Ldap searches don't seem to honour connect_timeout
Franks Andy (IT Technical Architecture Manager)
Andy.Franks at sath.nhs.uk
Wed May 11 15:29:05 CEST 2016
Hmm, so it looks like it might be using the correct libraries now, as the ldap debug string now works, for example here where I removed the self-signed CA for the self-signed cert for ldaps:
TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (unable to get local issuer certificate).
rlm_ldap (ldap1): Bind with CN=LDAPQuery_RADIUS,OU=NonLockableUsers,OU=SpecialUsers,OU=SATHUsers,DC=SATH,DC=nhs,DC=uk to ldaps://sath.nhs.uk:636 failed: Can't contact LDAP server
rlm_ldap (ldap1): Opening connection failed (0)
It didn't use to spit out any debugging with the GnuTLS library as far as I can remember.
Getting past that though, it still stalls when the host is dead:
rlm_ldap (ldap1): Initialising connection pool
pool {
..
connect_timeout = 2.000000
..
}
It still takes a couple of minutes:
Wed May 11 14:23:29 2016 : Info: rlm_ldap (ldap1): Opening additional connection (0), 1 of 10 pending slots used
Wed May 11 14:23:29 2016 : Debug: rlm_ldap (ldap1): Connecting to ldaps://sath-ad1wk8.sath.nhs.uk:636
Wed May 11 14:23:29 2016 : Debug: rlm_ldap (ldap1): New libldap handle 0x209a550
Wed May 11 14:25:36 2016 : Error: rlm_ldap (ldap1): Bind with CN=LDAPQuery_RADIUS,OU=NonLockableUsers,OU=SpecialUsers,OU=SATHUsers,DC=SATH,DC=nhs,DC=uk to ldaps://sath.nhs.uk:636 failed: Can't contact LDAP server
Wed May 11 14:25:36 2016 : Debug: rlm_ldap: Closing libldap handle 0x209a550
Wed May 11 14:25:36 2016 : Error: rlm_ldap (ldap1): Opening connection failed (0)
Wed May 11 14:25:36 2016 : Debug: (0) modsingle[authorize]: returned from ldap1 (ldap) for request 0
Not sure what else to try!
Thanks
Andy
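An added check, not from the thread, for the symptom described above: the script below parses radiusd log lines in the timestamp format quoted in the message, pairs each "Connecting to" line with the "Opening connection failed" that ends the same attempt, and flags attempts whose failure arrived later than the configured connect_timeout plus a slack value (the one-second slack is an assumption). The first sample attempt is the one quoted above; the second, fast-failing attempt is constructed for contrast.

```python
"""Measure how long each rlm_ldap connection attempt took to fail.

Added example, not part of the mailing-list thread. Parses radiusd
log lines of the form quoted above and compares the time between
"Connecting to ..." and "Opening connection failed" with the
connect_timeout that the pool section reported.
"""
import re
from datetime import datetime

TIMESTAMP_FMT = "%a %b %d %H:%M:%S %Y"

# "Wed May 11 14:23:29 2016 : Debug: rlm_ldap (ldap1): <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : "
    r"(?P<level>\w+): rlm_ldap \((?P<inst>[^)]+)\): (?P<msg>.*)$"
)
CONNECTING_RE = re.compile(r"^Connecting to (?P<url>\S+)")
FAILED_RE = re.compile(r"^Opening connection failed")

# First attempt: the lines quoted in the thread. Second attempt (the
# 14:30:00 lines, host name invented): constructed, fails within 2 s.
SAMPLE_LOG = """\
Wed May 11 14:23:29 2016 : Info: rlm_ldap (ldap1): Opening additional connection (0), 1 of 10 pending slots used
Wed May 11 14:23:29 2016 : Debug: rlm_ldap (ldap1): Connecting to ldaps://sath-ad1wk8.sath.nhs.uk:636
Wed May 11 14:23:29 2016 : Debug: rlm_ldap (ldap1): New libldap handle 0x209a550
Wed May 11 14:25:36 2016 : Error: rlm_ldap (ldap1): Bind with CN=LDAPQuery_RADIUS,OU=NonLockableUsers,OU=SpecialUsers,OU=SATHUsers,DC=SATH,DC=nhs,DC=uk to ldaps://sath.nhs.uk:636 failed: Can't contact LDAP server
Wed May 11 14:25:36 2016 : Debug: rlm_ldap: Closing libldap handle 0x209a550
Wed May 11 14:25:36 2016 : Error: rlm_ldap (ldap1): Opening connection failed (0)
Wed May 11 14:30:00 2016 : Debug: rlm_ldap (ldap1): Connecting to ldaps://ldap2.example.invalid:636
Wed May 11 14:30:02 2016 : Error: rlm_ldap (ldap1): Opening connection failed (0)
"""


def parse_line(line):
    """Return (timestamp, instance, message) or None for lines that are
    not rlm_ldap instance messages (e.g. 'rlm_ldap: Closing libldap handle')."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TIMESTAMP_FMT)
    return ts, m.group("inst"), m.group("msg")


def connect_durations(log):
    """List of (instance, url, seconds) for every attempt that ended in
    'Opening connection failed'. Accepts a string or an iterable of lines."""
    lines = log.splitlines() if isinstance(log, str) else log
    pending = {}   # instance -> (url, start timestamp)
    results = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, inst, msg = parsed
        c = CONNECTING_RE.match(msg)
        if c:
            pending[inst] = (c.group("url"), ts)
            continue
        if FAILED_RE.match(msg) and inst in pending:
            url, start = pending.pop(inst)
            results.append((inst, url, (ts - start).total_seconds()))
    return results


def timeout_violations(log, connect_timeout, slack=1.0):
    """Attempts whose failure took longer than connect_timeout + slack seconds;
    the slack absorbs one-second log timestamp granularity."""
    return [r for r in connect_durations(log) if r[2] > connect_timeout + slack]


if __name__ == "__main__":
    for inst, url, secs in connect_durations(SAMPLE_LOG):
        print(f"{inst} {url}: failed after {secs:.0f}s")
    print("violations of connect_timeout = 2.0:",
          timeout_violations(SAMPLE_LOG, 2.0))
```

Run against a real radiusd -X capture by passing the file contents to connect_durations(); an attempt that takes minutes to fail against a dead host, as the 127-second one above does, is the sign that the timeout is being applied by something other than the library that actually does the connect.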
-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk at lists.freeradius.org] On Behalf Of Franks Andy (IT Technical Architecture Manager)
Sent: 11 May 2016 12:46
To: 'FreeRadius users mailing list'
Subject: RE: Ldap searches don't seem to honour connect_timeout
Hi,
Does this look better? Just thought I'd confirm before I went ahead and installed it all. No mention of gnutls, and it's got libssl instead, which belongs to libssl1.0.0, the description being
Description-en: SSL shared libraries
libssl and libcrypto shared libraries needed by programs like
apache-ssl, telnet-ssl and openssh.
It is part of the OpenSSL implementation of SSL.
Ldd output:
/home/andy/freeradius-server/build/lib/local/.libs# ldd rlm_ldap.so
linux-vdso.so.1 => (0x00007fff1dfec000)
libldap-2.4.so.2 => /usr/local/lib/libldap-2.4.so.2 (0x00007fb516981000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fb5165b9000)
liblber-2.4.so.2 => /usr/local/lib/liblber-2.4.so.2 (0x00007fb5163a9000)
libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007fb51618f000)
libsasl2.so.2 => /usr/lib/x86_64-linux-gnu/libsasl2.so.2 (0x00007fb515f74000)
libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007fb515d15000)
libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007fb515939000)
/lib64/ld-linux-x86-64.so.2 (0x00007fb516df7000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fb515735000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fb51551b000)
Thanks again all.
-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk at lists.freeradius.org] On Behalf Of A.L.M.Buxey at lboro.ac.uk
Sent: 10 May 2016 23:52
To: FreeRadius users mailing list
Subject: Re: Ldap searches don't seem to honour connect_timeout
Hi,
> I followed part of that, can't profess to be an expert in library interaction and such, sorry.
> I am not sure really what to do next. Most of the libraries I got from standard installs off the Ubuntu repos; are we talking fairly significant compilation of other stuff, do you think?
remove the openldap2-dev package
grab the latest openldap source from their page (or mirror), ./configure, make, make install (it'll all go into /usr/local/)
then redo the freeradius configure stuff... should pick up the local openldap dev stuff.
ensure that the local openldap library is known (output of ldconfig -v shows it... may need to add /usr/local/lib as the first path in /etc/ld.so.conf)
make; make install - when you do the ldd stuff against rlm_ldap.so it should show openssl linkage instead
alan
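An added verification script, not from the thread, for the last two steps above (making sure the /usr/local libldap is the one being picked up, and checking the linkage with ldd). It parses ldd output of the form pasted in the thread and reports which libldap the module resolves to, whether the TLS backend pulled in is OpenSSL or GnuTLS, and any "not found" entries. The first sample is the ldd output quoted in the thread; the second is a constructed GnuTLS-linked variant (paths and addresses invented) to show the failing case. Given a path on the command line it runs ldd for real.

```python
"""Report what an rlm_ldap.so build is actually linked against.

Added example, not part of the mailing-list thread. ldd prints the
transitive closure of dependencies, which is why libssl (or libgnutls)
shows up under rlm_ldap.so even though only libldap links it directly.
"""
import re
import subprocess
import sys

LDD_LINE_RE = re.compile(
    r"^\s*(?P<name>\S+)\s+=>\s+"
    r"(?:(?P<path>/\S+)\s+\(0x[0-9a-fA-F]+\)|(?P<missing>not found))"
)

# ldd output as pasted in the thread.
PAGE_LDD = """\
linux-vdso.so.1 => (0x00007fff1dfec000)
libldap-2.4.so.2 => /usr/local/lib/libldap-2.4.so.2 (0x00007fb516981000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fb5165b9000)
liblber-2.4.so.2 => /usr/local/lib/liblber-2.4.so.2 (0x00007fb5163a9000)
libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007fb51618f000)
libsasl2.so.2 => /usr/lib/x86_64-linux-gnu/libsasl2.so.2 (0x00007fb515f74000)
libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007fb515d15000)
libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007fb515939000)
/lib64/ld-linux-x86-64.so.2 (0x00007fb516df7000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fb515735000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fb51551b000)
"""

# Constructed: a distro libldap built against GnuTLS, plus a missing library.
GNUTLS_LDD = """\
linux-vdso.so.1 => (0x00007ffd2b1c0000)
libldap-2.4.so.2 => /usr/lib/x86_64-linux-gnu/libldap-2.4.so.2 (0x00007f3c2a400000)
liblber-2.4.so.2 => /usr/lib/x86_64-linux-gnu/liblber-2.4.so.2 (0x00007f3c2a1f0000)
libgnutls.so.30 => /usr/lib/x86_64-linux-gnu/libgnutls.so.30 (0x00007f3c29e80000)
libsasl2.so.2 => not found
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3c29ab0000)
/lib64/ld-linux-x86-64.so.2 (0x00007f3c2a800000)
"""


def parse_ldd(text):
    """Return ({soname: resolved path}, [sonames reported 'not found']).
    The vdso and the dynamic loader have no '=> /path' form and are skipped."""
    resolved, missing = {}, []
    for line in text.splitlines():
        m = LDD_LINE_RE.match(line)
        if not m:
            continue
        if m.group("missing"):
            missing.append(m.group("name"))
        else:
            resolved[m.group("name")] = m.group("path")
    return resolved, missing


def check_rlm_ldap(text, local_prefix="/usr/local/lib/"):
    """Summarise an ldd listing: which libldap is used, whether it comes from
    the locally built tree, and which TLS library is in the closure."""
    resolved, missing = parse_ldd(text)
    libldap = next((p for n, p in resolved.items() if n.startswith("libldap")), None)
    has_openssl = any(n.startswith("libssl.so") for n in resolved)
    has_gnutls = any(n.startswith("libgnutls.so") for n in resolved)
    tls = {(True, False): "openssl", (False, True): "gnutls",
           (True, True): "both", (False, False): "none"}[(has_openssl, has_gnutls)]
    return {
        "libldap": libldap,
        "libldap_local": bool(libldap and libldap.startswith(local_prefix)),
        "tls": tls,
        "missing": missing,
    }


def ldd_of(path):
    """Run ldd on a shared object and return its stdout."""
    return subprocess.run(["ldd", path], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "rlm_ldap.so"
    for key, value in check_rlm_ldap(ldd_of(target)).items():
        print(f"{key}: {value}")
```

If "libldap_local" comes back False after the rebuild, the loader is still finding the distro copy first; that is the ld.so.conf ordering point in the step above, followed by re-running ldconfig. A "both" result means two TLS stacks are in the same process, which is worth resolving before trusting either's timeout behaviour.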
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html