OK, I got it. I just needed to set up a hash link for my CA cert. Thanks again for all the help!!!
Steve OBrien <[EMAIL PROTECTED]>, sent by [EMAIL PROTECTED] on 03/25/2004 09:03 AM, wrote:
OK Tarun, I have rebuilt my system and am getting closer. I at least get some SSL stuff in there. Any ideas:
rad_recv: Access-Request packet from host 127.0.0.1:33157, id=172, length=56
User-Name = "test"
User-Password = "test"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "eap" returns noop for request 0
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
users: Matched DEFAULT at 152
modcall[authorize]: module "files" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type ldap
auth: type "LDAP"
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "test" with password "test"
radius_xlat: '(SamAccountName=test)'
radius_xlat: 'dc=ci,dc=bend,dc=or,dc=us'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to cityhalldc1.ci.bend.or.us:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: bind as cn=freeradius,cn=users,dc=ci,dc=bend,dc=or,dc=us/freerad1us to cityhalldc1.ci.bend.or.us:636
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP cityhalldc1.ci.bend.or.us:636
ldap_new_socket: 7
ldap_prepare_socket: 7
ldap_connect_to_host: Trying 192.168.19.40:636
ldap_connect_timeout: fd: 7 tm: 5 async: 0
ldap_ndelay_on: 7
ldap_is_sock_ready: 7
ldap_ndelay_off: 7
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /CN=cityhalldc1.ci.bend.or.us, issuer: /[EMAIL PROTECTED]/C=US/ST=OR/L=Bend/O=City of Bend/CN=City of Bend
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_err2string
rlm_ldap: cn=freeradius,cn=users,dc=ci,dc=bend,dc=or,dc=us bind to cityhalldc1.ci.bend.or.us:636 failed: Can't contact LDAP server
rlm_ldap: (re)connection attempt failed
ldap_release_conn: Release Id: 0
modcall[authenticate]: module "ldap" returns fail for request 0
modcall: group Auth-Type returns fail for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
"Tarun Bhushan" <[EMAIL PROTECTED]>, sent by [EMAIL PROTECTED] on 03/23/2004 03:16 PM, wrote:
Steve
You only need one of these:
ldap_debug = 0xFFFF
ldap_debug = 0x0001
ldap_debug = 0x0028
The 0xFFFF covers all the others. I have no other special TLS debug set
- I just set it to 0x0001 normally, and 0xFFFF when more detail is
needed, but TLS debug is available on either, IIRC.
Also, only one of the other two is required:
tls_cacertfile = /usr/local/etc/openldap/cacertder.pem
tls_cacertdir = /usr/local/etc/openldap/demoCA
The above are conflicting as the cert file is not in the demoCA
directory indicated.
Tarun
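An added example, not from this thread or from the FreeRADIUS project, showing what the two pieces of advice above amount to at the OpenSSL level: the "err: 20 / unable to get local issuer certificate" in the debug output means the CA that signed the LDAP server's certificate is not in the trust store rlm_ldap hands to OpenSSL, and the fix is either a PEM file (tls_cacertfile) or a directory of hash-named links (tls_cacertdir), which is the "hash link" mentioned at the top of the thread. The script assumes an openssl binary on PATH; the CA name, the server name dc1.example.test and all paths are made up for the example, and the PKI it builds is a throwaway.

```shell
#!/bin/sh
# Added example (not part of the thread): reproduce X509 error 20 with a
# throwaway CA and fix it the two ways a tls_cacertfile / tls_cacertdir
# setting can point OpenSSL at the CA.  Requires openssl on PATH.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CAFILE="$WORK/ca.pem"        # what tls_cacertfile would point at
CAPATH="$WORK/cacerts"       # what tls_cacertdir would point at

# 1. Throwaway root CA and an LDAP server certificate signed by it.
#    Subject names are invented for the example.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/ca.key" -out "$CAFILE" \
        -subj "/O=Example/CN=Example Root CA" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" \
        -subj "/CN=dc1.example.test" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/srv.csr" \
        -CA "$CAFILE" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/srv.pem" >/dev/null 2>&1
}

# 2. The "hash link": with a CApath, OpenSSL does not read ca.pem by name, it
#    opens <subject_hash>.0 and follows that.  Links for both the current
#    (-subject_hash) and the pre-1.0.0 (-subject_hash_old) algorithms cover
#    either OpenSSL generation; `openssl rehash` / c_rehash automate the same.
make_hash_links() {
    mkdir -p "$CAPATH"
    for opt in -subject_hash -subject_hash_old; do
        h=$(openssl x509 -noout "$opt" -in "$CAFILE" 2>/dev/null) || continue
        ln -sf "$CAFILE" "$CAPATH/$h.0"
    done
    ls "$CAPATH"
}

# 3. Run the same chain check TLS does and reduce the output to one line.
verify_result() {   # $1: extra arguments for `openssl verify`
    out=$(openssl verify $1 "$WORK/srv.pem" 2>&1) || :
    case "$out" in
        *": OK"*) echo OK ;;
        *"unable to get local issuer certificate"*)
            echo "error 20: unable to get local issuer certificate" ;;
        *) echo "other: $out" ;;
    esac
}
verify_untrusted()   { verify_result "-CApath $WORK/empty"; }  # CA not in store
verify_with_cafile() { verify_result "-CAfile $CAFILE"; }      # tls_cacertfile style
verify_with_capath() { verify_result "-CApath $CAPATH"; }      # tls_cacertdir style

make_test_pki
mkdir -p "$WORK/empty"
make_hash_links
echo "no CA in store:  $(verify_untrusted)"
echo "tls_cacertfile:  $(verify_with_cafile)"
echo "tls_cacertdir:   $(verify_with_capath)"

# Matching rlm_ldap settings (use one, not both):
#   tls_cacertfile = /path/to/ca.pem       # the PEM file
#   tls_cacertdir  = /path/to/cacerts      # the directory of <hash>.0 links
# Against the real server the same check is:
#   openssl s_client -connect ldap.host:636 -CApath /path/to/cacerts
```

The first verification fails with the same error 20 the rlm_ldap TLS trace reports; the other two succeed. The hash-link directory is what "setting up a hash link" means: a CA file dropped into tls_cacertdir under its own name is never found.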
-----Original Message-----
From: Steve OBrien [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 24 March 2004 2:56 AM
To: [EMAIL PROTECTED]
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD
Hmm, I don't get any TLS TRACE messages in my debug. Do we have the
same debug tls settings?
ldap_debug = 0xFFFF
ldap_debug = 0x0001
ldap_debug = 0x0028
start_tls = no
tls_cacertfile = /usr/local/etc/openldap/cacertder.pem
tls_cacertdir = /usr/local/etc/openldap/demoCA
#tls_mode = no
NOTICE
This e-mail and any attachments are confidential and may contain copyright material of Macquarie Bank or third parties. If you are not the intended recipient of this email you should not read, print, re-transmit, store or act in reliance on this e-mail or any attachments, and should destroy all copies of them. Macquarie Bank does not guarantee the integrity of any emails or any attached files. The views or opinions expressed are the author's own and may not reflect the views or opinions of Macquarie Bank.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

