deactivate ldap.attrmap

Sebastian Heil s3b0 at gmx.de
Thu Jan 31 11:10:52 CET 2008


> 
> -------- Original Message --------
> > Date: Wed, 30 Jan 2008 09:28:31 -0500
> > From: "Wm. Josiah Erikson" <wjerikson at hampshire.edu>
> > To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> > Subject: Re: deactivate ldap.attrmap
> 
> > What struck me was that you need more attributes, but maybe I missed
> them:
> > 
> > -cacertfile
> > -certfile
> > -keyfile
> > 
> >     -Josiah
> >
> 
> I also tried a configuration with these attributes, but the error was the
> same. In my config there is at the moment only the "cacertfile", which is
> needed for the check of the eDirectory server certificate.
> In my opinion, I don't need the certfile and keyfile for EAP-TLS, because
> the eDirectory server doesn't check the FreeRADIUS server certificate. Is
> this correct?
> 
> Sebastian
> > 
> > Sebastian Heil wrote:
> > >> Sebastian Heil wrote:
> > >> ...
> > >>     
> > >>> I added the following lines to the ldap section:
> > >>>       
> > >> ...
> > >>     
> > >>> rlm_ldap: could not start TLS Can't contact LDAP server
> > >>>       
> > >>   Maybe you need to check that there is an LDAP server listening on that port?
> > >>
> > >>   Alan DeKok.
> > >>
> > >>     
> > >
> > > Thanks for your fast answer, Alan.
> > > But I am afraid this is not the solution... The LDAP server is
> > > listening and even responding to my LDAP request. I captured the
> > > communication between the FreeRADIUS and the eDirectory with Ethereal:
> > >
> > > Does anyone have any idea about the "Encrypted Alert" in no. 14? Thanks.
> > >
> > > ---------------------
> > > No.     Time        Source                Destination           Protocol Info
> > >       1 0.000000    radtestclient       freeradius            RADIUS   Access-Request(1) (id=74, l=58)
> > >       3 0.000749    freeradius          edirectory            TCP      56302 > ldaps [SYN] Seq=0 Len=0 MSS=1460 TSV=445748676 TSER=0 WS=2
> > >       5 0.012986    edirectory          freeradius            TCP      ldaps > 56302 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1460 WS=0 TSV=3386151196 TSER=445748676
> > >       6 0.013057    freeradius          edirectory            TCP      56302 > ldaps [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=445748679 TSER=3386151196
> > >       7 0.013639    freeradius          edirectory            SSLv2    Client Hello
> > >       8 0.021887    edirectory          freeradius            TLSv1    Server Hello,
> > >       9 0.022035    freeradius          edirectory            TCP      56302 > ldaps [ACK] Seq=143 Ack=1449 Win=8736 Len=0 TSV=445748682 TSER=3386151206
> > >      10 0.030390    edirectory          freeradius            TLSv1    Certificate
> > >      11 0.030550    freeradius          edirectory            TCP      56302 > ldaps [ACK] Seq=143 Ack=1946 Win=11632 Len=0 TSV=445748684 TSER=3386151215
> > >      12 0.032263    freeradius          edirectory            TLSv1    Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
> > >      13 0.048990    edirectory          freeradius            TLSv1    Change Cipher Spec, Encrypted Handshake Message
> > >      14 0.049652    freeradius          edirectory            TLSv1    Encrypted Alert
> > >      15 0.049923    freeradius          edirectory            TCP      56302 > ldaps [FIN, ACK] Seq=506 Ack=2005 Win=11632 Len=0 TSV=445748689 TSER=3386151237
> > >      17 0.057441    edirectory          freeradius            TCP      ldaps > 56302 [ACK] Seq=2005 Ack=507 Win=4885 Len=0 TSV=3386151247 TSER=445748689
> > >      18 0.057774    edirectory          freeradius            TLSv1    Encrypted Alert
> > >      19 0.057807    freeradius          edirectory            TCP      56302 > ldaps [RST] Seq=507 Len=0
> > >      20 0.057880    edirectory          freeradius            TCP      ldaps > 56302 [FIN, ACK] Seq=2042 Ack=507 Win=4885 Len=0 TSV=3386151247 TSER=445748689
> > >      21 0.057903    freeradius          edirectory            TCP      56302 > ldaps [RST] Seq=507 Len=0


I think I found the problem. The client starts the session with the Client Hello packet. I think the protocol of the Client Hello packet is wrong: it's not TLS but SSLv2. For example, in SSLv2 the random number is missing.

Is there a way to change the Client Hello packet to TLS, not SSLv2?

Thanks in advance.

Sebastian
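The trace above shows a Client Hello in SSLv2 record format (frame 7) answered by a TLSv1 Server Hello (frame 8). An SSLv2-compatible Client Hello still carries the client's highest supported version in its version field, which is how a server negotiates TLS 1.0 from it; the two formats differ in the record header (a two-byte length with the high bit set versus content type 0x16 plus version plus length), in the three-byte versus two-byte cipher suite encoding, and in the 16- to 32-byte "challenge" that stands where TLS puts the 32-byte client random. The Python below is an added example, not code from the post or from FreeRADIUS, OpenLDAP or eDirectory: it builds one hello of each kind (the cipher suites and the zeroed challenge/random bytes are constructed assumptions) and parses either form, so the same routine can be pointed at the raw bytes Ethereal captured in frame 7 to see which format and which version the client actually advertised.

```python
"""Distinguish an SSLv2-format Client Hello from a TLS-format one.

Added example (not from the mailing-list post). The sample hellos are
constructed inline; cipher suites and zeroed challenge/random bytes are
assumptions chosen for illustration.
"""
import struct

# Cipher suite ids used in the constructed samples (assumption)
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A
DEFAULT_SUITES = (TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA)


def build_sslv2_compat_hello(version=(3, 1), suites=DEFAULT_SUITES, challenge=bytes(16)):
    """SSLv2 CLIENT-HELLO that advertises a TLS version in its version field.
    There is no 32-byte random; a 16..32 byte 'challenge' takes its place."""
    specs = b"".join(struct.pack(">I", s)[1:] for s in suites)  # 3-byte cipher specs
    body = (b"\x01" + bytes(version)
            + struct.pack(">HHH", len(specs), 0, len(challenge))
            + specs + challenge)
    # 2-byte record header: high bit set, 15-bit length, no version field
    return struct.pack(">H", 0x8000 | len(body)) + body


def build_tls_client_hello(version=(3, 1), suites=DEFAULT_SUITES, client_random=bytes(32)):
    """TLS record (type 0x16) carrying a ClientHello handshake message."""
    body = (bytes(version) + client_random + b"\x00"  # empty session id
            + struct.pack(">H", 2 * len(suites))
            + b"".join(struct.pack(">H", s) for s in suites)
            + b"\x01\x00")  # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(data):
    """Return record format, advertised client version, cipher suites and
    the size of the random/challenge field, for either hello format."""
    if len(data) < 5:
        raise ValueError("too short to be a Client Hello")
    if data[0] & 0x80:
        length = struct.unpack(">H", data[:2])[0] & 0x7FFF
        body = data[2:2 + length]
        if len(body) < 9 or body[0] != 0x01:
            raise ValueError("not an SSLv2 CLIENT-HELLO")
        cs_len, _sid_len, ch_len = struct.unpack(">HHH", body[3:9])
        specs = body[9:9 + cs_len]
        if len(specs) != cs_len or cs_len % 3:
            raise ValueError("truncated cipher specs")
        return {
            "record": "sslv2",
            "client_version": (body[1], body[2]),
            "cipher_suites": [int.from_bytes(specs[i:i + 3], "big") for i in range(0, cs_len, 3)],
            "random_len": ch_len,  # SSLv2 challenge, not a TLS random
        }
    if data[0] == 0x16:
        rec_len = struct.unpack(">H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:
            raise ValueError("not a TLS ClientHello handshake message")
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        if len(body) < 35:
            raise ValueError("truncated ClientHello")
        off = 35 + body[34]  # skip 2-byte version, 32-byte random, session id
        cs_len = struct.unpack(">H", body[off:off + 2])[0]
        suites = body[off + 2:off + 2 + cs_len]
        if len(suites) != cs_len or cs_len % 2:
            raise ValueError("truncated cipher suites")
        return {
            "record": "tls",
            "client_version": (body[0], body[1]),
            "cipher_suites": [int.from_bytes(suites[i:i + 2], "big") for i in range(0, cs_len, 2)],
            "random_len": 32,
        }
    raise ValueError("unrecognised first byte 0x%02x" % data[0])


def advertises_tls(info):
    """True when the hello offers TLS 1.0 or later, whatever its record format."""
    return tuple(info["client_version"]) >= (3, 1)


if __name__ == "__main__":
    for hello in (build_sslv2_compat_hello(), build_tls_client_hello()):
        info = parse_client_hello(hello)
        print(info["record"], info["client_version"], advertises_tls(info))
```

Run against a real capture, the `record` field tells you which format Ethereal saw, and `client_version` tells you what the client offered inside it; a hello that parses as `sslv2` with version (3, 1) is exactly the case where the server may still answer with a TLSv1 Server Hello, as frame 8 does. The hello format also says nothing by itself about how far the handshake got: in the trace, frames 12 and 13 carry Change Cipher Spec from both sides before the client sends the Encrypted Alert in frame 14.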