Ldap searches don't seem to honour connect_timeout

Franks Andy (IT Technical Architecture Manager) Andy.Franks at sath.nhs.uk
Wed May 11 17:31:52 CEST 2016


Just for reference, it seems Ubuntu have taken a decision to use GnuTLS for TLS encryption over OpenSSL due to licensing worries - see the top paragraph of this:
https://help.ubuntu.com/community/GnuTLS

So anyone seeking to compile FreeRADIUS from scratch and using LDAP will be using some bits compiled with GnuTLS instead of OpenSSL. For me this seems to be some lack of support for certain FreeRADIUS LDAP options in the configuration, and a lack of debugging options working.

Hopefully that's helpful.

Thanks
Andy

-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk at lists.freeradius.org] On Behalf Of Franks Andy (IT Technical Architecture Manager)
Sent: 11 May 2016 14:29
To: 'FreeRadius users mailing list'
Subject: RE: Ldap searches don't seem to honour connect_timeout

Hmm, so it looks like it might be using the correct libraries now, as the LDAP debug string now works, for example here where I removed the self-signed CA for the self-signed cert for ldaps:

TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (unable to get local issuer certificate).
rlm_ldap (ldap1): Bind with CN=LDAPQuery_RADIUS,OU=NonLockableUsers,OU=SpecialUsers,OU=SATHUsers,DC=SATH,DC=nhs,DC=uk to ldaps://sath.nhs.uk:636 failed: Can't contact LDAP server
rlm_ldap (ldap1): Opening connection failed (0)

It didn't use to spit out any debugging with the GnuTLS library as far as I can remember.

Getting past that though, it still stalls when the host is dead:

rlm_ldap (ldap1): Initialising connection pool
   pool {
        ..
        connect_timeout = 2.000000
        ..
   }

It still takes a couple of minutes:

Wed May 11 14:23:29 2016 : Info: rlm_ldap (ldap1): Opening additional connection (0), 1 of 10 pending slots used
Wed May 11 14:23:29 2016 : Debug: rlm_ldap (ldap1): Connecting to ldaps://sath-ad1wk8.sath.nhs.uk:636
Wed May 11 14:23:29 2016 : Debug: rlm_ldap (ldap1): New libldap handle 0x209a550
Wed May 11 14:25:36 2016 : Error: rlm_ldap (ldap1): Bind with CN=LDAPQuery_RADIUS,OU=NonLockableUsers,OU=SpecialUsers,OU=SATHUsers,DC=SATH,DC=nhs,DC=uk to ldaps://sath.nhs.uk:636 failed: Can't contact LDAP server
Wed May 11 14:25:36 2016 : Debug: rlm_ldap: Closing libldap handle 0x209a550
Wed May 11 14:25:36 2016 : Error: rlm_ldap (ldap1): Opening connection failed (0)
Wed May 11 14:25:36 2016 : Debug: (0)               modsingle[authorize]: returned from ldap1 (ldap) for request 0

Not sure what else to try!
Thanks
Andy

-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk at lists.freeradius.org] On Behalf Of Franks Andy (IT Technical Architecture Manager)
Sent: 11 May 2016 12:46
To: 'FreeRadius users mailing list'
Subject: RE: Ldap searches don't seem to honour connect_timeout

Hi,
  Does this look better? Just thought I'd confirm before I went ahead and installed it all. No mention of GnuTLS, and it's got libssl instead, which belongs to libssl1.0.0, the description being

Description-en: SSL shared libraries
 libssl and libcrypto shared libraries needed by programs like
 apache-ssl, telnet-ssl and openssh.
 It is part of the OpenSSL implementation of SSL.

ldd output:

        /home/andy/freeradius-server/build/lib/local/.libs# ldd rlm_ldap.so
        linux-vdso.so.1 =>  (0x00007fff1dfec000)
        libldap-2.4.so.2 => /usr/local/lib/libldap-2.4.so.2 (0x00007fb516981000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fb5165b9000)
        liblber-2.4.so.2 => /usr/local/lib/liblber-2.4.so.2 (0x00007fb5163a9000)
        libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007fb51618f000)
        libsasl2.so.2 => /usr/lib/x86_64-linux-gnu/libsasl2.so.2 (0x00007fb515f74000)
        libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007fb515d15000)
        libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007fb515939000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fb516df7000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fb515735000)
        libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fb51551b000)

Thanks again all.

-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk at lists.freeradius.org] On Behalf Of A.L.M.Buxey at lboro.ac.uk
Sent: 10 May 2016 23:52
To: FreeRadius users mailing list
Subject: Re: Ldap searches don't seem to honour connect_timeout

Hi,

>   I followed part of that, can't profess to be an expert in library interaction and such, sorry.
> I am not sure really what to do next. Most of the libraries I got from standard installs off the ubuntu repos, are we talking fairly significant compilation of other stuff do you think?

remove the openldap2-dev package

grab the latest openldap source from their page (or mirror) , ./configure, make, make install (it'll all go into /usr/local/ )

then redo the freeradius configure stuff..... should pick up the local openldap dev stuff.

ensure that the local openldap library is known (output of ldconfig -v shows it... may need to add /usr/local/lib as the first path in /etc/ld.so.conf)

make; make install - when you do the ldd stuff against rlm_ldap.so it should show OpenSSL linkage instead

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
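Both the ldd listing Andy posts above and Alan's rebuild procedure come down to the same check: rlm_ldap.so does not link a TLS library itself, libldap does, and because ldd prints the transitive closure the TLS vendor (OpenSSL or GnuTLS) and the origin of libldap (/usr/local/lib from the source build, or the distro copy) are both visible in its output. The following POSIX shell helper automates that check. It is an added example for this page, not code from the thread or from the FreeRADIUS or OpenLDAP projects; the function names are my own, and the lines it is exercised with are constructed from the ldd output quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): confirm which TLS stack a freshly built
# rlm_ldap.so will actually pull in, and which libldap the loader resolves to.
# rlm_ldap.so does not link a TLS library directly; libldap does, and ldd prints
# the transitive closure, so the vendor (OpenSSL vs GnuTLS) shows in its output.

# tls_backend: read ldd output on stdin; print openssl, gnutls, mixed or none.
tls_backend() {
    ssl=0
    gnu=0
    while IFS= read -r line; do
        case "$line" in
            *libssl.so*|*libcrypto.so*) ssl=1 ;;
            *libgnutls.so*|*libgcrypt.so*|*libnettle.so*|*libhogweed.so*) gnu=1 ;;
        esac
    done
    if [ "$ssl" -eq 1 ] && [ "$gnu" -eq 1 ]; then
        echo mixed      # two TLS stacks in one process: rebuild so only one is used
    elif [ "$ssl" -eq 1 ]; then
        echo openssl
    elif [ "$gnu" -eq 1 ]; then
        echo gnutls
    else
        echo none
    fi
}

# ldap_lib_dir: read ldd output on stdin; print the directory libldap resolved
# from, so /usr/local/lib (the source build) can be told apart from the distro copy.
ldap_lib_dir() {
    sed -n 's#^[[:space:]]*libldap[^ ]* => \([^ ]*\)/libldap[^ ]*.*#\1#p' | head -n 1
}

# cached_ldap_path: read 'ldconfig -p' output on stdin; print the path the loader
# cache will hand out for libldap. If this is not under /usr/local/lib, put
# /usr/local/lib first in /etc/ld.so.conf and rerun ldconfig.
cached_ldap_path() {
    sed -n 's#^[[:space:]]*libldap-[^ ]* ([^)]*) => \([^ ]*\)$#\1#p' | head -n 1
}

# check_module: run the three checks against a real module, e.g.
#   sh check_rlm_ldap.sh /usr/local/lib/rlm_ldap.so
check_module() {
    out=$(ldd "$1") || return 1
    printf 'TLS backend : %s\n' "$(printf '%s\n' "$out" | tls_backend)"
    printf 'libldap from: %s\n' "$(printf '%s\n' "$out" | ldap_lib_dir)"
    printf 'ld cache    : %s\n' "$(ldconfig -p | cached_ldap_path)"
}

if [ "$#" -gt 0 ]; then
    check_module "$1"
fi
```

Run it against the freshly built module before `make install` (the build/lib/local/.libs path Andy used) and again after, so that a stale distro libldap picked up from the loader cache shows up as a different "libldap from" directory rather than as a silent regression in TLS behaviour. A result of "mixed" means the process would load both OpenSSL and GnuTLS, which is worth fixing on its own even when the module appears to work.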

