits) on interface any, id 0 Linux cooked capture Internet Protocol Version 4, Src: 127.0.0.53, Dst: 127.0.0.1 User Datagram Protocol, Src Port: 53, Dst Port: 46092 Domain Name System (response) No. Time Source Destination Protocol Length Info 834 5.008330430 127.0.0.53 127.0.0.1 DNS 116 Standard query response 0x049f AAAA ldap.google.com AAAA 2001:4860:4802:32::3a OPT Frame 834: 116 bytes on wire (928 bits), 116 bytes captured (928 bits) on interface any, id 0 Linux cooked capture Internet Protocol Version 4, Src: 127.0.0.53, Dst: 127.0.0.1 User Datagram Protocol, Src Port: 53, Dst Port: 46092 Domain Name System (response) No. Time Source Destination Protocol Length Info 835 5.008455330 172.16.11.235 216.239.32.58 TCP 76 35438 → 636 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=794117890 TSecr=0 WS=128 Frame 835: 76 bytes on wire (608 bits), 76 bytes captured (608 bits) on interface any, id 0 Linux cooked capture Internet Protocol Version 4, Src: 172.16.11.235, Dst: 216.239.32.58 Transmission Control Protocol, Src Port: 35438, Dst Port: 636, Seq: 0, Len: 0 No. Time Source Destination Protocol Length Info 836 5.011327514 fe80::1ce7:6229:56d2:b253 ff02::fb MDNS 238 Standard query response 0x0000 PTR FAN-MBP-Tech Office-01._companion-link._tcp.local TXT Frame 836: 238 bytes on wire (1904 bits), 238 bytes captured (1904 bits) on interface any, id 0 Linux cooked capture Internet Protocol Version 6, Src: fe80::1ce7:6229:56d2:b253, Dst: ff02::fb User Datagram Protocol, Src Port: 5353, Dst Port: 5353 Multicast Domain Name System (response) No. Time Source Destination Protocol Length Info 837 5.011340214 172.16.11.141 224.0.0.251 MDNS 218 Standard query response 0x0000 PTR FAN-MBP-Tech Office-01._companion-link._tcp.local TXT Frame 837: 218 bytes on wire (1744 bits), 218 bytes captured (1744 bits) on interface any, id 0 Linux cooked capture Internet Protocol Version 4, Src: 172.16.11.141, Dst: 224.0.0.251 User Datagram Protocol, Src Port: 5353, Dst Port: 5353 Multicast Domain Name System (response) No. Time Source Destination Protocol Length Info 838 5.018532576 172.16.11.131 224.0.0.251 MDNS 218 Standard query response 0x0000 PTR FAN-MBP-Tech Office-01._companion-link._tcp.local TXT Frame 838: 218 bytes on wire (1744 bits), 218 bytes captured (1744 bits) on interface any, id 0 Linux cooked capture Internet Protocol Version 4, Src: 172.16.11.131, Dst: 224.0.0.251 User Datagram Protocol, Src Port: 5353, Dst Port: 5353 Multicast Domain Name System (response) No. Time Source Destination Protocol Length Info 839 5.019156173 fe80::10dd:d8db:56bf:b639 ff02::fb MDNS 238 Standard query response 0x0000 PTR FAN-MBP-Tech Office-01._companion-link._tcp.local TXT Frame 839: 238 bytes on wire (1904 bits), 238 bytes captured (1904 bits) on interface any, id 0 Linux cooked capture Internet Protocol Version 6, Src: fe80::10dd:d8db:56bf:b639, Dst: ff02::fb User Datagram Protocol, Src Port: 5353, Dst Port: 5353 Multicast Domain Name System (response) No. Time Source Destination Protocol Length Info 840 5.020119168 216.239.32.58 172.16.11.235 TCP 76 636 → 35438 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1430 SACK_PERM=1 TSval=4220711475 TSecr=794117890 WS=256 Frame 840: 76 bytes on wire (608 bits), 76 bytes captured (608 bits) on interface any, id 0 Linux cooked capture Internet Protocol Version 4, Src: 216.239.32.58, Dst: 