Steve

Have a look at the following trace extract (for a successful rlm_ldap LDAPS connection to AD):
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to somedc.somecompany.com:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: bind as cn=lookup,ou=something,dc=somecompany,dc=com/password to somedc.somecompany.com:636
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP somedc.somecompany.com:636
ldap_new_socket: 6
ldap_prepare_socket: 6
ldap_connect_to_host: Trying 10.1.1.3:636
ldap_connect_timeout: fd: 6 tm: 5 async: 0
ldap_ndelay_on: 6
ldap_is_sock_ready: 6
ldap_ndelay_off: 6
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /[EMAIL PROTECTED]/C=xx/ST=xx/L=xx/O=xx/OU=xx/CN=rootcadc.somecompany.com, issuer: /[EMAIL PROTECTED]/C=xx/ST=xx/L=xx/O=xx/OU=xx/CN=rootcadc.somecompany.com
TLS certificate verification: depth: 0, err: 0, subject: /[EMAIL PROTECTED]/C=xx/ST=xx/L=xx/O=xx/OU=xx/CN=somedc.somecompany.com, issuer: /[EMAIL PROTECTED]/C=xx/ST=xx/L=xx/O=xx/OU=xx/CN=rootcadc.somecompany.com
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
ldap_open_defconn: successful
ldap_send_server_request
rlm_ldap: waiting for bind result ...

The TLS setup involves verification of the root certificate and the server cert (the depth 1 and depth 0 above). This is not seen in your trace and is probably not being done at all. Permissions?
Check the permissions on your root CA cert and the directory hierarchy it is in; check the ldap.conf file permissions and its directory hierarchy. If you look at the current CVS rlm_ldap source, you can see that you can set the tls_cacertfile, tls_cacertdir and other options in radiusd.conf as well. You could try that and thus eliminate permissions/config of openldap/ldap.conf altogether. I'm afraid you will have to work through this the hard way: trial and error, eliminating possibilities one by one.

Tarun

-----Original Message-----
From: Steve OBrien [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 23 March 2004 11:00 AM
To: [EMAIL PROTECTED]
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD

OK, I got it going here too; just some login syntax issues with the LDAP browser. Now I can log in with SSL there but am still getting errors with the freeradius radtest. On a side note, radtest is now working with an identical radiusd.conf without SSL. To roll this out I need SSL to work. Here's the debug:

Thanks again for all your help!!
rad_recv: Access-Request packet from host 127.0.0.1:49066, id=128, length=56
        User-Name = "test"
        User-Password = "test"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "eap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "test", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
    users: Matched DEFAULT at 152
  modcall[authorize]: module "files" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
modcall: group authorize returns ok for request 0
  rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "test" with password "test"
radius_xlat: '(SamAccountName=test)'
radius_xlat: 'dc=ci,dc=bend,dc=or,dc=us'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to cityhalldc1.ci.bend.or.us:636, authentication 0
rlm_ldap: setting TLS mode to 1
ldap_err2string
rlm_ldap: could not set LDAP_OPT_X_TLS option Success
rlm_ldap: bind as cn=freeradius,cn=users,dc=ci,dc=bend,dc=or,dc=us/freerad1us to cityhalldc1.ci.bend.or.us:636
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP cityhalldc1.ci.bend.or.us:636
ldap_new_socket: 7
ldap_prepare_socket: 7
ldap_connect_to_host: Trying 192.168.19.40:636
ldap_connect_timeout: fd: 7 tm: 5 async: 0
ldap_ndelay_on: 7
ldap_is_sock_ready: 7
ldap_ndelay_off: 7
ldap_open_defconn: successful
ldap_send_server_request
rlm_ldap: waiting for bind result ...
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (timeout 10 sec, 0 usec), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: cityhalldc1.ci.bend.or.us  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Mon Mar 22 15:55:54 2004
** Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 1
ber_get_next failed.
rlm_ldap: ldap_result()
ldap_err2string
rlm_ldap: cn=freeradius,cn=users,dc=ci,dc=bend,dc=or,dc=us bind to cityhalldc1.ci.bend.or.us:636 failed: Can't contact LDAP server
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_send_unbind
ldap_free_connection: actually freed
rlm_ldap: (re)connection attempt failed
ldap_release_conn: Release Id: 0
  modcall[authenticate]: module "ldap" returns fail for request 0
modcall: group Auth-Type returns fail for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 128 to 127.0.0.1:49066
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 128 with timestamp 405f7d0a
Nothing to do.  Sleeping until we see a request.
Here's ldap.conf:

[snip]
# Active Directory SSL options
ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
tls_checkpeer no

# CA certificates for server certificate verification
TLS_CACERT /usr/local/ssl/certs/cacertder.pem
[snip]

Here's radiusd.conf:

[snip]
ldap {
        server = "cityhalldc1.ci.bend.or.us"
        port = 636
        identity = "cn=freeradius,cn=users,dc=ci,dc=bend,dc=or,dc=us"
        password = freerad1us
        basedn = "dc=ci,dc=bend,dc=or,dc=us"
        #filter = "(cn=%u)"
        #filter = "(sAMAccountName=%u)"
        filter = "(SamAccountName=%{Stripped-User-Name:-%{User-Name}})"
        #filter = "(&(SamAccountName=%{Stripped-User-Name:-%{User-Name}})(memberOf=cn=RemoteUser,cn=Users,dc=ci,dc=bend,dc=or,dc=us))"

        # set this to 'yes' to use TLS encrypted connections
        # to the LDAP database.
        start_tls = no
        #tls_mode = no

        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${raddbdir}/ldap.attrmap

        # ldap_cache_timeout = 120
        # ldap_cache_size = 0
        ldap_connections_number = 10
        #groupname_attribute = cn
        #groupmembership_filter = "(&(objectClass=Group)(member=%{Ldap-UserDn}))"
        timeout = 10
        timelimit = 10
        net_timeout = 5
        ldap_debug = 0xFFFF
        ldap_debug = 0x0001
        compare_check_items = yes
        access_attr_used_for_allow = no
}
[snip]

"Tarun Bhushan" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
03/22/2004 02:26 PM
Please respond to [EMAIL PROTECTED]
To: <[EMAIL PROTECTED]>
cc:
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD

Steve

What you need is the Windows root CA cert that you placed on to the FreeRadius box. Use the same PEM file as input on the box you are executing the LDAP Browser/Editor (LBE) from; this is the c:\temp\somedc.ca.pem file I refer to in the documentation below. I used LBE from a Windows box with the Sun Java runtime installed; works just fine.

Tarun
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

