Thank you, Alex & Patrik.
So, I did try switching to 636 -- no difference.
Packet captures show that there is no communication between Radiator and the
domain controllers. On the other hand, I can run ldapsearch on the Radiator
server using the same credentials and the search returns results -- so I'm
concluding that I don't have a firewall issue.
If I switch UseSSL to UseTLS, there is some traffic captured, but the
connection still fails to be established.
00000000 Tue Jan 19 16:06:23 2021 004194: INFO: AuthLDAP2 Connecting to
xxx.domain.tld port 3269
00000000 Tue Jan 19 16:06:23 2021 007698: DEBUG: AuthLDAP2 Starting TLS to
xxx.domain.tld port 3269
00000000 Tue Jan 19 16:06:23 2021 050385: ERR: AuthLDAP2 StartTLS with
xxx.domain.tld port 3269 failed: I/O Error Connection reset by peer
00000000 Tue Jan 19 16:06:23 2021 050556: ERR: AuthLDAP2 Could not open LDAP
connection to xxx.domain.tld port 3269. Backing off for 9 seconds.
Logging is already at max -- that hasn't revealed anything new.
Thanks!
-p
--
Pat Hirayama
Systems Engineer | CIT / Systems Engineering | 206.667.4856 | [email protected] | Fred Hutch | Cures Start Here
________________________________
From: radiator <[email protected]> on behalf of
[email protected] <[email protected]>
Sent: Monday, January 18, 2021 00:51
To: [email protected] <[email protected]>
Subject: Re: [RADIATOR] ERR: AuthLDAP2 Could not open LDAP connection to AD
domain controllers
Hi Pat,
3269 is Global Catalog over TLS, changing that to 636 will change the behaviour
as you need a BaseDN and won't be able to authenticate users of trusted domains
any more, so don't do that.
Instead raise the Radiator log level or do a packet capture and look at it in
wireshark to see what happens, my guess is the TLS handshake.
The domain controllers might not send the whole certificate chain with all
intermediate certs or you don't have the root CA in the trusted CA file
/etc/ssl/certs/ca.pem.
Best regards, Alex
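An added example (not from the thread or from Radiator) of the handshake check Alex suggests: run from the Radiator host with openssl s_client against the CA file the config points at, it reports how many certificates the DC sends and whether the chain verifies. Host, port and the CA path are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): inspect the TLS handshake an LDAPS
# endpoint (e.g. a Global Catalog on port 3269) offers, verified against the
# CA file the Radiator config references. Host, port, CA path are placeholders.

# Reduce an `openssl s_client -showcerts` transcript (stdin) to two fields:
# number of certificates the server sent, and OpenSSL's verify return code
# (0 = chain validated against the CA file; "none" = no handshake result seen).
chain_summary() {
    awk '
        /^-----BEGIN CERTIFICATE-----/ { n++ }
        /Verify return code:/ { sub(/.*Verify return code: */, ""); code = $1 }
        END { printf "%d %s\n", n + 0, (code == "" ? "none" : code) }
    '
}

# Map the summary to the two causes Alex names: a server that sends only its
# own certificate (no intermediates), or a CA file that lacks the issuer.
explain() {
    certs=$1; code=$2
    case "$code" in
        0)    echo "chain verified ($certs cert(s) sent)" ;;
        21)   echo "unable to verify first certificate: server sent $certs cert(s), intermediate(s) probably missing" ;;
        2|20) echo "issuer not found: root (or intermediate) CA is not in the CA file" ;;
        none) echo "no handshake result: connection refused or reset before TLS completed" ;;
        *)    echo "verify failed with OpenSSL code $code" ;;
    esac
}

# Perform the real check; </dev/null makes s_client exit after the handshake.
check_ldaps() {
    host=$1; port=${2:-3269}; cafile=${3:-/etc/ssl/certs/ca.pem}
    summary=$(openssl s_client -connect "$host:$port" -servername "$host" \
                  -CAfile "$cafile" -showcerts </dev/null 2>/dev/null | chain_summary)
    explain $summary
}

# usage: sh check_ldaps.sh DC1.domain.tld 3269 /etc/ssl/certs/ca.pem
if [ $# -gt 0 ]; then check_ldaps "$@"; fi
```

Note that Pat's stanza sets SSLVerify none, so a chain problem reported here would not by itself explain a failure in that configuration; the transcript still shows what the DC sends and where the handshake stops.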
________________________________
From: radiator <[email protected]> on behalf of Patrik Forsberg <[email protected]>
Sent: Monday, 18 January 2021 08:57
To: [email protected] <[email protected]>
Subject: Re: [RADIATOR] ERR: AuthLDAP2 Could not open LDAP connection to AD domain controllers
Hello,
Try using port 389 for non-SSL or 636 for SSL - even if the server is a DC atm.
---
Best Regards,
Patrik
From: radiator <[email protected]> On Behalf Of Hirayama, Pat
Sent: den 16 januari 2021 00:56
To: [email protected]
Subject: [RADIATOR] ERR: AuthLDAP2 Could not open LDAP connection to AD domain
controllers
Greetings,
I am currently trying to migrate an existing Radiator 4.12.1 running on CentOS
6.10 to Radiator 4.25 running on Ubuntu 20.04.1 LTS. I am running into an issue
where Radiator 4.25 is unable to connect via LDAP to my domain controllers.
The log shows (DC names changed):
00000000 Fri Jan 15 15:26:35 2021 089445: INFO: AuthLDAP2 Connecting to
DC1.domain.tld port 3269
00000000 Fri Jan 15 15:26:35 2021 124694: ERR: AuthLDAP2 Could not open LDAP
connection to DC1.domain.tld port 3269. Backing off for 10 seconds.
00000000 Fri Jan 15 15:26:35 2021 124845: INFO: AuthLDAP2 Connecting to
DC2.domain.tld port 3269
00000000 Fri Jan 15 15:26:35 2021 125576: ERR: AuthLDAP2 Could not open LDAP
connection to DC2.domain.tld port 3269. Backing off for 10 seconds.
00000000 Fri Jan 15 15:26:35 2021 125720: INFO: AuthLDAP2 Connecting to
DC3.domain.tld port 3269
00000000 Fri Jan 15 15:26:35 2021 126451: ERR: AuthLDAP2 Could not open LDAP
connection to DC3.domain.tld port 3269. Backing off for 10 seconds.
My new <AuthBy LDAP2> stanza (again anonymized):
    <Handler Client-Identifier=webvpn-test-servers>
        RejectHasReason
        #AuthLog webvpn-authlog
        # Handle test users
        <AuthBy LDAP2>
            Host DC1.domain.tld DC2.domain.tld DC3.domain.tld
            SSLVerify none
            include /etc/radiator/ssl.txt
            UseSSL
            Port 3269
            AuthDN XXXXXXXXXXXXXXXX
            AuthPassword XXXXXXXXX
            CachePasswords
            FailureBackoffTime 10
            #BaseDN XXXXXXXXXXXX
            UsernameAttr sAMAccountName
            Debug 255
            ServerChecksPassword
            #HoldServerConnection
            SearchFilter (&(%0=%1)(|(memberOf=XXX)) # removing filter for privacy -- besides, we aren't getting that far
        </AuthBy>
    </Handler>
/etc/radiator/ssl.txt (anonymized):
    SSLCAClientCert /etc/ssl/certs/server.pem
    SSLCAClientKey /etc/ssl/private/server.key
    SSLCAFile /etc/ssl/certs/ca.pem
Aside from the lines that have been commented out above, I have tried
modifying SSLCiphers from the default, mostly because someone mentioned that they
were running under a newer version of OpenSSL that protected against weak
Diffie-Hellman keys (to prevent the Logjam attack). That didn't seem to help. I
have Trace running at 5 and Debug at 255.
Any help would be appreciated.
Thanks!
-p
--
Pat Hirayama
Systems Engineer | CIT / Systems Engineering | 206.667.4856 | [email protected] | Fred Hutch | Cures Start Here
_______________________________________________
radiator mailing list
[email protected]
https://lists.open.com.au/mailman/listinfo/radiator