Redundant ldap's bug?

Paulo Cabrita pjc at ual.pt
Wed Apr 5 16:27:28 CEST 2006


Hi Alan.

I did a little more debugging on this matter and I discovered that the 
error is that FR doesn't like the CA:

TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 18, subject: 
/C=PT/ST=Lisbon/L=Lisbon/O=UAL/OU=CI/CN=checkpoint2/emailAddress=ci at ual.pt, 
issuer: 
/C=PT/ST=Lisbon/L=Lisbon/O=UAL/OU=CI/CN=checkpoint2/emailAddress=ci at ual.pt
TLS certificate verification: Error, self signed certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.

If I use only one LDAP server (the same one that gave the error) I don't have 
any problem with the TLS stuff. The problem is with the combination of 
the two self-signed certificates (one for each LDAP server, of course).

So, in isolation the master and the slave work perfectly, but in combination 
with TLS, only one works...

I don't know what more to try, because I believe I have everything 
configured correctly. :-(

Here's the most important part of my debug output:
(without ldap_debug = 0xFFFF)
...
 ldap: server = "checkpoint2"
 ldap: port = 636
 ldap: net_timeout = 60
 ldap: timeout = 60
 ldap: timelimit = 60
 ldap: identity = ""
 ldap: tls_mode = no
 ldap: start_tls = no
 ldap: tls_cacertfile = "/usr/local/radius/etc/raddb/1x/checkpoint2.pem"
 ldap: tls_cacertdir = "(null)"
 ldap: tls_certfile = "/usr/local/radius/etc/raddb/1x/checkpoint2.pem"
 ldap: tls_keyfile = "/usr/local/radius/etc/raddb/1x/checkpoint2.pem"
 ldap: tls_randfile = "(null)"
 ldap: tls_require_cert = "allow"
 ldap: password = ""
...
Module: Instantiated ldap (ldapmaster)
 ldap: server = "checkpoint"
 ldap: port = 636
 ldap: net_timeout = 60
 ldap: timeout = 60
 ldap: timelimit = 60
 ldap: identity = ""
 ldap: tls_mode = no
 ldap: start_tls = no
 ldap: tls_cacertfile = "/usr/local/radius/etc/raddb/1x/checkpoint.pem"
 ldap: tls_cacertdir = "(null)"
 ldap: tls_certfile = "/usr/local/radius/etc/raddb/1x/checkpoint.pem"
 ldap: tls_keyfile = "/usr/local/radius/etc/raddb/1x/checkpoint.pem"
 ldap: tls_randfile = "(null)"
 ldap: tls_require_cert = "allow"
 ldap: password = ""
...
Module: Instantiated ldap (ldapslave)
...
radius_xlat:  '(mail=ei20020280 at students.ual.pt)'
radius_xlat:  'ou=users,dc=ual,dc=pt'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to checkpoint:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to 
/usr/local/radius/etc/raddb/1x/checkpoint.pem
rlm_ldap: setting TLS Cert File to 
/usr/local/radius/etc/raddb/1x/checkpoint.pem
rlm_ldap: setting TLS Key File to 
/usr/local/radius/etc/raddb/1x/checkpoint.pem
rlm_ldap: bind as / to checkpoint:636
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
...
radius_xlat:  '(mail=ei20010469 at students.ual.pt)'
radius_xlat:  'ou=users,dc=ual,dc=pt'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to checkpoint2:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to 
/usr/local/radius/etc/raddb/1x/checkpoint2.pem
rlm_ldap: setting TLS Cert File to 
/usr/local/radius/etc/raddb/1x/checkpoint2.pem
rlm_ldap: setting TLS Key File to 
/usr/local/radius/etc/raddb/1x/checkpoint2.pem
rlm_ldap: bind as / to checkpoint2:636
rlm_ldap:  bind to checkpoint2:636 failed: Can't contact LDAP server
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldapmaster" returns fail for request 5
...



Alan DeKok wrote:

>Paulo Cabrita <pjc at ual.pt> wrote:
>  
>
>>I have freeradius 1.1.0 working and I want to have a redundant/load 
>>balancing mechanism, but when I use TLS to secure the communication with 
>>the ldaps, FR only works with one server (eg: ldapmaster). The log says 
>>that it cannot contact the other server (eg: ldapslave). But if I use 
>>one ldap in clear-text communication, it works perfectly, that is, I have 
>>redundant load balancing with one LDAP/TLS and another LDAP/clear. Of 
>>course it's not what I want. :-)
>>    
>>
>
>  I don't see why using TLS or not would make any difference to the
>load balancing.
>
>  Could you post the errors?
>
>  Alan DeKok.
>- 
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>  
>

-- 

Sincerely,

------------------------------------
|Paulo Cabrita, MSc                |
|Director of the Computing Centre  |
|of Universidade Autónoma de Lisboa|
|Tel: +351-213177635               |
|Fax: +351-213533702               |
|E-mail: pjc at ual.pt             |
------------------------------------
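The verification failure in the trace above (depth 0, error 18, "self signed certificate"), reproduced locally with two generated self-signed certificates, followed by the one workaround worth testing: a single trust file that holds both server certificates. This is an added example, not code from the original post or from FreeRADIUS; it assumes the openssl CLI, and the subjects, file names and the ldap-ca-bundle.pem name are constructed for the example.

```shell
#!/bin/sh
# Reproduces the "self signed certificate" (X509 error 18) verification failure
# from the TLS trace with two freshly generated self-signed certificates, then
# shows that one trust file holding both certificates verifies either server.
# Assumes the openssl CLI; certificate subjects and file names are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# One self-signed certificate per LDAP server, mirroring the original setup
# (checkpoint.pem for ldapmaster, checkpoint2.pem for ldapslave).
make_selfsigned() {  # $1 = CN
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=PT/ST=Lisbon/O=UAL/OU=CI/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}
make_selfsigned checkpoint
make_selfsigned checkpoint2

# Verify a server certificate against a trust file. Prints "ok" on success,
# otherwise the first OpenSSL verification error code, e.g. "error 18".
verify_against() {  # $1 = server certificate, $2 = CA file
    out=$(openssl verify -CAfile "$2" "$1" 2>&1) && { echo ok; return 0; }
    echo "$out" | grep -o 'error [0-9]*' | head -n 1
}

# Trust file that holds only the other server's certificate: checkpoint2 is
# rejected as an unknown self-signed CA, which is what the trace shows.
verify_against "$WORK/checkpoint2.pem" "$WORK/checkpoint.pem"        # error 18

# Workaround to test: a single bundle with both self-signed certificates,
# pointed to by tls_cacertfile in both rlm_ldap instances.
cat "$WORK/checkpoint.pem" "$WORK/checkpoint2.pem" > "$WORK/ldap-ca-bundle.pem"
verify_against "$WORK/checkpoint.pem"  "$WORK/ldap-ca-bundle.pem"    # ok
verify_against "$WORK/checkpoint2.pem" "$WORK/ldap-ca-bundle.pem"    # ok
```

Whether the bundle also cures the two-instance case depends on how the libldap TLS settings are shared inside the radiusd process, which the post does not show; the example only establishes what each trust file does and does not verify.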
