TLS/SSL to eDirectory
jp at joshmp.com
Fri Sep 2 04:59:29 CEST 2005
Setup:
- FreeRADIUS 1.0.4 built with edir on FreeBSD 4.11 server.
- Cisco 3005 VPN Concentrator
- LDAP database on NetWare 6.5 server
Everything works fine when not using an SSL certificate and TLS. However,
when TLS is turned on, here is what I get:
-----snip-----
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.254.1.6:1063, id=27,
length=118
User-Name = "username"
User-Password = "password"
NAS-Port = 1028
Service-Type = Framed-User
Framed-Protocol = PPP
Called-Station-Id = "10.254.1.6"
Calling-Station-Id = "69.152.48.158"
Tunnel-Client-Endpoint:0 = "69.152.48.158"
NAS-IP-Address = 10.254.1.6
NAS-Port-Type = Virtual
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
rlm_realm: No '@' in User-Name = "stcrye", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for stcrye
radius_xlat: '(cn=username)'
radius_xlat: 'o=services'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.254.8.25:389, authentication 0
rlm_ldap: setting TLS CACert File to
/home/juser/trustedrootcertssl-certdns-episd1.b64
rlm_ldap: starting TLS
rlm_ldap: ldap_start_tls_s()
rlm_ldap: could not start TLS Connect error
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap1" returns fail for request 0
modcall: group authorize returns fail for request 0
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.254.1.6:1063, id=27,
length=118
Discarding duplicate request from client VPN:1063 - ID: 27
--- Walking the entire request list ---
Waking up in 2 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 27 with timestamp 431712ab
Nothing to do. Sleeping until we see a request.
-----snip-----
Relevant portion of radiusd.conf:
-----snip-----
ldap ldap1 {
        server = "10.254.8.25"
        identity = "cn=raduser,o=services"
        password = secretrad
        basedn = "o=services"
        filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
        #start_tls = no
        start_tls = yes
        tls_cacertfile = /home/juser/trustedrootcertssl-certdns-episd1.b64
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        password_attribute = userPassword
        edir_account_policy_check = no
        timeout = 20
        timelimit = 20
        net_timeout = 20
}
-----snip-----
When I un-comment start_tls = no and comment out start_tls = yes and
tls_cacertfile, everything works fine.
I don't really know where to start. I have read the FAQs, been up
and down the list and can't find a solution.
Thanks in advance.
Josh
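The trace above stops at "ldap_start_tls_s() ... could not start TLS Connect error", which does not say whether the CA file was loaded at all or whether the handshake itself failed. The script below is an added diagnostic, not part of Josh's post and not FreeRADIUS code. It checks two things separately: whether the file named in tls_cacertfile is in a form an OpenSSL-based LDAP client will read as a CA file (PEM; a raw DER export or a Base64 dump without the BEGIN/END armor is rewritten to PEM, on the assumption that an eDirectory .b64 export may be either), and whether the server at the configured address accepts the LDAP StartTLS extended operation and presents a certificate that verifies against that CA when addressed by IP, as the posted config does. The StartTLS request and response handling follow RFC 4511 (OID 1.3.6.1.4.1.1466.20037); the default path and address are taken from the post and are only defaults.

```python
"""Added diagnostic for rlm_ldap's 'could not start TLS Connect error'.

Not FreeRADIUS code. Step 1: classify/normalise the tls_cacertfile to PEM.
Step 2: do the same LDAP StartTLS handshake ldap_start_tls_s() does and
verify the server certificate against that CA file.
"""
import base64
import binascii
import socket
import ssl
import sys

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended operation


def detect_cert_format(data: bytes) -> str:
    """Classify a CA file as 'pem', 'der', 'base64-no-armor' or 'unknown'."""
    body = data.strip()
    if body.startswith(b"-----BEGIN"):
        return "pem"
    if body[:1] == b"\x30":                    # ASN.1 SEQUENCE tag: raw DER
        return "der"
    try:                                       # bare Base64 (assumed .b64 export)?
        raw = base64.b64decode(b"".join(body.split()), validate=True)
    except (binascii.Error, ValueError):
        return "unknown"
    return "base64-no-armor" if raw[:1] == b"\x30" else "unknown"


def to_pem(data: bytes) -> bytes:
    """Return the certificate as PEM, the encoding OpenSSL's CAfile loader expects."""
    fmt = detect_cert_format(data)
    if fmt == "pem":
        return data if data.endswith(b"\n") else data + b"\n"
    if fmt == "der":
        return ssl.DER_cert_to_PEM_cert(data).encode("ascii")
    if fmt == "base64-no-armor":
        der = base64.b64decode(b"".join(data.split()))
        return ssl.DER_cert_to_PEM_cert(der).encode("ascii")
    raise ValueError("file is not a certificate in any recognised encoding")


def _ber_len(n: int) -> bytes:
    """BER definite length, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def build_starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    ext_req = _tlv(0x77, _tlv(0x80, STARTTLS_OID))
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + ext_req)


def _read_tlv(buf: bytes, pos: int):
    """Decode one BER TLV at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_result_code(response: bytes) -> int:
    """resultCode of an ExtendedResponse [APPLICATION 24]; 0 means StartTLS accepted."""
    tag, msg, _ = _read_tlv(response, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _read_tlv(msg, 0)              # skip messageID
    tag, ext_resp, _ = _read_tlv(msg, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse (tag 0x%02x)" % tag)
    tag, code, _ = _read_tlv(ext_resp, 0)      # resultCode ENUMERATED
    if tag != 0x0A:
        raise ValueError("ExtendedResponse without resultCode")
    return int.from_bytes(code, "big")


def starttls_probe(host: str, port: int, cafile: str, timeout: float = 10.0) -> str:
    """Clear-text connect, StartTLS, then handshake verifying the server against cafile."""
    ctx = ssl.create_default_context(cafile=cafile)   # raises here if cafile is not loadable
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request())
        code = parse_result_code(sock.recv(4096))       # tiny response; one recv suffices
        if code != 0:
            return "server refused StartTLS, resultCode=%d" % code
        try:
            # Name check is against what we connected to; with an IP the cert
            # needs a matching iPAddress SAN, otherwise this reports a mismatch.
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "TLS ok: %s, subject=%s" % (tls.version(), tls.getpeercert().get("subject"))
        except ssl.SSLCertVerificationError as exc:
            return "handshake failed at certificate verification: %s" % exc.verify_message


if __name__ == "__main__":
    # Defaults taken from the posted config; override on the command line.
    path = sys.argv[1] if len(sys.argv) > 1 else "/home/juser/trustedrootcertssl-certdns-episd1.b64"
    host = sys.argv[2] if len(sys.argv) > 2 else "10.254.8.25"
    with open(path, "rb") as fh:
        data = fh.read()
    fmt = detect_cert_format(data)
    print("CA file format:", fmt)
    if fmt != "pem":
        path += ".pem"
        with open(path, "wb") as fh:
            fh.write(to_pem(data))
        print("rewrote CA file as PEM:", path)
    print(starttls_probe(host, 389, path))
```

Run it as `python starttls_probe.py /path/to/ca.b64 10.254.8.25`. A failure in `create_default_context` points at the CA file encoding; a non-zero resultCode means the directory did not accept StartTLS on that port; a verification error with the server's reason separates "untrusted issuer" from "name does not match the address in the server = line", which is the distinction the rlm_ldap trace does not make.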