172.16.11.235 Transmission Control Protocol, Src Port: 636, Dst Port: 35438, Seq: 0, Ack: 1, Len: 0 No. Time Source Destination Protocol Length Info 841 5.020143667 172.16.11.235 216.239.32.58 TCP 68 35438 → 636 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=794117902 TSecr=4220711475 Frame 841: 68 bytes on wire (544 bits), 68 bytes captured (544 bits) on interface any, id 0 Linux cooked capture Internet Protocol Version 4, Src: 172.16.11.235, Dst: 216.239.32.58 Transmission Control Protocol, Src Port: 35438, Dst Port: 636, Seq: 1, Ack: 1, Len: 0 No. Time Source Destination Protocol Length Info 842 5.020381866 172.16.11.235 216.239.32.58 TLSv1.3 409 Client Hello Frame 842: 409 bytes on wire (3272 bits), 409 bytes captured (3272 bits) on interface any, id 0 Linux cooked capture Internet Protocol Version 4, Src: 172.16.11.235, Dst: 216.239.32.58 Transmission Control Protocol, Src Port: 35438, Dst Port: 636, Seq: 1, Ack: 1, Len: 341 Transport Layer Security No. Time Source Destination Protocol Length Info 843 5.032219203 216.239.32.58 172.16.11.235 TCP 68 636 → 35438 [ACK] Seq=1 Ack=342 Win=66816 Len=0 TSval=4220711487 TSecr=794117902 Frame 843: 68 bytes on wire (544 bits), 68 bytes captured (544 bits) on interface any, id 0 Linux cooked capture Internet Protocol Version 4, Src: 216.239.32.58, Dst: 172.16.11.235 Transmission Control Protocol, Src Port: 636, Dst Port: 35438, Seq: 1, Ack: 342, Len: 0 No. Time Source Destination Protocol Length Info 844 5.033541496 216.239.32.58 172.16.11.235 TLSv1.3 1453 Server Hello, Change Cipher Spec, Application Data Frame 844: 1453 bytes on wire (11624 bits), 1453 bytes captured (11624 bits) on interface any, id 0 Linux cooked capture Internet Protocol Version 4, Src: 216.239.32.58, Dst: 172.16.11.235 Transmission Control Protocol, Src Port: 636, Dst Port: 35438, Seq: 1, Ack: 342, Len: 1385 Transport Layer Security No. Time Source Destination Protocol Length Info 845 5.033547196 172.16.11.235 216.239.32.58 TCP 68 35438 → 636 [ACK] Seq=342 Ack=1386 Win=64128 Len=0 TSval=794117915 TSecr=4220711488 Frame 845: 68 bytes on wire (544 bits), 68 bytes captured (544 bits) on interface any, id 0 Linux cooked capture Internet Protocol Version 4, Src: 172.16.11.235, Dst: 216.239.32.58 Transmission Control Protocol, Src Port: 35438, Dst Port: 636, Seq: 342, Ack: 1386, Len: 0 No. Time Source Destination Protocol Length Info 846 5.033689995 172.16.11.235 216.239.32.58 TLSv1.3 74 Change Cipher Spec Frame 846: 74 bytes on wire (592 bits), 74 bytes captured (592 bits) on interface any, id 0 Linux cooked capture Internet Protocol Version 4, Src: 172.16.11.235, Dst: 216.239.32.58 Transmission Control Protocol, Src Port: 35438, Dst Port: 636, Seq: 342, Ack: 1386, Len: 6 Transport Layer Security No. Time Source Destination Protocol Length Info 847 5.033889994 172.16.11.235 216.239.32.58 TLSv1.3 98 Application Data Frame 847: 98 bytes on wire (784 bits), 98 bytes captured (784 bits) on interface any, id 0 Linux cooked capture Internet Protocol Version 4, Src: 172.16.11.235, Dst: 216.239.32.58 Transmission Control Protocol, Src Port: 35438, Dst Port: 636, Seq: 348, Ack: 1386, Len: 30 Transport Layer Security No. Time Source Destination Protocol Length Info 848 5.033995794 172.16.11.235 216.239.32.58 TLSv1.3 142 Application Data Frame 848: 142 bytes on wire (1136 bits), 142 bytes captured (1136 bits) on