Hmm, I don't get any TLS TRACE messages in my debug.  Do we have the same debug tls settings?
ldap_debug = 0xFFFF
ldap_debug = 0x0001
ldap_debug = 0x0028
start_tls = no
 tls_cacertfile = /usr/local/etc/openldap/cacertder.pem
 tls_cacertdir = /usr/local/etc/openldap/demoCA
  #tls_mode = no

"Tarun Bhushan" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]

03/22/2004 05:30 PM

Please respond to
[EMAIL PROTECTED]

To
<[EMAIL PROTECTED]>
cc
Subject
RE: Using freeradius to authenticate users to a Windows 2000 AD

Steve

Have a look at the following trace extract (for a successful rlm_ldap
LDAPS connection to AD):

rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to somedc.somecompany.com:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: bind as cn=lookup,ou=something,dc=somecompany,dc=com/password
to somedc.somecompany.com:636
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP somedc.somecompany.com:636
ldap_new_socket: 6
ldap_prepare_socket: 6
ldap_connect_to_host: Trying 10.1.1.3:636
ldap_connect_timeout: fd: 6 tm: 5 async: 0
ldap_ndelay_on: 6
ldap_is_sock_ready: 6
ldap_ndelay_off: 6
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /[EMAIL PROTECTED]/C=xx/ST=xx/L=xx/O=xx/OU=xx/CN=rootcadc.somecompany.com, issuer: /[EMAIL PROTECTED]/C=xx/ST=xx/L=xx/O=xx/OU=xx/CN=rootcadc.somecompany.com
TLS certificate verification: depth: 0, err: 0, subject: /[EMAIL PROTECTED]/C=xx/ST=xx/L=xx/O=xx/OU=xx/CN=somedc.somecompany.com, issuer: /[EMAIL PROTECTED]/C=xx/ST=xx/L=xx/O=xx/OU=xx/CN=rootcadc.somecompany.com
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
ldap_open_defconn: successful
ldap_send_server_request
rlm_ldap: waiting for bind result ...

The TLS setup involves verification of the root certificate and the
server cert (the depth 1 and depth 0 above). This is not seen in your
trace and is probably not being done at all. Permissions? Check the
permissions on your root CA cert and the directory hierarchy it is in,
and check the ldap.conf file permissions and its directory hierarchy.

If you look at the current CVS rlm_ldap source, you can see that you can
set the tls_cacertfile, tls_cacertdir and other options in radiusd.conf
as well. You could try that and thus eliminate permissions/config of
openldap/ldap.conf altogether. I'm afraid you will have to work through
this the hard way - trial and error, eliminating possibilities one by
one.

Tarun
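A small diagnostic for the difference Tarun points out between the two traces, added here as an example (it is not code from the thread or from FreeRADIUS): it scans an rlm_ldap debug trace for the SSL_connect lines, the depth 1 / depth 0 certificate verification lines and the LDAP_OPT_X_TLS error, and returns a verdict. The two sample traces are constructed with placeholder hostnames and DNs.

```python
import re

# Constructed sample extracts, modelled on the rlm_ldap/OpenLDAP debug traces in this thread.
GOOD_TRACE = """\
rlm_ldap: setting TLS mode to 1
TLS trace: SSL_connect:before/connect initialization
TLS certificate verification: depth: 1, err: 0, subject: /CN=rootca.example.test, issuer: /CN=rootca.example.test
TLS certificate verification: depth: 0, err: 0, subject: /CN=dc.example.test, issuer: /CN=rootca.example.test
TLS trace: SSL_connect:SSLv3 read finished A
"""

BAD_TRACE = """\
rlm_ldap: setting TLS mode to 1
rlm_ldap: could not set LDAP_OPT_X_TLS option Success
ber_get_next failed.
rlm_ldap: cn=svc,dc=example,dc=test bind to dc.example.test:636 failed: Can't contact LDAP server
"""

VERIFY_RE = re.compile(r"^TLS certificate verification: depth: (\d+), err: (\d+)")


def diagnose_ldaps_trace(trace: str) -> dict:
    # tls_option_error: rlm_ldap failed to set LDAP_OPT_X_TLS; handshake_seen: any SSL_connect line;
    # verified_depths: chain depth -> OpenSSL verify error (0 = ok); bind_failed: a "bind to ... failed" line.
    r = {"tls_option_error": False, "handshake_seen": False, "verified_depths": {}, "bind_failed": False}
    for line in trace.splitlines():
        if "could not set LDAP_OPT_X_TLS" in line:
            r["tls_option_error"] = True
        elif line.startswith("TLS trace: SSL_connect"):
            r["handshake_seen"] = True
        elif m := VERIFY_RE.match(line):
            r["verified_depths"][int(m.group(1))] = int(m.group(2))
        elif " bind to " in line and " failed: " in line:
            r["bind_failed"] = True

    failed_depths = [d for d, err in r["verified_depths"].items() if err != 0]
    if r["tls_option_error"]:
        r["verdict"] = "tls-not-set"       # TLS never enabled on the handle: check tls_* options and CA file access
    elif not r["handshake_seen"]:
        r["verdict"] = "no-handshake"      # no SSL_connect trace at all for the port 636 connection
    elif failed_depths:
        r["verdict"] = "verify-failed"     # a certificate in the chain was rejected (see depth/err)
    elif 0 not in r["verified_depths"]:
        r["verdict"] = "server-cert-unverified"  # handshake started but the server cert (depth 0) was never checked
    elif r["bind_failed"]:
        r["verdict"] = "bind-failed"       # TLS is fine; the problem is the bind DN or password
    else:
        r["verdict"] = "tls-ok"
    return r
```

Run it over the output of `radiusd -X` with `ldap_debug` set as in the thread; a "tls-not-set" or "no-handshake" verdict means the permission and tls_* checks above apply before looking at credentials.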

-----Original Message-----
From: Steve OBrien [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 23 March 2004 11:00 AM
To: [EMAIL PROTECTED]
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD



OK I got it going here too, just some login syntax issues with the
ldapbrowser.  Now I can login with ssl there but am still getting errors
with freeradius radtest.  On a side note radtest is now working with
identical radiusd.conf without ssl.  To roll this out I need SSL to
work.  Here's Debug:
Thanks again for all your help!!

rad_recv: Access-Request packet from host 127.0.0.1:49066, id=128,
length=56
       User-Name = "test"
       User-Password = "test"
       NAS-IP-Address = 255.255.255.255
       NAS-Port = 1
modcall: entering group authorize for request 0
 modcall[authorize]: module "preprocess" returns ok for request 0
 modcall[authorize]: module "chap" returns noop for request 0
 modcall[authorize]: module "eap" returns noop for request 0
   rlm_realm: No '@' in User-Name = "test", looking up realm NULL
   rlm_realm: No such realm "NULL"
 modcall[authorize]: module "suffix" returns noop for request 0
   users: Matched DEFAULT at 152
 modcall[authorize]: module "files" returns ok for request 0
 modcall[authorize]: module "mschap" returns noop for request 0
modcall: group authorize returns ok for request 0
 rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "test" with password "test"
radius_xlat:  '(SamAccountName=test)'
radius_xlat:  'dc=ci,dc=bend,dc=or,dc=us'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to cityhalldc1.ci.bend.or.us:636, authentication 0

rlm_ldap: setting TLS mode to 1
ldap_err2string
rlm_ldap: could not set LDAP_OPT_X_TLS option Success
rlm_ldap: bind as
cn=freeradius,cn=users,dc=ci,dc=bend,dc=or,dc=us/freerad1us to
cityhalldc1.ci.bend.or.us:636
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP cityhalldc1.ci.bend.or.us:636
ldap_new_socket: 7
ldap_prepare_socket: 7
ldap_connect_to_host: Trying 192.168.19.40:636
ldap_connect_timeout: fd: 7 tm: 5 async: 0
ldap_ndelay_on: 7
ldap_is_sock_ready: 7
ldap_ndelay_off: 7
ldap_open_defconn: successful
ldap_send_server_request
rlm_ldap: waiting for bind result ...
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (timeout 10 sec, 0 usec), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: cityhalldc1.ci.bend.or.us  port: 636  (default)
 refcnt: 2  status: Connected
 last used: Mon Mar 22 15:55:54 2004

** Outstanding Requests:
* msgid 1,  origid 1, status InProgress
  outstanding referrals 0, parent count 0
** Response Queue:
  Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 1
ber_get_next failed.
rlm_ldap: ldap_result()
ldap_err2string
rlm_ldap: cn=freeradius,cn=users,dc=ci,dc=bend,dc=or,dc=us bind to
cityhalldc1.ci.bend.or.us:636 failed: Can't contact LDAP server
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_send_unbind
ldap_free_connection: actually freed
rlm_ldap: (re)connection attempt failed
ldap_release_conn: Release Id: 0
 modcall[authenticate]: module "ldap" returns fail for request 0
modcall: group Auth-Type returns fail for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 128 to 127.0.0.1:49066
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 128 with timestamp 405f7d0a
Nothing to do.  Sleeping until we see a request.

Here's ldap.conf:

[snip]
# Active Directory SSL options
ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
tls_checkpeer no

# CA certificates for server certificate verification
TLS_CACERT /usr/local/ssl/certs/cacertder.pem

[snip]

Here's radiusd.conf:

[snip]
ldap {
               server = "cityhalldc1.ci.bend.or.us"
               port = 636
               identity =
"cn=freeradius,cn=users,dc=ci,dc=bend,dc=or,dc=us"
               password = freerad1us
               basedn = "dc=ci,dc=bend,dc=or,dc=us"
               #filter = "(cn=%u)"
               #filter = "(sAMAccountName=%u)"
               filter =
"(SamAccountName=%{Stripped-User-Name:-%{User-Name}})"
               #filter =
"(&(SamAccountName=%{Stripped-User-Name:-%{User-Name}}
)(memberOf=cn=RemoteUser,cn=Users,dc=ci,dc=bend,dc=or,dc=us))"
               # set this to 'yes' to use TLS encrypted connections
               # to the LDAP database.
               start_tls = no
               #tls_mode = no

               # Mapping of RADIUS dictionary attributes to LDAP
               # directory attributes.
               dictionary_mapping = ${raddbdir}/ldap.attrmap

               # ldap_cache_timeout = 120
               # ldap_cache_size = 0
               ldap_connections_number = 10
               #groupname_attribute = cn
               #groupmembership_filter =
"(&(objectClass=Group)(member=%{Ldap-U
serDn}))"
               timeout = 10
               timelimit = 10
               net_timeout = 5
               ldap_debug = 0xFFFF
               ldap_debug = 0x0001
               compare_check_items = yes
               access_attr_used_for_allow = no
       }

[snip]


"Tarun Bhushan" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]

03/22/2004 02:26 PM

Please respond to
[EMAIL PROTECTED]

To
<[EMAIL PROTECTED]>
cc
Subject
RE: Using freeradius to authenticate users to a Windows 2000 AD

Steve

What you need is the Windows root CA cert that you placed on to the
FreeRadius box. Use the same PEM file as input on the box you are
executing the LDAP/Browser/Editor (LBE) from - this is the
c:\temp\somedc.ca.pem file I refer to in the documentation below. I used
LBE from a Windows box with the Sun Java run time installed - works just
fine.

Tarun



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html