If you're using Port 636, you probably need to set TLS off. I'm not sure starting TLS over SSL works. Even if it does, it's kind of redundant.
Owen
--On Monday, June 23, 2003 10:49 AM +0200 "Francisco Orozco/Upcnet" <[EMAIL PROTECTED]> wrote:
Hiya,
Finally I've installed openSSL, but I think I'm forgetting something, because I can authenticate via LDAP over SSL.
I've installed openSSL (openssl-0.9.7b). I've installed Freeradius (freeradius-0.8.1) as:
tar -zxvf freeradius.tar.gz
cd freeradius-0.8.1
./configure --prefix=/opt/freeradius
make
make install
Then I configured radiusd.conf (see file below).
First with port=389 (LDAP without SSL):
rad_recv: Access-Request packet from host 127.0.0.1:32805, id=90, length=60
        User-Name = "99990010"
        User-Password = "hola123"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1
rad_lowerpair: User-Name now '99990010'
rad_lowerpair: User-Password now 'hola123'
modcall: entering group authorize
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 99990010
radius_xlat: '(uid=99990010)'
radius_xlat: 'o=LCX'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=LCX, with filter (uid=99990010)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user 99990010 authorized to use remote access
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
modcall: entering group authtype
rlm_ldap: - authenticate
rlm_ldap: login attempt by "99990010" with password "hola123"
rlm_ldap: user DN: CN=Usuari Proves10,O=LCX
rlm_ldap: (re)connect to albinoni.upc.es:389, authentication 1
rlm_ldap: bind as CN=Usuari Proves10,O=LCX/hola123 to albinoni.upc.es:389
rlm_ldap: waiting for bind result ...
rlm_ldap: user 99990010 authenticated succesfully
modcall[authenticate]: module "ldap" returns ok
modcall: group authtype returns ok
Sending Access-Accept of id 90 to 127.0.0.1:32805
It works great. I can authenticate without any problem.
Now I'll try with LDAP over SSL. As you can see, I haven't installed any self-signed or CA certificate, but I can't see any message about it.
Now port=636:
rad_recv: Access-Request packet from host 127.0.0.1:32806, id=100, length=60
        User-Name = "99990010"
        User-Password = "hola123"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1
rad_lowerpair: User-Name now '99990010'
rad_lowerpair: User-Password now 'hola123'
modcall: entering group authorize
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 99990010
radius_xlat: '(uid=99990010)'
radius_xlat: 'o=LCX'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to albinoni.upc.es:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: bind as / to albinoni.upc.es:636
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in o=LCX, with filter (uid=99990010)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user 99990010 authorized to use remote access
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
modcall: entering group authtype
rlm_ldap: - authenticate
rlm_ldap: login attempt by "99990010" with password "hola123"
rlm_ldap: user DN: CN=Usuari Proves10,O=LCX
rlm_ldap: (re)connect to albinoni.upc.es:636, authentication 1
rlm_ldap: setting TLS mode to 1
rlm_ldap: bind as CN=Usuari Proves10,O=LCX/hola123 to albinoni.upc.es:636
rlm_ldap: waiting for bind result ...
modcall[authenticate]: module "ldap" returns reject
modcall: group authtype returns reject
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
I think RADIUS can connect to the LDAP server over SSL, because it can do the first filter, but when it tries to authenticate it is missing something...
More help!!!!! :-)
______________________________________
Paco Orozco ([EMAIL PROTECTED])
Divisió de Telecomunicacions (Telecommunications Division), UPCNet
Edifici Vèrtex - Pl. Eusebi Güell, 6
Switchboard: 93.40.11600
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
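The combination Owen points at (port 636, which is LDAP over SSL, together with a StartTLS request on the same connection) is easy to catch before starting radiusd. The script below is an added example and is not code from the thread or from FreeRADIUS: it parses a small rlm_ldap-style stanza and flags contradictory or weak TLS settings. The stanza text is constructed for the example (the poster's radiusd.conf was not included in the message), and the key names port, start_tls, tls_cacertfile and tls_cacertdir are assumed to match rlm_ldap's configuration syntax.

```python
"""Sanity-check the TLS settings of an rlm_ldap stanza (added example).

Assumptions: the stanza uses `key = value` lines, and the keys port,
start_tls, tls_cacertfile and tls_cacertdir carry the rlm_ldap meanings.
The sample stanza is constructed; it is not the config from the thread.
"""
import re

LDAP_PORT = 389    # plain LDAP; StartTLS upgrades this connection
LDAPS_PORT = 636   # LDAP over SSL; the connection is encrypted from the start

# Constructed sample resembling the poster's second (port 636) attempt.
SAMPLE_STANZA = """
ldap {
    server = "albinoni.upc.es"
    port = 636
    basedn = "o=LCX"
    filter = "(uid=%u)"
    start_tls = yes
    # tls_cacertfile = /path/to/ca.pem
}
"""


def parse_stanza(text):
    """Return the `key = value` pairs of one module block as a dict.

    Comments after '#' are dropped, surrounding quotes on values removed,
    and lines that are not assignments (block braces) are skipped.
    """
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^(\w+)\s*=\s*(.+?)\s*$", line)
        if not m:
            continue
        cfg[m.group(1).lower()] = m.group(2).strip().strip('"')
    return cfg


def _truthy(value):
    return str(value).strip().lower() in ("yes", "on", "true", "1")


def check_ldap_tls(cfg):
    """Return a list of (severity, message) findings for the stanza."""
    findings = []
    port = int(cfg.get("port", LDAP_PORT))
    start_tls = _truthy(cfg.get("start_tls", "no"))
    encrypted = port == LDAPS_PORT or start_tls

    if port == LDAPS_PORT and start_tls:
        # The 636 session is already SSL; asking for StartTLS on top of it
        # is redundant at best and fails against the usual client library.
        findings.append(("error",
                         "port 636 is LDAP over SSL: turn start_tls off"))
    if port == LDAP_PORT and not start_tls:
        findings.append(("warning",
                         "port 389 without start_tls: bind DN and user "
                         "password cross the network in clear text"))
    if encrypted and not (cfg.get("tls_cacertfile") or cfg.get("tls_cacertdir")):
        findings.append(("warning",
                         "no CA certificate configured: the server "
                         "certificate cannot be verified"))
    return findings


if __name__ == "__main__":
    for severity, message in check_ldap_tls(parse_stanza(SAMPLE_STANZA)):
        print("%s: %s" % (severity, message))
```

Run it as-is to see the two findings for the constructed stanza; setting `start_tls = no` and pointing `tls_cacertfile` at the CA that signed the directory server's certificate clears both.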
