FreeRadius LDAP connection to Google Workspace
Benjamin Diehl
benjamin.diehl at foundationacademy.net
Fri Oct 1 19:06:23 CEST 2021
Here is the Wireshark information; even after running the ldapsearch command correctly it still returns the same result.
TLS: can't connect: (unknown error code).
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: (unknown error code)
No. Time Source Destination Protocol Length Info
831 5.008131431 127.0.0.1 127.0.0.53 DNS 88 Standard query 0x20a3 A ldap.google.com OPT
Frame 831: 88 bytes on wire (704 bits), 88 bytes captured (704 bits) on interface any, id 0
Linux cooked capture
Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.0.53
User Datagram Protocol, Src Port: 46092, Dst Port: 53
Domain Name System (query)
No. Time Source Destination Protocol Length Info
832 5.008145831 127.0.0.1 127.0.0.53 DNS 88 Standard query 0x049f AAAA ldap.google.com OPT
Frame 832: 88 bytes on wire (704 bits), 88 bytes captured (704 bits) on interface any, id 0
Linux cooked capture
Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.0.53
User Datagram Protocol, Src Port: 46092, Dst Port: 53
Domain Name System (query)
No. Time Source Destination Protocol Length Info
833 5.008286031 127.0.0.53 127.0.0.1 DNS 104 Standard query response 0x20a3 A ldap.google.com A 216.239.32.58 OPT
Frame 833: 104 bytes on wire (832 bits), 104 bytes captured (832 bits) on interface any, id 0
Linux cooked capture
Internet Protocol Version 4, Src: 127.0.0.53, Dst: 127.0.0.1
User Datagram Protocol, Src Port: 53, Dst Port: 46092
Domain Name System (response)
No. Time Source Destination Protocol Length Info
834 5.008330430 127.0.0.53 127.0.0.1 DNS 116 Standard query response 0x049f AAAA ldap.google.com AAAA 2001:4860:4802:32::3a OPT
Frame 834: 116 bytes on wire (928 bits), 116 bytes captured (928 bits) on interface any, id 0
Linux cooked capture
Internet Protocol Version 4, Src: 127.0.0.53, Dst: 127.0.0.1
User Datagram Protocol, Src Port: 53, Dst Port: 46092
Domain Name System (response)
No. Time Source Destination Protocol Length Info
835 5.008455330 172.16.11.235 216.239.32.58 TCP 76 35438 → 636 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=794117890 TSecr=0 WS=128
Frame 835: 76 bytes on wire (608 bits), 76 bytes captured (608 bits) on interface any, id 0
Linux cooked capture
Internet Protocol Version 4, Src: 172.16.11.235, Dst: 216.239.32.58
Transmission Control Protocol, Src Port: 35438, Dst Port: 636, Seq: 0, Len: 0
No. Time Source Destination Protocol Length Info
836 5.011327514 fe80::1ce7:6229:56d2:b253 ff02::fb MDNS 238 Standard query response 0x0000 PTR FAN-MBP-Tech Office-01._companion-link._tcp.local TXT
Frame 836: 238 bytes on wire (1904 bits), 238 bytes captured (1904 bits) on interface any, id 0
Linux cooked capture
Internet Protocol Version 6, Src: fe80::1ce7:6229:56d2:b253, Dst: ff02::fb
User Datagram Protocol, Src Port: 5353, Dst Port: 5353
Multicast Domain Name System (response)
No. Time Source Destination Protocol Length Info
837 5.011340214 172.16.11.141 224.0.0.251 MDNS 218 Standard query response 0x0000 PTR FAN-MBP-Tech Office-01._companion-link._tcp.local TXT
Frame 837: 218 bytes on wire (1744 bits), 218 bytes captured (1744 bits) on interface any, id 0
Linux cooked capture
Internet Protocol Version 4, Src: 172.16.11.141, Dst: 224.0.0.251
User Datagram Protocol, Src Port: 5353, Dst Port: 5353
Multicast Domain Name System (response)
No. Time Source Destination Protocol Length Info
838 5.018532576 172.16.11.131 224.0.0.251 MDNS 218 Standard query response 0x0000 PTR FAN-MBP-Tech Office-01._companion-link._tcp.local TXT
Frame 838: 218 bytes on wire (1744 bits), 218 bytes captured (1744 bits) on interface any, id 0
Linux cooked capture
Internet Protocol Version 4, Src: 172.16.11.131, Dst: 224.0.0.251
User Datagram Protocol, Src Port: 5353, Dst Port: 5353
Multicast Domain Name System (response)
No. Time Source Destination Protocol Length Info
839 5.019156173 fe80::10dd:d8db:56bf:b639 ff02::fb MDNS 238 Standard query response 0x0000 PTR FAN-MBP-Tech Office-01._companion-link._tcp.local TXT
Frame 839: 238 bytes on wire (1904 bits), 238 bytes captured (1904 bits) on interface any, id 0
Linux cooked capture
Internet Protocol Version 6, Src: fe80::10dd:d8db:56bf:b639, Dst: ff02::fb
User Datagram Protocol, Src Port: 5353, Dst Port: 5353
Multicast Domain Name System (response)
No. Time Source Destination Protocol Length Info
840 5.020119168 216.239.32.58 172.16.11.235 TCP 76 636 → 35438 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1430 SACK_PERM=1 TSval=4220711475 TSecr=794117890 WS=256
Frame 840: 76 bytes on wire (608 bits), 76 bytes captured (608 bits) on interface any, id 0
Linux cooked capture
Internet Protocol Version 4, Src: 216.239.32.58, Dst: 172.16.11.235
Transmission Control Protocol, Src Port: 636, Dst Port: 35438, Seq: 0, Ack: 1, Len: 0
No. Time Source Destination Protocol Length Info
841 5.020143667 172.16.11.235 216.239.32.58 TCP 68 35438 → 636 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=794117902 TSecr=4220711475
Frame 841: 68 bytes on wire (544 bits), 68 bytes captured (544 bits) on interface any, id 0
Linux cooked capture
Internet Protocol Version 4, Src: 172.16.11.235, Dst: 216.239.32.58
Transmission Control Protocol, Src Port: 35438, Dst Port: 636, Seq: 1, Ack: 1, Len: 0
No. Time Source Destination Protocol Length Info
842 5.020381866 172.16.11.235 216.239.32.58 TLSv1.3 409 Client Hello
Frame 842: 409 bytes on wire (3272 bits), 409 bytes captured (3272 bits) on interface any, id 0
Linux cooked capture
Internet Protocol Version 4, Src: 172.16.11.235, Dst: 216.239.32.58
Transmission Control Protocol, Src Port: 35438, Dst Port: 636, Seq: 1, Ack: 1, Len: 341
Transport Layer Security
No. Time Source Destination Protocol Length Info
843 5.032219203 216.239.32.58 172.16.11.235 TCP 68 636 → 35438 [ACK] Seq=1 Ack=342 Win=66816 Len=0 TSval=4220711487 TSecr=794117902
Frame 843: 68 bytes on wire (544 bits), 68 bytes captured (544 bits) on interface any, id 0
Linux cooked capture
Internet Protocol Version 4, Src: 216.239.32.58, Dst: 172.16.11.235
Transmission Control Protocol, Src Port: 636, Dst Port: 35438, Seq: 1, Ack: 342, Len: 0
No. Time Source Destination Protocol Length Info
844 5.033541496 216.239.32.58 172.16.11.235 TLSv1.3 1453 Server Hello, Change Cipher Spec, Application Data
Frame 844: 1453 bytes on wire (11624 bits), 1453 bytes captured (11624 bits) on interface any, id 0
Linux cooked capture
Internet Protocol Version 4, Src: 216.239.32.58, Dst: 172.16.11.235
Transmission Control Protocol, Src Port: 636, Dst Port: 35438, Seq: 1, Ack: 342, Len: 1385
Transport Layer Security
No. Time Source Destination Protocol Length Info
845 5.033547196 172.16.11.235 216.239.32.58 TCP 68 35438 → 636 [ACK] Seq=342 Ack=1386 Win=64128 Len=0 TSval=794117915 TSecr=4220711488
Frame 845: 68 bytes on wire (544 bits), 68 bytes captured (544 bits) on interface any, id 0
Linux cooked capture
Internet Protocol Version 4, Src: 172.16.11.235, Dst: 216.239.32.58
Transmission Control Protocol, Src Port: 35438, Dst Port: 636, Seq: 342, Ack: 1386, Len: 0
No. Time Source Destination Protocol Length Info
846 5.033689995 172.16.11.235 216.239.32.58 TLSv1.3 74 Change Cipher Spec
Frame 846: 74 bytes on wire (592 bits), 74 bytes captured (592 bits) on interface any, id 0
Linux cooked capture
Internet Protocol Version 4, Src: 172.16.11.235, Dst: 216.239.32.58
Transmission Control Protocol, Src Port: 35438, Dst Port: 636, Seq: 342, Ack: 1386, Len: 6
Transport Layer Security
No. Time Source Destination Protocol Length Info
847 5.033889994 172.16.11.235 216.239.32.58 TLSv1.3 98 Application Data
Frame 847: 98 bytes on wire (784 bits), 98 bytes captured (784 bits) on interface any, id 0
Linux cooked capture
Internet Protocol Version 4, Src: 172.16.11.235, Dst: 216.239.32.58
Transmission Control Protocol, Src Port: 35438, Dst Port: 636, Seq: 348, Ack: 1386, Len: 30
Transport Layer Security
No. Time Source Destination Protocol Length Info
848 5.033995794 172.16.11.235 216.239.32.58 TLSv1.3 142 Application Data
Frame 848: 142 bytes on wire (1136 bits), 142 bytes captured (1136 bits) on interface any, id 0
Linux cooked capture
Internet Protocol Version 4, Src: 172.16.11.235, Dst: 216.239.32.58
Transmission Control Protocol, Src Port: 35438, Dst Port: 636, Seq: 378, Ack: 1386, Len: 74
Transport Layer Security
No. Time Source Destination Protocol Length Info
849 5.045626632 216.239.32.58 172.16.11.235 TCP 68 636 → 35438 [ACK] Seq=1386 Ack=453 Win=66816 Len=0 TSval=4220711500 TSecr=794117916
Frame 849: 68 bytes on wire (544 bits), 68 bytes captured (544 bits) on interface any, id 0
Linux cooked capture
Internet Protocol Version 4, Src: 216.239.32.58, Dst: 172.16.11.235
Transmission Control Protocol, Src Port: 636, Dst Port: 35438, Seq: 1386, Ack: 453, Len: 0
No. Time Source Destination Protocol Length Info
850 5.062517642 216.239.32.58 172.16.11.235 TCP 68 636 → 35438 [FIN, ACK] Seq=1386 Ack=453 Win=66816 Len=0 TSval=4220711517 TSecr=794117916
Frame 850: 68 bytes on wire (544 bits), 68 bytes captured (544 bits) on interface any, id 0
Linux cooked capture
Internet Protocol Version 4, Src: 216.239.32.58, Dst: 172.16.11.235
Transmission Control Protocol, Src Port: 636, Dst Port: 35438, Seq: 1386, Ack: 453, Len: 0
No. Time Source Destination Protocol Length Info
851 5.062536242 172.16.11.235 216.239.32.58 TCP 68 35438 → 636 [ACK] Seq=453 Ack=1387 Win=64128 Len=0 TSval=794117944 TSecr=4220711517
Frame 851: 68 bytes on wire (544 bits), 68 bytes captured (544 bits) on interface any, id 0
Linux cooked capture
Internet Protocol Version 4, Src: 172.16.11.235, Dst: 216.239.32.58
Transmission Control Protocol, Src Port: 35438, Dst Port: 636, Seq: 453, Ack: 1387, Len: 0
On Oct 1, 2021, 11:41 AM -0400, Alan DeKok <aland at deployingradius.com>, wrote:
>
>
> > On Oct 1, 2021, at 11:35 AM, Benjamin Diehl <benjamin.diehl at foundationacademy.net> wrote:
> >
> > root at FreeRadius:~# LDAPTLS_CERT={/etc/freeradius/3.0/certs/ldap-client.crt} LDAPTLS_KEY={/etc/freeradius/3.0/certs/ldap-client.key} ldapsearch -H ldaps://ldap.google.com:636 -b dc={foundationacademy},dc={net} '(main={admin at foundationacademy.net})' -d8
> > TLS: opening `{/etc/freeradius/3.0/certs/ldap-client.key}' failed: No such file or directory
> > TLS: could not use private key file `{/etc/freeradius/3.0/certs/ldap-client.key}`.
>
> Why are you putting {} around everything?
>
> LDAPTLS_CERT is a filename. There's no need to add {} everywhere. Just use this, without the {} mangling:
>
> LDAPTLS_CERT=/etc/freeradius/3.0/certs/ldap-client.crt LDAPTLS_KEY=/etc/freeradius/3.0/certs/ldap-client.key ldapsearch -H ldaps://ldap.google.com:636 -b dc=foundationacademy,dc=net '(main=admin at foundationacademy.net)' -d8
>
> > ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
> >
> > I believe this would be the issue, however, I don’t know why it wouldn’t find it. I’ve triple checked and the file is in there and named exactly the same as the command.
>
> There is no file named "{/etc/...}"
>
> Alan DeKok.
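An added example, not part of the thread and not FreeRADIUS or OpenLDAP code: a small Python script that reads a Wireshark plain-text export like the one above and works out which stage the LDAPS handshake reached before the connection died. The stage names, the verdict strings and the record-size arithmetic are the example's own; the sample input is cut down from the capture in this post. Run against that capture it reports that the server sent its Server Hello, acknowledged the client's encrypted Certificate/Finished flight with a bare ACK, then closed with FIN without sending a single byte back, and that the client's first encrypted record (30 bytes of TCP payload) is exactly the size of an empty TLS 1.3 Certificate message, which is what a client sends when the server requests a certificate and none is loaded (RFC 8446 section 4.4.2).

```python
"""Classify where an LDAPS (TLS 1.3) connection died from a Wireshark plain-text export."""
import re
from dataclasses import dataclass

SUMMARY_RE = re.compile(r"^\d+\s+[\d.]+\s+(\S+)\s+(\S+)\s+(\S+)\s+\d+\s+(.*)$")
TCP_RE = re.compile(r"^Transmission Control Protocol, Src Port: \d+, Dst Port: (\d+), "
                    r"Seq: \d+(?:, Ack: \d+)?, Len: (\d+)$")
DNS_ANSWER_RE = re.compile(r" (A|AAAA) (\S+) \1 (\S+)")
# A TLS 1.3 Certificate message with an empty certificate_list is 8 bytes (4-byte
# handshake header, 1-byte context length, 3-byte list length).  As TLSInnerPlaintext
# (+1 content-type byte), AEAD-sealed (+16-byte tag for AES-GCM/ChaCha20-Poly1305)
# under a 5-byte record header, it is a 30-byte record on the wire.
EMPTY_CERT_RECORD_LEN = 8 + 1 + 16 + 5


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    info: str
    dport: int = 0
    payload: int = 0  # TCP payload bytes, from the detail line


def parse_export(text):
    """One Packet per summary line; a following TCP detail line adds port and payload."""
    packets = []
    for raw in text.splitlines():
        m = SUMMARY_RE.match(raw.strip())
        if m:
            packets.append(Packet(*m.groups()))
            continue
        m = TCP_RE.match(raw.strip())
        if m and packets:
            packets[-1].dport, packets[-1].payload = map(int, m.groups())
    return packets


def diagnose(packets, server_port=636):
    """Follow the first conversation to server_port and report the last handshake stage.
    TLS 1.3 encrypts everything after Server Hello, so the client's Certificate/Finished
    flight is just 'Application Data'; we reason from direction, size and who closed."""
    r = {"stage": "no_connection", "dns": {}, "client_records": [], "server_bytes_after": 0}
    client = server = None
    for p in packets:
        if p.proto == "DNS" and "response" in p.info:
            m = DNS_ANSWER_RE.search(p.info)
            if m:
                r["dns"].setdefault(m[2], []).append(m[3])
        elif client is None:
            if p.dport == server_port and "[SYN]" in p.info:
                client, server, r["stage"] = p.src, p.dst, "syn_sent"
        elif {p.src, p.dst} != {client, server}:
            continue  # unrelated traffic, e.g. the mDNS chatter in the capture
        elif p.src == server and "[SYN, ACK]" in p.info:
            r["stage"] = "tcp_established"
        elif p.src == client and "Client Hello" in p.info:
            r["stage"] = "client_hello_sent"
        elif p.src == server and "Server Hello" in p.info:
            r["stage"] = "server_hello_received"
        elif (p.src == client and p.proto.startswith("TLS")
              and r["stage"] in ("server_hello_received", "client_flight_sent")):
            r["client_records"].append((p.info, p.payload))
            r["stage"] = "client_flight_sent"
        elif p.src == server and r["stage"] == "client_flight_sent":
            r["server_bytes_after"] += p.payload
            if "FIN" in p.info:
                r["stage"] = "server_closed"
                break
    r["verdict"] = _verdict(r)
    return r


def _verdict(r):
    if r["stage"] == "server_closed" and r["server_bytes_after"] == 0:
        text = ("server closed right after the client's encrypted Certificate/Finished "
                "flight and sent nothing back: TLS was rejected, the LDAP bind never started")
        if any(n == EMPTY_CERT_RECORD_LEN for _, n in r["client_records"]):
            text += ("; a %d-byte client record is exactly an encrypted empty Certificate "
                     "message, so no client certificate was presented" % EMPTY_CERT_RECORD_LEN)
        return text
    return {"no_connection": "no SYN to the LDAPS port: DNS or routing problem",
            "syn_sent": "SYN unanswered: firewall or wrong address",
            "tcp_established": "TCP up but no Client Hello: client-side TLS setup failed",
            "client_hello_sent": "no Server Hello: version/cipher mismatch or server dropped us",
            "server_hello_received": "client never answered Server Hello: see client TLS errors",
            "client_flight_sent": "handshake still in flight in this capture",
            "server_closed": "TLS completed; the close came from the LDAP layer (bind, ACL)"
            }[r["stage"]]


# Constructed sample: summary and TCP detail lines cut from the capture in the post.
SAMPLE = """\
833 5.008286031 127.0.0.53 127.0.0.1 DNS 104 Standard query response 0x20a3 A ldap.google.com A 216.239.32.58 OPT
835 5.008455330 172.16.11.235 216.239.32.58 TCP 76 35438 → 636 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
Transmission Control Protocol, Src Port: 35438, Dst Port: 636, Seq: 0, Len: 0
836 5.011327514 fe80::1ce7:6229:56d2:b253 ff02::fb MDNS 238 Standard query response 0x0000 PTR FAN-MBP-Tech Office-01._companion-link._tcp.local TXT
840 5.020119168 216.239.32.58 172.16.11.235 TCP 76 636 → 35438 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0
842 5.020381866 172.16.11.235 216.239.32.58 TLSv1.3 409 Client Hello
844 5.033541496 216.239.32.58 172.16.11.235 TLSv1.3 1453 Server Hello, Change Cipher Spec, Application Data
847 5.033889994 172.16.11.235 216.239.32.58 TLSv1.3 98 Application Data
Transmission Control Protocol, Src Port: 35438, Dst Port: 636, Seq: 348, Ack: 1386, Len: 30
848 5.033995794 172.16.11.235 216.239.32.58 TLSv1.3 142 Application Data
Transmission Control Protocol, Src Port: 35438, Dst Port: 636, Seq: 378, Ack: 1386, Len: 74
850 5.062517642 216.239.32.58 172.16.11.235 TCP 68 636 → 35438 [FIN, ACK] Seq=1386 Ack=453 Win=66816 Len=0
"""
```

diagnose(parse_export(SAMPLE)) returns a dict with the stage reached, the addresses resolved for ldap.google.com, the client's post-Server-Hello records with their TCP payload sizes, and the verdict. The size check only holds for AEAD suites with a 16-byte tag, which is every TLS 1.3 suite; the 74-byte record that follows the 30-byte one is the size of a Finished message for a SHA-384 suite (4 + 48 + 1 + 16 + 5), and it would be 58 bytes for a SHA-256 suite. If the server had completed the handshake, it would have sent at least a NewSessionTicket after the client's flight, and the script would then point at the LDAP layer instead.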