interface any, id 0 Linux cooked capture Internet Protocol Version 4, Src: 172.16.11.235, Dst: 216.239.32.58 Transmission Control Protocol, Src Port: 35438, Dst Port: 636, Seq: 378, Ack: 1386, Len: 74 Transport Layer Security No. Time Source Destination Protocol Length Info 849 5.045626632 216.239.32.58 172.16.11.235 TCP 68 636 → 35438 [ACK] Seq=1386 Ack=453 Win=66816 Len=0 TSval=4220711500 TSecr=794117916 Frame 849: 68 bytes on wire (544 bits), 68 bytes captured (544 bits) on interface any, id 0 Linux cooked capture Internet Protocol Version 4, Src: 216.239.32.58, Dst: 172.16.11.235 Transmission Control Protocol, Src Port: 636, Dst Port: 35438, Seq: 1386, Ack: 453, Len: 0 No. Time Source Destination Protocol Length Info 850 5.062517642 216.239.32.58 172.16.11.235 TCP 68 636 → 35438 [FIN, ACK] Seq=1386 Ack=453 Win=66816 Len=0 TSval=4220711517 TSecr=794117916 Frame 850: 68 bytes on wire (544 bits), 68 bytes captured (544 bits) on interface any, id 0 Linux cooked capture Internet Protocol Version 4, Src: 216.239.32.58, Dst: 172.16.11.235 Transmission Control Protocol, Src Port: 636, Dst Port: 35438, Seq: 1386, Ack: 453, Len: 0 No. Time Source Destination Protocol Length Info 851 5.062536242 172.16.11.235 216.239.32.58 TCP 68 35438 → 636 [ACK] Seq=453 Ack=1387 Win=64128 Len=0 TSval=794117944 TSecr=4220711517 Frame 851: 68 bytes on wire (544 bits), 68 bytes captured (544 bits) on interface any, id 0 Linux cooked capture Internet Protocol Version 4, Src: 172.16.11.235, Dst: 216.239.32.58 Transmission Control Protocol, Src Port: 35438, Dst Port: 636, Seq: 453, Ack: 1387, Len: 0 On Oct 1, 2021, 11:41 AM -0400, Alan DeKok <aland@deployingradius.com>, wrote:
On Oct 1, 2021, at 11:35 AM, Benjamin Diehl <benjamin.diehl@foundationacademy.net> wrote:
root@FreeRadius:~# LDAPTLS_CERT={/etc/freeradius/3.0/certs/ldap-client.crt} LDAPTLS_KEY={/etc/freeradius/3.0/certs/ldap-client.key} ldapsearch -H ldaps://ldap.google.com:636 -b dc={foundationacademy},dc={net} '(main={admin@foundationacademy.net})' -d8 TLS: opening `{/etc/freeradius/3.0/certs/ldap-client.key}' failed: No such file or directory TLS: could not use private key file `{/etc/freeradius/3.0/certs/ldap-client.key}`.
Why are you putting {} around everything?
LDAPTLS_CERT is a filename. There's no need to add {} everywhere. Just use this, without the {} mangling:
LDAPTLS_CERT=/etc/freeradius/3.0/certs/ldap-client.crt LDAPTLS_KEY=/etc/freeradius/3.0/certs/ldap-client.key ldapsearch -H ldaps://ldap.google.com:636 -b dc=foundationacademy,dc=net '(main=admin@foundationacademy.net)' -d8
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
I believe this would be the issue, however, I don’t know why it wouldn’t find it. I’ve triple checked and the file is in there and named exactly the same as the command.
There is no file named "{/etc/...}"
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Oct 1, 2021, at 1:06 PM, Benjamin Diehl <benjamin.diehl@foundationacademy.net> wrote:
Here is the WireShark information, even after running the LDAPsearch command correctly it still returns the same result.
Then either the google LDAP servers are down, or you're passing the wrong information to ldapsearch. Either way, this isn't a FreeRADIUS issue. Once you can get ldapsearch to work, then just use the same configuration for FreeRADIUS. Alan DeKok.
participants (2)
-
Alan DeKok -
Benjamin Diehl