Ability to disable SSL certificate checking for LDAPS (636)?

Alan DeKok aland at deployingradius.com
Thu Apr 25 18:43:52 UTC 2024


On Apr 25, 2024, at 2:17 PM, Chris Wopat <me at falz.net> wrote:
> We're rebuilding some radius servers from Centos 7 to Ubuntu 22, due
> to the Centos 8 debacle.
> 
> Both are 3.0.x. We ported our config over, which uses LDAPS:// on 636
> on a Microsoft Windows 2022 AD server. We do not want to use TLS on
> 389.

  Many other things have changed between CentOS7 and Ubuntu 22.  The most important being OpenSSL.  CentOS7 installs OpenSSL 1.0 by default, which is very very old.  Ubuntu 22 installs a much newer version.

  Newer versions of OpenSSL do much more stringent certificate checks.

> Something seems different behaviourally between the servers, the new
> Ubuntu server (FreeRADIUS 3.0.26) appears to be attempting to validate
> the certificate much more heavily.

  Yes.  That's OpenSSL.

> This must be an AD thing, but we get this stuff about "DomainDnsZones"
> and "ForestDnsZones" when we attempt to authenticate, and it hence
> fails. The bind is successful and omitted below:

  DomainDnsZones and ForestDnsZones are all Active Directory things.

> ========================================
> 
> TLS: hostname (ForestDnsZones.ad.MYDOMAIN.net) does not match common
> name in certificate (ad.MYDOMAIN.net).
> TLS: can't connect: (unknown error code).
> Unable to chase referral
> "ldaps://ForestDnsZones.ad.MYDOMAIN.net/DC=ForestDnsZones,DC=ad,DC=MYDOMAIN,DC=net"
> (-1: Can't contact LDAP server)
> 
> TLS: hostname (DomainDnsZones.ad.MYDOMAIN.net) does not match common
> name in certificate (ad.MYDOMAIN.net).

  That should be fixed.  The TLS certificate is wrong.

  Either the referral should be to ad.MYDOMAIN.net, or the TLS certificate should contain the same name as the referring hostname: DomainDnsZones.ad.MYDOMAIN.net

  i.e. this isn't a FreeRADIUS issue.  The TLS configuration on Active Directory is wrong.


> Seeing if any options exist outside of regenerating/re-issuing /
> re-installing this certificate, adding "DomainDnsZones" and
> "ForestDnsZones" to it?
> 
> I can't find any docs for this, but is there any type of "don't
> validate" flag? I've set chase_referrals to no, and it still won't
> work (but it doesn't give the above error).

  There's no option in the LDAP module to disable certificate checks.  That's generally a bad idea. :(

  Alan DeKok.
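An added example, not code from this thread or from FreeRADIUS or OpenLDAP, that checks the point above: the names on the DC's certificate must cover every host the referrals point at. It pulls the referral hostnames out of log lines like the ones quoted (a constructed sample based on them), then matches them against a certificate in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns. The matching rule is my own implementation of the RFC 6125 wildcard rules, and the assumption that the subject CN is consulted only when the certificate has no SAN dNSName entries follows OpenSSL's default behaviour. `ad.MYDOMAIN.net` and the zone hostnames are the poster's placeholders.

```python
"""Check whether an LDAP server certificate names every host that the
server's referrals send the client to (added illustration, not project code)."""
import re
from urllib.parse import urlsplit

# Constructed sample, following the lines the poster quoted.
SAMPLE_LOG = """\
TLS: hostname (ForestDnsZones.ad.MYDOMAIN.net) does not match common name in certificate (ad.MYDOMAIN.net).
TLS: can't connect: (unknown error code).
Unable to chase referral "ldaps://ForestDnsZones.ad.MYDOMAIN.net/DC=ForestDnsZones,DC=ad,DC=MYDOMAIN,DC=net" (-1: Can't contact LDAP server)
TLS: hostname (DomainDnsZones.ad.MYDOMAIN.net) does not match common name in certificate (ad.MYDOMAIN.net).
"""

TLS_MISMATCH_RE = re.compile(r"TLS: hostname \(([^)]+)\) does not match")
REFERRAL_RE = re.compile(r'Unable to chase referral "(ldaps?://[^"]+)"')


def referral_hosts(log_text):
    """Distinct hostnames (lowercased, first-seen order) the log shows the
    client being sent to, taken from both the TLS mismatch lines and the
    referral URLs themselves."""
    hosts = []
    for line in log_text.splitlines():
        found = [m.group(1) for m in TLS_MISMATCH_RE.finditer(line)]
        found += [urlsplit(m.group(1)).hostname or "" for m in REFERRAL_RE.finditer(line)]
        for h in found:
            h = h.lower().rstrip(".")
            if h and h not in hosts:
                hosts.append(h)
    return hosts


def dns_name_matches(pattern, host):
    """Match one certificate DNS name against a hostname with the RFC 6125
    rules current OpenSSL applies by default: case-insensitive, and a '*'
    counts only when it is the entire leftmost label, has at least two
    labels after it, and stands for exactly one non-empty label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def names_checked(cert):
    """Names a verifier compares the hostname against, for a certificate in
    the dict shape returned by ssl.SSLSocket.getpeercert(). Assumption,
    modelled on OpenSSL's X509_check_host default: SAN dNSName entries when
    the certificate has any, otherwise the subject commonName."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def missing_names(cert, hosts):
    """Hosts that no name on the certificate matches: these are the SAN
    entries the certificate needs before the referrals will verify."""
    names = names_checked(cert)
    return [h for h in hosts if not any(dns_name_matches(n, h) for n in names)]


# Certificate as the poster describes it: only the DC's own name.
CERT_AS_ISSUED = {
    "subject": ((("commonName", "ad.MYDOMAIN.net"),),),
    "subjectAltName": (("DNS", "ad.MYDOMAIN.net"),),
}
# Reissued with the referral hostnames added as SANs.
CERT_FIXED = {
    "subject": ((("commonName", "ad.MYDOMAIN.net"),),),
    "subjectAltName": (("DNS", "ad.MYDOMAIN.net"),
                       ("DNS", "DomainDnsZones.ad.MYDOMAIN.net"),
                       ("DNS", "ForestDnsZones.ad.MYDOMAIN.net")),
}
# A wildcard covers the zone hosts but not the bare ad.MYDOMAIN.net name.
CERT_WILDCARD_ONLY = {
    "subject": ((("commonName", "ad.MYDOMAIN.net"),),),
    "subjectAltName": (("DNS", "*.ad.MYDOMAIN.net"),),
}

if __name__ == "__main__":
    hosts = referral_hosts(SAMPLE_LOG) + ["ad.MYDOMAIN.net"]
    for label, cert in (("as issued", CERT_AS_ISSUED), ("fixed", CERT_FIXED),
                        ("wildcard only", CERT_WILDCARD_ONLY)):
        print(f"{label}: missing SAN entries for {missing_names(cert, hosts)}")
```

Run it as-is and the "as issued" certificate comes back missing both zone hostnames, which is exactly the failure in the log; the reissued certificate is missing nothing. The wildcard case is included because `*.ad.MYDOMAIN.net` matches the two zone hosts but not `ad.MYDOMAIN.net` itself, so a wildcard certificate still needs the bare name as a separate SAN entry.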



More information about the Freeradius-Users mailing list