OK, I got it going here too, just some login syntax issues with the LDAP browser. Now I can log in with SSL there but am still getting errors with FreeRADIUS radtest. On a side note, radtest is now working with an identical radiusd.conf without SSL. To roll this out I need SSL to work. Here's the debug output:
Thanks again for all your help!!
rad_recv: Access-Request packet from host 127.0.0.1:49066, id=128, length=56
User-Name = "test"
User-Password = "test"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "eap" returns noop for request 0
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
users: Matched DEFAULT at 152
modcall[authorize]: module "files" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "test" with password "test"
radius_xlat: '(SamAccountName=test)'
radius_xlat: 'dc=ci,dc=bend,dc=or,dc=us'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to cityhalldc1.ci.bend.or.us:636, authentication 0
rlm_ldap: setting TLS mode to 1
ldap_err2string
rlm_ldap: could not set LDAP_OPT_X_TLS option Success
rlm_ldap: bind as cn=freeradius,cn=users,dc=ci,dc=bend,dc=or,dc=us/freerad1us to cityhalldc1.ci.bend.or.us:636
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP cityhalldc1.ci.bend.or.us:636
ldap_new_socket: 7
ldap_prepare_socket: 7
ldap_connect_to_host: Trying 192.168.19.40:636
ldap_connect_timeout: fd: 7 tm: 5 async: 0
ldap_ndelay_on: 7
ldap_is_sock_ready: 7
ldap_ndelay_off: 7
ldap_open_defconn: successful
ldap_send_server_request
rlm_ldap: waiting for bind result ...
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (timeout 10 sec, 0 usec), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: cityhalldc1.ci.bend.or.us port: 636 (default)
refcnt: 2 status: Connected
last used: Mon Mar 22 15:55:54 2004
** Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** Response Queue:
Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 1
ber_get_next failed.
rlm_ldap: ldap_result()
ldap_err2string
rlm_ldap: cn=freeradius,cn=users,dc=ci,dc=bend,dc=or,dc=us bind to cityhalldc1.ci.bend.or.us:636 failed: Can't contact LDAP server
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_send_unbind
ldap_free_connection: actually freed
rlm_ldap: (re)connection attempt failed
ldap_release_conn: Release Id: 0
modcall[authenticate]: module "ldap" returns fail for request 0
modcall: group Auth-Type returns fail for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 128 to 127.0.0.1:49066
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 128 with timestamp 405f7d0a
Nothing to do. Sleeping until we see a request.
Here's ldap.conf:
[snip]
# Active Directory SSL options
ssl on
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
tls_checkpeer no
# CA certificates for server certificate verification
TLS_CACERT /usr/local/ssl/certs/cacertder.pem
[snip]
Here's radiusd.conf:
[snip]
ldap {
server = "cityhalldc1.ci.bend.or.us"
port = 636
identity = "cn=freeradius,cn=users,dc=ci,dc=bend,dc=or,dc=us"
password = freerad1us
basedn = "dc=ci,dc=bend,dc=or,dc=us"
#filter = "(cn=%u)"
#filter = "(sAMAccountName=%u)"
filter = "(SamAccountName=%{Stripped-User-Name:-%{User-Name}})"
#filter = "(&(SamAccountName=%{Stripped-User-Name:-%{User-Name}})(memberOf=cn=RemoteUser,cn=Users,dc=ci,dc=bend,dc=or,dc=us))"
# set this to 'yes' to use TLS encrypted connections
# to the LDAP database.
start_tls = no
#tls_mode = no
# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${raddbdir}/ldap.attrmap
# ldap_cache_timeout = 120
# ldap_cache_size = 0
ldap_connections_number = 10
#groupname_attribute = cn
#groupmembership_filter = "(&(objectClass=Group)(member=%{Ldap-UserDn}))"
timeout = 10
timelimit = 10
net_timeout = 5
ldap_debug = 0xFFFF
ldap_debug = 0x0001
compare_check_items = yes
access_attr_used_for_allow = no
}
[snip]
"Tarun Bhushan" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED] 03/22/2004 02:26 PM
Steve,
What you need is the Windows root CA cert that you placed on the
FreeRadius box. Use the same PEM file as input on the box you are
executing the LDAP/Browser/Editor (LBE) from - this is the
c:\temp\somedc.ca.pem file I refer to in the documentation below. I used
LBE from a Windows box with the Sun Java runtime installed - works just
fine.
Tarun
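The bind in the debug above dies before any LDAP traffic flows ("could not set LDAP_OPT_X_TLS option" followed by "Can't contact LDAP server"), and Tarun's reply points at the Windows root CA PEM file. The script below is an added example, not part of this thread, for checking that CA file and the LDAPS path to the DC outside of FreeRADIUS: it assumes the OpenLDAP client tools and openssl are installed on the FreeRADIUS box, and the host, bind DN and base DN come from the posted radiusd.conf. The first check matters because OpenLDAP's TLS_CACERT expects PEM, and the file in the posted ldap.conf is named cacertder.pem.

```shell
#!/bin/sh
# Added diagnostic for an rlm_ldap LDAPS bind failure (example, not from the thread).
# Usage: ldaps_check.sh CAFILE HOST BINDDN BASEDN [PORT]
# Assumes: ldapsearch (OpenLDAP client tools) and openssl are on the PATH.

# Classify a CA file by its leading bytes; prints "pem", "der" or "unknown".
ca_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo pem
    elif [ "$(od -An -N1 -tx1 "$1" 2>/dev/null | tr -d ' ')" = "30" ]; then
        echo der      # a DER certificate starts with an ASN.1 SEQUENCE tag (0x30)
    else
        echo unknown
    fi
}

# Make sure we hand OpenLDAP a PEM file; converts DER on the fly. Prints the PEM path.
ca_to_pem() {
    case "$(ca_format "$1")" in
        pem) echo "$1" ;;
        der) openssl x509 -inform DER -in "$1" -out "$1.pem" && echo "$1.pem" ;;
        *)   echo "unrecognised CA file: $1" >&2; return 1 ;;
    esac
}

# Step 1: raw TLS handshake to the DC, verified against the CA.
# "Verify return code: 0 (ok)" means this CA file really signs the DC's chain.
tls_handshake() {   # host port cafile
    openssl s_client -connect "$1:$2" -CAfile "$3" </dev/null 2>&1 \
        | grep -E 'Verify return code|subject=|issuer='
}

# Step 2: a verified simple bind over ldaps://, the same thing rlm_ldap attempts.
# LDAPTLS_REQCERT=demand fails loudly on a certificate problem instead of hiding it.
ldaps_bind() {      # host port cafile binddn basedn
    LDAPTLS_CACERT="$3" LDAPTLS_REQCERT=demand \
    ldapsearch -H "ldaps://$1:$2" -x -D "$4" -W -b "$5" -s base '(objectClass=*)' dn
}

if [ "$#" -ge 4 ]; then
    pem=$(ca_to_pem "$1") || exit 1
    tls_handshake "$2" "${5:-636}" "$pem"
    ldaps_bind "$2" "${5:-636}" "$pem" "$3" "$4"
fi
```

If step 1 verifies but the bind in step 2 fails, the problem is on the LDAP side (credentials or bind DN); if step 1 already fails, FreeRADIUS will never get past the TLS setup either.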