On 02/06/2011 09:20 PM, James wrote:
> I'm having some issues getting Radiator to bounce off of an LDAP
> server with STARTTLS. Note that authentication works fine if I disable
> both SSL and STARTTLS against my OpenDS LDAP server.
The config below does a client-authenticated TLS handshake. That is, both the client and server exchange certificates. If you only want to verify the server certificate, remove SSLCAClientKey and SSLCAClientCert from your config. A common configuration is for the client to verify the server certificate against the CA certificate in SSLCAFile and then authenticate to the LDAP server with AuthDN and AuthPassword. Please note that the SSLCA* settings are only for bringing up the TLS/SSL connection. They have nothing to do with authenticating Radiator to the LDAP server.

> Here's the snippet of configuration used for <AuthBy LDAP2>:
>
> <AuthBy LDAP2>
> Identifier ldapAuth
> Host server.example.com
> BaseDN <baseDN>
> UsernameAttr uid
> HoldServerConnection
> UseTLS
> SSLCAClientCert certificates/client.cert.pem
> SSLCAClientKey certificates/client.key.pem

Remove these two lines above, unless you really want to do a client-authenticated TLS handshake.

> SSLCAFile certificates/ca.cert.pem
> Version 3
> </AuthBy>
>
> The client certificates (client.cert.pem and client.key.pem) were
> generated by a CA I run, and the ca.cert.pem is actually a
> self-signed certificate that I obtained by doing an "openssl s_client
> -connect server.example.com:636". (the STARTTLS and SSL certificates
> are identical on the LDAP server)
>
> When I enable UseTLS connectivity fails with the following error messages:
>
> Sun Feb 6 10:14:17 2011: DEBUG: Handling with Radius::AuthLDAP2: ldapAuth
> Sun Feb 6 10:14:17 2011: INFO: Connecting to server.example.com:389
> Sun Feb 6 10:14:17 2011: ERR: StartTLS failed: SSL connect attempt
> failed because of handshake
> problemserror:00000000:lib(0):func(0):reason(0)
> Sun Feb 6 10:14:17 2011: ERR: Could not open LDAP connection to
> server.example.com:389. Backing off for 600 seconds.
> Sun Feb 6 10:14:17 2011: DEBUG: AuthBy LDAP2 result: IGNORE, User
> database access error
>
> I did a bit of digging -- seems it's possible to disable certificate
> checking in Net::LDAP (although clearly not recommended). I modified
> the Ldap.pm file and changed the SSLVerify var from required to none;
> the exact same error still occurs. This doesn't make sense to me. The
> error should likely disappear if I've set "verify" to "none," no?
>
> My goal is ultimately to change SSLCAFile to the self-signed
> certificate (gleaned from an "openssl s_client -connect"). Any
> thoughts on how to go about fixing this?
>
> Thanks!
> _______________________________________________
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator

--
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc.
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
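The two-step setup Heikki describes (bring up TLS by verifying the server certificate against the CA file, then bind with AuthDN/AuthPassword) can be reproduced outside Radiator with Net::LDAP, which is what Radiator's Ldap.pm uses underneath. This is an added diagnostic script, not code from the thread or from Radiator itself; the bind DN, password and certificate paths are assumed values you would replace with your own, and the MUTUAL_TLS switch is a hypothetical knob that mirrors the SSLCAClientCert/SSLCAClientKey lines.

```perl
#!/usr/bin/perl
# Added diagnostic (not from the thread or Radiator): run the same
# STARTTLS + bind sequence that <AuthBy LDAP2> performs, so the real
# handshake error is visible instead of Radiator's summary line.
use strict;
use warnings;
use Net::LDAP;
use IO::Socket::SSL;

my $host   = 'server.example.com';
my $cafile = 'certificates/ca.cert.pem';                    # CA that issued the server cert
my $authdn = 'cn=radiator,ou=services,dc=example,dc=com';  # assumed AuthDN
my $authpw = 'changeme';                                    # assumed AuthPassword

# Only present a client certificate when the server is configured to
# ask for one. This is the SSLCAClientCert/SSLCAClientKey case; leave
# MUTUAL_TLS unset for the common server-only verification setup.
my %client_auth = $ENV{MUTUAL_TLS}
    ? (clientcert => 'certificates/client.cert.pem',
       clientkey  => 'certificates/client.key.pem')
    : ();

my $ldap = Net::LDAP->new($host, port => 389, version => 3)
    or die "Cannot connect to $host:389: $@\n";

# Step 1: bring up TLS. verify => 'require' checks the server certificate
# against $cafile, which is what SSLCAFile does in Radiator. Nothing here
# authenticates us to the directory yet.
my $mesg = $ldap->start_tls(verify => 'require', cafile => $cafile, %client_auth);
if ($mesg->code) {
    die sprintf "StartTLS failed: %s (SSL: %s)\n",
        $mesg->error, $IO::Socket::SSL::SSL_ERROR // 'none';
}
printf "TLS up: cipher %s, server CN %s\n",
    $ldap->socket->get_cipher, $ldap->socket->peer_certificate('cn');

# Step 2: authenticate to the directory. This is AuthDN/AuthPassword and
# is independent of whatever certificates were used in step 1.
$mesg = $ldap->bind($authdn, password => $authpw);
die "Bind failed: " . $mesg->error . "\n" if $mesg->code;
print "Bind OK\n";
$ldap->unbind;
```

If step 1 fails with the same "handshake problems" message even with verify => 'none', the server is rejecting the handshake itself (for example an unexpected or untrusted client certificate), so loosening verification on the client side is not the fix.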