Hi Pat,
3269 is Global Catalog over TLS, changing that to 636 will change the behaviour 
as you need a BaseDN and won't be able to authenticate users of trusted domains 
any more, so don't do that.
Instead raise the Radiator log level or do a packet capture and look at it in 
wireshark to see what happens, my guess is the TLS handshake.

The domain controllers might not send the whole certificate chain with all 
intermediate certs or you don't have the root CA in the trusted CA file 
/etc/ssl/certs/ca.pem.

Best regards, Alex
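One way to carry out the check Alex suggests (see what the domain controller presents during the TLS handshake on 3269 and whether the configured CA file can verify it), as an added example that is not part of this thread and not Radiator's own tooling: a small POSIX shell script around `openssl s_client`. The DC names and the CA file path are the ones from Pat's config; the two sample transcripts are constructed for offline demonstration and their PEM bodies are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: probe a DC's Global Catalog TLS port
# (3269) and classify what OpenSSL reports about the certificate chain.
# Assumes the openssl CLI is installed; DC names and CA path come from
# Pat's Radiator config.

# Live probe: full handshake against host:3269, verifying against the CA
# bundle Radiator uses. -showcerts prints every certificate the DC sends,
# so a missing intermediate becomes visible. stdin is /dev/null so
# s_client exits after the handshake instead of waiting for input.
probe_gc_tls() {
    host=$1
    cafile=$2
    openssl s_client -connect "$host:3269" -servername "$host" \
        -CAfile "$cafile" -showcerts </dev/null 2>&1
}

# Classify an s_client transcript passed as one string. Prints:
#   <verify return code> <number of certs the server sent> <diagnosis>
classify_verify() {
    transcript=$1
    code=$(printf '%s\n' "$transcript" \
        | sed -n 's/^Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1)
    sent=$(printf '%s\n' "$transcript" | grep -c 'BEGIN CERTIFICATE' || true)
    case "$code" in
        '')  diag=no-handshake ;;      # no verify line: TCP/TLS never completed
        0)   diag=ok ;;
        21)  diag=chain-incomplete ;;  # only the leaf was sent, issuer unknown
        19)  diag=root-untrusted ;;    # self-signed root in chain, not in CA file
        2|20)                          # issuer not found: depends on what was sent
            if [ "$sent" -eq 1 ]; then
                diag=chain-incomplete  # DC sent no intermediates
            else
                diag=root-untrusted    # chain sent, but its root is not in CA file
            fi ;;
        *)   diag=other ;;             # expiry, name mismatch, etc.
    esac
    printf '%s %s %s\n' "${code:-none}" "$sent" "$diag"
}

# Probe and classify in one step.
diagnose_dc() {
    classify_verify "$(probe_gc_tls "$1" "$2")"
}

# Constructed sample transcripts (trimmed; PEM bodies are placeholders).
SAMPLE_LEAF_ONLY='CONNECTED(00000003)
depth=0 CN = DC1.domain.tld
verify error:num=21:unable to verify the first certificate
---
Certificate chain
 0 s:CN = DC1.domain.tld
   i:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
---
Verify return code: 21 (unable to verify the first certificate)
---'

SAMPLE_UNTRUSTED_ROOT='CONNECTED(00000003)
depth=1 CN = Example Issuing CA
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:CN = DC1.domain.tld
   i:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
 1 s:CN = Example Issuing CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
---
Verify return code: 20 (unable to get local issuer certificate)
---'

# Offline demonstration on the constructed samples.
classify_verify "$SAMPLE_LEAF_ONLY"        # 21 1 chain-incomplete
classify_verify "$SAMPLE_UNTRUSTED_ROOT"   # 20 2 root-untrusted

# Live use against a DC from the config:
#   sh probe.sh DC1.domain.tld /etc/ssl/certs/ca.pem
if [ "$#" -eq 2 ]; then
    diagnose_dc "$1" "$2"
fi
```

`chain-incomplete` points at the DC not sending its intermediate CA (or the CA file lacking it); `root-untrusted` points at the root CA missing from /etc/ssl/certs/ca.pem; `no-handshake` means the failure is before TLS verification (firewall, port, or a handshake abort), which is where a packet capture helps.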

________________________________
From: radiator <[email protected]> on behalf of Patrik Forsberg <[email protected]>
Sent: Monday, 18 January 2021 08:57
To: [email protected] <[email protected]>
Subject: Re: [RADIATOR] ERR: AuthLDAP2 Could not open LDAP connection to AD domain controllers

Hello,

Try using port 389 for non-ssl or 636 for ssl - even if the server is DC atm.

---

Best Regards,

Patrik


From: radiator <[email protected]> On Behalf Of Hirayama, Pat
Sent: den 16 januari 2021 00:56
To: [email protected]
Subject: [RADIATOR] ERR: AuthLDAP2 Could not open LDAP connection to AD domain controllers

Greetings,

I am currently trying to migrate an existing Radiator 4.12.1 running on CentOS 
6.10 to Radiator 4.25 running on Ubuntu 20.04.1 LTS. I am running into an issue 
where Radiator 4.25 is unable to connect via LDAP to my domain controllers.  
The log shows (DC names changed):

00000000 Fri Jan 15 15:26:35 2021 089445: INFO: AuthLDAP2 Connecting to DC1.domain.tld port 3269
00000000 Fri Jan 15 15:26:35 2021 124694: ERR: AuthLDAP2 Could not open LDAP connection to DC1.domain.tld port 3269. Backing off for 10 seconds.
00000000 Fri Jan 15 15:26:35 2021 124845: INFO: AuthLDAP2 Connecting to DC2.domain.tld port 3269
00000000 Fri Jan 15 15:26:35 2021 125576: ERR: AuthLDAP2 Could not open LDAP connection to DC2.domain.tld port 3269. Backing off for 10 seconds.
00000000 Fri Jan 15 15:26:35 2021 125720: INFO: AuthLDAP2 Connecting to DC3.domain.tld port 3269
00000000 Fri Jan 15 15:26:35 2021 126451: ERR: AuthLDAP2 Could not open LDAP connection to DC3.domain.tld port 3269. Backing off for 10 seconds.

My new <AuthBy LDAP2> stanza (again anonymized):

<Handler Client-Identifier=webvpn-test-servers>
        RejectHasReason

        #AuthLog webvpn-authlog
        # Handle test users
        <AuthBy LDAP2>
                Host DC1.domain.tld DC2.domain.tld DC3.domain.tld

                SSLVerify none
                include /etc/radiator/ssl.txt
                UseSSL
                Port 3269
                AuthDN XXXXXXXXXXXXXXXX
                AuthPassword XXXXXXXXX
                CachePasswords
                FailureBackoffTime 10
                #BaseDN XXXXXXXXXXXX
                UsernameAttr sAMAccountName
                Debug 255
                ServerChecksPassword
                #HoldServerConnection
                # removing filter for privacy -- besides, we aren't getting that far
                SearchFilter (&(%0=%1)(|(memberOf=XXX))
        </AuthBy>
</Handler>

/etc/radiator/ssl.txt (anonymized):

SSLCAClientCert /etc/ssl/certs/server.pem
SSLCAClientKey /etc/ssl/private/server.key
SSLCAFile /etc/ssl/certs/ca.pem

Aside from the lines that have been commented out above -- I have tried 
modifying SSLCiphers from default mostly because someone mentioned that they 
were running under a newer version of OpenSSL that protected against weak 
Diffie Hellman keys (to prevent LogJam attack).  That didn't seem to help.  I 
have Trace running at 5 and Debug at 255.

Any help would be appreciated.

Thanks!

                   -p

--
Pat Hirayama
Systems Engineer | CIT / Systems Engineering | 206.667.4856 | 
[email protected]<mailto:[email protected]> | Fred Hutch | Cures 
Start Here
_______________________________________________
radiator mailing list
[email protected]
https://lists.open.com.au/mailman/listinfo/radiator
