Ldap searches don't seem to honour connect_timeout

Franks Andy (IT Technical Architecture Manager) Andy.Franks at sath.nhs.uk
Wed May 11 15:29:05 CEST 2016


Hmm, so it looks like it might be using the correct libraries now, as the ldap debug string now works, for example here where I removed the self-signed CA for the self-signed cert for ldaps:

TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (unable to get local issuer certificate).
rlm_ldap (ldap1): Bind with CN=LDAPQuery_RADIUS,OU=NonLockableUsers,OU=SpecialUsers,OU=SATHUsers,DC=SATH,DC=nhs,DC=uk to ldaps://sath.nhs.uk:636 failed: Can't contact LDAP server
rlm_ldap (ldap1): Opening connection failed (0)

It didn't use to spit out any debugging with the GNU TLS library, as far as I can remember.

Getting past that though, it still stalls when the host is dead:

rlm_ldap (ldap1): Initialising connection pool
   pool {
        ..
        connect_timeout = 2.000000
        ..
   }

It still takes a couple of minutes:

Wed May 11 14:23:29 2016 : Info: rlm_ldap (ldap1): Opening additional connection (0), 1 of 10 pending slots used
Wed May 11 14:23:29 2016 : Debug: rlm_ldap (ldap1): Connecting to ldaps://sath-ad1wk8.sath.nhs.uk:636
Wed May 11 14:23:29 2016 : Debug: rlm_ldap (ldap1): New libldap handle 0x209a550
Wed May 11 14:25:36 2016 : Error: rlm_ldap (ldap1): Bind with CN=LDAPQuery_RADIUS,OU=NonLockableUsers,OU=SpecialUsers,OU=SATHUsers,DC=SATH,DC=nhs,DC=uk to ldaps://sath.nhs.uk:636 failed: Can't contact LDAP server
Wed May 11 14:25:36 2016 : Debug: rlm_ldap: Closing libldap handle 0x209a550
Wed May 11 14:25:36 2016 : Error: rlm_ldap (ldap1): Opening connection failed (0)
Wed May 11 14:25:36 2016 : Debug: (0)               modsingle[authorize]: returned from ldap1 (ldap) for request 0

Not sure what else to try!
Thanks
Andy

-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk at lists.freeradius.org] On Behalf Of Franks Andy (IT Technical Architecture Manager)
Sent: 11 May 2016 12:46
To: 'FreeRadius users mailing list'
Subject: RE: Ldap searches don't seem to honour connect_timeout

Hi,
  Does this look better? Just thought I'd confirm before I went ahead and installed it all. No mention of gnutls, and it's got libssl instead, which belongs to libssl1.0.0, the description being

Description-en: SSL shared libraries
 libssl and libcrypto shared libraries needed by programs like
 apache-ssl, telnet-ssl and openssh.
 It is part of the OpenSSL implementation of SSL.

ldd output:

        /home/andy/freeradius-server/build/lib/local/.libs# ldd rlm_ldap.so
        linux-vdso.so.1 =>  (0x00007fff1dfec000)
        libldap-2.4.so.2 => /usr/local/lib/libldap-2.4.so.2 (0x00007fb516981000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fb5165b9000)
        liblber-2.4.so.2 => /usr/local/lib/liblber-2.4.so.2 (0x00007fb5163a9000)
        libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007fb51618f000)
        libsasl2.so.2 => /usr/lib/x86_64-linux-gnu/libsasl2.so.2 (0x00007fb515f74000)
        libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007fb515d15000)
        libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007fb515939000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fb516df7000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fb515735000)
        libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fb51551b000)

Thanks again all.

-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk at lists.freeradius.org] On Behalf Of A.L.M.Buxey at lboro.ac.uk
Sent: 10 May 2016 23:52
To: FreeRadius users mailing list
Subject: Re: Ldap searches don't seem to honour connect_timeout

Hi,

>   I followed part of that, can't profess to be an expert in library interaction and such, sorry.
> I am not sure really what to do next. Most of the libraries I got from standard installs off the ubuntu repos, are we talking fairly significant compilation of other stuff do you think?

remove the openldap2-dev package

grab the latest openldap source from their page (or mirror), ./configure, make, make install (it'll all go into /usr/local/)

then redo the freeradius configure stuff... should pick up the local openldap dev stuff.

ensure that the local openldap library is known (output of ldconfig -v shows it... may need to add /usr/local/lib as the first path in /etc/ld.so.conf)

make; make install - when you do the ldd stuff against rlm_ldap.so it should show openssl linkage instead

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
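As an added diagnostic that is not part of this thread (and not FreeRADIUS or OpenLDAP project code), the script below turns Alan's two verification steps into repeatable checks and adds a third one for the stall Andy is seeing. `tls_linkage` classifies an `ldd` listing as OpenSSL or GnuTLS linked; `resolved_path` extracts where a library (here libldap) resolves from, and works on both `ldd` and `ldconfig -p` output, so it can confirm that the /usr/local/lib copy wins over the distro one. The third check is about the timing: the log excerpt shows the bind failing 127 s after the connect started (14:23:29 to 14:25:36), and 127 s is exactly what a Linux host with the default `tcp_syn_retries` of 6 waits before abandoning a TCP connect (1+2+4+8+16+32+64 s), so comparing the observed gap with `syn_retry_budget` tells you whether the kernel's SYN retry budget, rather than any application-level `connect_timeout`, is what bounds the wait. The embedded listing is an abridged copy of the `ldd` output posted in the thread; the module path and /usr/local/lib are assumptions taken from the same messages.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeRADIUS/OpenLDAP.
# Assumes POSIX sh, awk and grep. Usage: sh ldap_linkage_check.sh /path/to/rlm_ldap.so

# Abridged from the ldd listing Andy posted (linkage against OpenSSL 1.0.0).
SAMPLE_LDD='linux-vdso.so.1 =>  (0x00007fff1dfec000)
libldap-2.4.so.2 => /usr/local/lib/libldap-2.4.so.2 (0x00007fb516981000)
libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007fb515d15000)
libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007fb515939000)'

# Read an ldd listing on stdin and print which TLS stack it links:
# openssl, gnutls, both (mixed linkage, worth investigating) or none.
tls_linkage() {
    listing=$(cat)
    has_ssl=$(printf '%s\n' "$listing" | grep -c 'libssl\.so' || true)
    has_gnutls=$(printf '%s\n' "$listing" | grep -c 'libgnutls\.so' || true)
    if [ "$has_ssl" -gt 0 ] && [ "$has_gnutls" -gt 0 ]; then
        echo both
    elif [ "$has_ssl" -gt 0 ]; then
        echo openssl
    elif [ "$has_gnutls" -gt 0 ]; then
        echo gnutls
    else
        echo none
    fi
}

# Print the path a library resolves to, given its base name (e.g. libldap).
# Accepts either "ldd <module>" or "ldconfig -p" output on stdin: both print
# "<name> ... => <path>", so the token after "=>" is the resolved file.
resolved_path() {
    awk -v lib="$1" '
        $1 ~ ("^" lib "[-.]") {
            for (i = 1; i <= NF; i++) if ($i == "=>") { print $(i + 1); exit }
        }'
}

# Seconds a Linux TCP connect waits before failing with tcp_syn_retries = $1:
# the initial SYN plus $1 retransmissions, each after a doubled 1 s RTO.
syn_retry_budget() {
    n=$1; total=0; rto=1; i=0
    while [ "$i" -le "$n" ]; do
        total=$((total + rto))
        rto=$((rto * 2))
        i=$((i + 1))
    done
    echo "$total"
}

# Convert HH:MM:SS to seconds since midnight (awk avoids octal surprises with 08/09).
clock_to_seconds() {
    printf '%s\n' "$1" | awk -F: '{ print $1 * 3600 + $2 * 60 + $3 }'
}

# Elapsed seconds between two log timestamps on the same day.
stall_seconds() {
    echo $(( $(clock_to_seconds "$2") - $(clock_to_seconds "$1") ))
}

# Driver: only runs when a module path is given, so sourcing the file is side-effect free.
if [ $# -ge 1 ]; then
    listing=$(ldd "$1")
    echo "TLS linkage:   $(printf '%s\n' "$listing" | tls_linkage)"
    echo "libldap from:  $(printf '%s\n' "$listing" | resolved_path libldap)"
    echo "ldconfig sees: $(ldconfig -p | resolved_path libldap)"
    echo "kernel connect budget (tcp_syn_retries=6): $(syn_retry_budget 6) s"
    echo "stall in thread log:                       $(stall_seconds 14:23:29 14:25:36) s"
fi
```

If `ldd` reports `openssl` but `ldconfig -p` still resolves libldap to /usr/lib rather than /usr/local/lib, the freshly built OpenLDAP is not the one the loader will pick at runtime, which is the ld.so.conf ordering point in Alan's reply. A stall that matches `syn_retry_budget` to the second is a strong hint that the connect is not being bounded by the module at all.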
