LDAPS problem while migrating from 2 to 3

Olivier Olivier.Nicole at cs.ait.ac.th
Fri Jun 30 06:42:22 CEST 2017


Arran Cudbard-Bell <a.cudbardb at freeradius.org> writes:

>> On 29 Jun 2017, at 02:30, Olivier <Olivier.Nicole at cs.ait.ac.th> wrote:
>> 
>> Hi,
>> 
>> I have a working environment based on FreeRadius 2.2 and OpenLDAP 2.4.
>> It binds to the LDAP server on ldaps://ldap.cs.ait.ac.th/
>> 
>> I am trying to upgrade to FreeRadius (3.0.14) and if I can bind to
>> ldap://..., I cannot bind to ldaps://...
>> 
>> Thu Jun 29 13:12:38 2017 : Debug:   # Instantiating module "ldap_firewall" from file /usr/local/etc/raddb/mods-enabled/ldap
>> Thu Jun 29 13:12:38 2017 : Info: rlm_ldap: libldap vendor: OpenLDAP, version: 20441
>> Thu Jun 29 13:12:38 2017 : Debug: rlm_ldap (ldap_firewall): Couldn't find configuration for accounting, will return NOOP for calls from this section
>> Thu Jun 29 13:12:38 2017 : Debug: rlm_ldap (ldap_firewall): Couldn't find configuration for post-auth, will return NOOP for calls from this section
>> Thu Jun 29 13:12:38 2017 : Debug: LDAP server string: ldaps://ldap.cs.ait.ac.th:636
>> Thu Jun 29 13:12:38 2017 : Debug: rlm_ldap (ldap_firewall): Using local pool section
>> Thu Jun 29 13:12:38 2017 : Debug: rlm_ldap (ldap_firewall): No pool reference found for config item "ldap_firewall.pool"
>> Thu Jun 29 13:12:38 2017 : Debug: rlm_ldap (ldap_firewall): Initialising connection pool
>> ...
>> Thu Jun 29 13:12:38 2017 : Info: rlm_ldap (ldap_firewall): Opening additional connection (0), 1 of 32 pending slots used
>> Thu Jun 29 13:12:38 2017 : Debug: rlm_ldap (ldap_firewall): Connecting to ldaps://ldap.cs.ait.ac.th:636
>> Thu Jun 29 13:12:38 2017 : Debug: rlm_ldap (ldap_firewall): New libldap handle 0x28e5c1e0
>> Thu Jun 29 13:12:38 2017 : Error: rlm_ldap (ldap_firewall): Bind with (anonymous) to ldaps://ldap.cs.ait.ac.th:636 failed: Can't contact LDAP server
>> Thu Jun 29 13:12:38 2017 : Debug: rlm_ldap: Closing libldap handle 0x28e5c1e0
>> Thu Jun 29 13:12:38 2017 : Error: rlm_ldap (ldap_firewall): Opening connection failed (0)
>> Thu Jun 29 13:12:38 2017 : Debug: rlm_ldap (ldap_firewall): Removing connection pool
>> Thu Jun 29 13:12:38 2017 : Error: /usr/local/etc/raddb/mods-enabled/ldap[1]: Instantiation failed for module "ldap_firewall"
>> 
>> What could I be missing?
>
> Set port with the port config item.

No need, tcpdump confirms that I am talking to port 636.

Enabling LDAP debugging (ldap_debug = 0x8887) I get the following when
launching FreeRadius:

ldap_create
ldap_url_parse_ext(ldaps://ldap.cs.ait.ac.th:636)
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.cs.ait.ac.th:636
ldap_new_socket: 5
ldap_prepare_socket: 5
ldap_connect_to_host: Trying 192.41.170.6:636
ldap_pvt_connect: fd: 5 tm: 1 async: 0
ldap_ndelay_on: 5
attempting to connect: 
connect errno: 36
ldap_int_poll: fd: 5 tm: 1
ldap_is_sock_ready: 5
ldap_ndelay_off: 5
ldap_pvt_connect: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 20, subject: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3, issuer: /O=Digital Signature Trust Co./CN=DST Root CA X3
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in error
TLS trace: SSL_connect:error in error
TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (unable to get local issuer certificate).
ldap_err2string

I checked manually that my certificate is correct and accessible:

$ openssl s_client -showcerts -connect ldap.cs.ait.ac.th:636
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = ldap.cs.ait.ac.th
verify return:1
[ lot of stuff omitted ]
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
    Session-ID: 3D5E60FB690ED809E2871DF3199328DAB8569FE2FC19D91D6FB3BE9EB77C5282
    Session-ID-ctx: 
    Master-Key: F08532386D2C27BB0014AF37D1C368262212A76D77129F0ACD8E5EDC74C658BBFE662B16DD146A8BFFE51A89920D1E16
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 15 d8 7d fa 4e c9 ab f7-95 d6 61 24 5f 45 2b 04   ..}.N.....a$_E+.
    0010 - f5 91 5e 6a 51 37 ac cc-35 a1 c8 c7 e5 1a c0 65   ..^jQ7..5......e
    0020 - 73 f1 ea e7 01 c7 b5 cc-c0 54 be 0b b5 36 59 7b   s........T...6Y{
    0030 - 53 dc f2 68 4e a8 fa d4-84 3a 6f b7 ea 9e 53 17   S..hN....:o...S.
    0040 - 30 ec 8d 7a 3e 6d 9b 4a-66 d3 28 12 de e2 e8 08   0..z>m.Jf.(.....
    0050 - 21 44 9d f5 f9 7a 47 28-7a dd 3b 44 7f 54 ba 07   !D...zG(z.;D.T..
    0060 - f9 80 d3 2f 93 a0 44 63-ef 7f fc f8 96 c9 01 f0   .../..Dc........
    0070 - 5b 47 e4 7a c8 00 6e 08-17 30 a5 70 83 73 b1 8c   [G.z..n..0.p.s..
    0080 - 0b 4c 30 9c bb 95 fc 20-36 04 23 07 55 5c 34 22   .L0.... 6.#.U\4"
    0090 - 37 a3 92 04 9b c9 59 19-0f 3c d4 9c 5a 0b 1d 67   7.....Y..<..Z..g

    Start Time: 1498797590
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

So what else can I try?

TIA

Olivier
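Added example (not part of the thread, and not FreeRADIUS or OpenLDAP code): the libldap trace above fails at depth 1 with error 20, which means the client received the server certificate and the Let's Encrypt intermediate but could not find the intermediate's issuer in the trust store it was given. That store is not necessarily the one openssl s_client consulted, so a passing s_client run does not prove the client's own store is complete. The script below reproduces exactly that condition offline with a constructed chain (root, intermediate, leaf for the made-up name ldap.example.test) and a constructed unrelated root standing in for an incomplete store, then shows the same chain verifying once the real root is present. It assumes only the openssl command line tool (1.1.0 or later, for -no-CApath).

```shell
#!/bin/sh
# Added example: reproduce "error 20 at depth 1, unable to get local issuer
# certificate" with a constructed chain, then show the fix on the store side.
# All names (Demo roots, demo-intermediate, ldap.example.test) are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the example does not depend on the system openssl.cnf.
printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n' > "$WORK/req.cnf"
# CA extensions for root and intermediate; server extensions for the leaf.
printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:ldap.example.test\n' > "$WORK/leaf.ext"

# Key and CSR in one step ($1 = basename, $2 = subject); EC keys keep it fast.
csr() {
  openssl req -new -config "$WORK/req.cnf" -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -nodes -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" >/dev/null 2>&1
}

build_chain() {
  csr root  "/O=Demo/CN=demo-root"
  csr int   "/O=Demo/CN=demo-intermediate"
  csr leaf  "/CN=ldap.example.test"
  csr other "/O=Demo/CN=unrelated-root"
  # Two self-signed roots: the chain's real root and an unrelated one.
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/other.csr" -signkey "$WORK/other.key" -days 2 \
    -extfile "$WORK/ca.ext" -out "$WORK/other.pem" >/dev/null 2>&1
  # root -> intermediate -> leaf, like DST Root -> Let's Encrypt X3 -> server.
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 2 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Verify the leaf against trust store $1 only (-no-CApath ignores the system
# directory), offering the intermediate as an untrusted chain certificate the
# way a server sends it. Echoes "ok", or "err=<code> depth=<n>" parsed from
# openssl's own report; code 20 is "unable to get local issuer certificate".
verify_leaf() {
  out="$(openssl verify -no-CApath -CAfile "$1" -untrusted "$WORK/int.pem" "$WORK/leaf.pem" 2>&1 || true)"
  case "$out" in
    *": OK"*) echo ok ;;
    *) printf '%s\n' "$out" \
         | sed -n 's/^.*error \([0-9][0-9]*\) at \([0-9][0-9]*\) depth lookup.*$/err=\1 depth=\2/p' \
         | head -n 1 ;;
  esac
}

build_chain
echo "store without the chain's root: $(verify_leaf "$WORK/other.pem")"   # err=20 depth=1
echo "store holding the chain's root:  $(verify_leaf "$WORK/root.pem")"   # ok
```

The same check can be pointed at a real deployment by replacing the constructed store with the CA file the LDAP client is actually configured to use (for rlm_ldap in FreeRADIUS 3 that is the ca_file or ca_path item in the module's tls section; for libldap tools it is TLS_CACERT in ldap.conf) and the constructed chain with the certificates the server sends. A result of err=20 at depth 1 against that file, while s_client passes against the system store, points at the client's store missing the root rather than at the server.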

