Steve
Looks like the LDAPS connection from non-Windows-native clients is not working
properly. From a Windows workstation (not on the AD machine), first try LDP.EXE
(Microsoft Win2K Support Tools LDAP utility) with the SSL flag set to connect to your AD
LDAP server and see if this works. This shows whether LDAPS is working from a
Windows-native point of view. Next, try LDAP Browser/Editor
(http://www.iit.edu/~gawojar/ldap/) to access the AD with LDAPS (on Windows you will
need Sun Java); import your AD root CA cert (use the same PEM file as used before; see
the documentation below). If you can connect now, this will provide an indication that
connection from "non-Windows-native" clients works with LDAPS.
Once that works, you can then go on from there.
Regards
Tarun
===================== Doc - is a sample session ============================
C:\Program Files\Java\j2re1.4.1_03\bin>keytool -list -keystore "C:\Program
Files\Java\j2re1.4.1_03\lib\security\cacerts"
Enter keystore password: changeit
Keystore type: jks
Keystore provider: SUN
Your keystore contains 15 entries
thawtepersonalfreemailca, 12/02/1999, trustedCertEntry,
Certificate fingerprint (MD5): 1E:74:C3:86:3C:0C:35:C5:3E:C2:7F:EF:3C:AA:3C:D9
baltimorecodesigningca, 10/05/2002, trustedCertEntry,
Certificate fingerprint (MD5): 90:F5:28:49:56:D1:5D:2C:B0:53:D4:4B:EF:6F:90:22
thawtepersonalbasicca, 12/02/1999, trustedCertEntry,
Certificate fingerprint (MD5): E6:0B:D2:C9:CA:2D:88:DB:1A:71:0E:4B:78:EB:02:41
gtecybertrustglobalca, 10/05/2002, trustedCertEntry,
Certificate fingerprint (MD5): CA:3D:D3:68:F1:03:5C:D0:32:FA:B8:2B:59:E8:5A:DB
verisignclass3ca, 29/06/1998, trustedCertEntry,
Certificate fingerprint (MD5): 78:2A:02:DF:DB:2E:14:D5:A7:5F:0A:DF:B6:8E:9C:5D
thawteserverca, 12/02/1999, trustedCertEntry,
Certificate fingerprint (MD5): C5:70:C4:A2:ED:53:78:0C:C8:10:53:81:64:CB:D0:1D
thawtepersonalpremiumca, 12/02/1999, trustedCertEntry,
Certificate fingerprint (MD5): 3A:B2:DE:22:9A:20:93:49:F9:ED:C8:D2:8A:E7:68:0D
verisignclass4ca, 29/06/1998, trustedCertEntry,
Certificate fingerprint (MD5): 1B:D1:AD:17:8B:7F:22:13:24:F5:26:E2:5D:4E:B9:10
baltimorecybertrustca, 10/05/2002, trustedCertEntry,
Certificate fingerprint (MD5): AC:B6:94:A5:9C:17:E0:D7:91:52:9B:B1:97:06:A6:E4
verisignclass1ca, 29/06/1998, trustedCertEntry,
Certificate fingerprint (MD5): 51:86:E8:1F:BC:B1:C3:71:B5:18:10:DB:5F:DC:F6:20
verisignserverca, 29/06/1998, trustedCertEntry,
Certificate fingerprint (MD5): 74:7B:82:03:43:F0:00:9E:6B:B3:EC:47:BF:85:A5:93
thawtepremiumserverca, 12/02/1999, trustedCertEntry,
Certificate fingerprint (MD5): 06:9F:69:79:16:66:90:02:1B:8C:8C:A2:C3:07:6F:3A
gtecybertrustca, 10/05/2002, trustedCertEntry,
Certificate fingerprint (MD5): C4:D7:F0:B2:A3:C5:7D:61:67:F0:04:CD:43:D3:BA:58
gtecybertrust5ca, 10/05/2002, trustedCertEntry,
Certificate fingerprint (MD5): 7D:6C:86:E4:FC:4D:D1:0B:00:BA:22:BB:4E:7C:6A:8E
verisignclass2ca, 29/06/1998, trustedCertEntry,
Certificate fingerprint (MD5): EC:40:7D:2B:76:52:67:05:2C:EA:F2:3A:4F:65:F0:D8
C:\Program Files\Java\j2re1.4.1_03\bin>keytool -import -v -alias somecompany_ad_ca
-file c:\temp\somedc.ca.pem -keystore "C:\Program
Files\Java\j2re1.4.1_03\lib\security\cacerts"
Enter keystore password: changeit
Owner: CN=somedc.somecompany.com, OU=etc..., [EMAIL PROTECTED]
Issuer: CN=somedc.somecompany.com, OU=etc..., [EMAIL PROTECTED]
Serial number: something
Valid from: <date> until: <date>
Certificate fingerprints:
MD5: something
SHA1: something
Trust this certificate? [no]: yes
Certificate was added to keystore
[Saving C:\Program Files\Java\j2re1.4.1_03\lib\security\cacerts]
C:\Program Files\Java\j2re1.4.1_03\bin>keytool -list -keystore
"C:\Tools\ldapbrowser\lbecacerts"
Enter keystore password: changeit
Keystore type: jks
Keystore provider: SUN
Your keystore contains 6 entries
1049851423488, 9/04/2003, trustedCertEntry,
Certificate fingerprint (MD5): 71:C5:05:89:08:BC:78:96:20:45:E2:0E:FD:89:E8:72
1042686583627, 16/01/2003, trustedCertEntry,
Certificate fingerprint (MD5): D9:11:9E:1A:CE:C5:C4:29:2F:E6:DE:EB:C0:E8:12:0D
1047532540747, 13/03/2003, trustedCertEntry,
Certificate fingerprint (MD5): 90:81:E7:42:CA:D8:90:A7:59:A5:0E:D3:0E:20:1E:B0
1042609942072, 15/01/2003, trustedCertEntry,
Certificate fingerprint (MD5): F0:C3:1D:07:F7:20:7E:95:97:73:53:76:12:9B:D4:14
1046156863186, 25/02/2003, trustedCertEntry,
Certificate fingerprint (MD5): F3:04:1F:F2:73:4F:C3:0D:C1:FA:5C:4C:D3:C6:13:1A
1042179593031, 10/01/2003, trustedCertEntry,
Certificate fingerprint (MD5): A0:AD:08:60:83:1B:C3:50:72:7B:95:92:5A:67:E3:91
C:\Program Files\Java\j2re1.4.1_03\bin>keytool -import -v -alias somecompany_ad_ca
-file c:\temp\somedc.ca.pem -keystore "C:\Tools\ldapbrowser\lbecacerts"
Enter keystore password: changeit
Owner: CN=somedc.somecompany.com, OU=etc..., [EMAIL PROTECTED]
Issuer: CN=somedc.somecompany.com, OU=etc..., [EMAIL PROTECTED]
Serial number: something
Valid from: <date> until: <date>
Certificate fingerprints:
MD5: something
SHA1: something
Trust this certificate? [no]: yes
Certificate was added to keystore
[Saving C:\Tools\ldapbrowser\lbecacerts]
============================ End Doc ==================================
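The same check Tarun has you do with LDP.EXE and LDAP Browser, as a small added script (not from this thread or from FreeRADIUS): it opens a TLS session to the DC on 636 trusting only the AD CA PEM (the self-signed DC cert in the session above), verifies the hostname, and then sends an anonymous LDAPv3 bind and reads the resultCode. The host name and PEM path are placeholders taken from the sample session; substitute your own.

```python
import socket
import ssl

# LDAPv3 is BER-encoded (RFC 4511), so a bind request is just a handful of TLVs.
def ber_len(n):
    """BER length: short form below 128, long form (0x8N + N length bytes) above."""
    if n < 128:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def read_tlv(buf, pos=0):
    """Decode one TLV at buf[pos]; returns (tag, value, position after the TLV)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def bind_request(msg_id=1, dn=b"", password=b""):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple } }.
    Empty dn/password is an anonymous bind: enough to prove the TLS session is usable."""
    body = tlv(0x02, b"\x03") + tlv(0x04, dn) + tlv(0x80, password)
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, body))

def bind_result_code(resp):
    """resultCode from LDAPMessage { messageID, BindResponse [APPLICATION 1] { ENUMERATED, ... } }."""
    tag, msg, _ = read_tlv(resp)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(msg)                      # skip messageID
    tag, bind, _ = read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse: tag 0x%02x" % tag)
    _, code, _ = read_tlv(bind)                    # 0 = success, 49 = invalidCredentials
    return int.from_bytes(code, "big")

def check_ldaps(host, ca_pem, port=636):
    """TLS to the DC trusting only ca_pem (hostname checked), then an anonymous bind.
    Returns (server cert subject, LDAP resultCode). A failure here before any LDAP
    bytes are sent is a trust-store/certificate-chain problem, not an LDAP problem."""
    ctx = ssl.create_default_context(cafile=ca_pem)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            subject = tls.getpeercert()["subject"]
            tls.sendall(bind_request())
            return subject, bind_result_code(tls.recv(4096))  # bind responses are small

if __name__ == "__main__":
    # Placeholder DC name and CA path from the sample session above; substitute your own.
    print(check_ldaps("somedc.somecompany.com", r"c:\temp\somedc.ca.pem"))
```

If the TLS handshake fails with a certificate verify error, the PEM is not the root that signed the DC's LDAPS certificate (or the name in the cert does not match the host), which is the same condition that makes LDAP Browser fail before the CA is imported into its keystore.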
-----Original Message-----
From: Steve OBrien [mailto:[EMAIL PROTECTED]
Sent: Sunday, 21 March 2004 12:28 PM
To: [EMAIL PROTECTED]
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD
OK, I got that problem fixed on the Windows side. Now I am getting an immediate
Access-Reject; here is the debug:
<snip>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html