Hi Karl,
thanks for your report.
We have now made the default for SSLCAFile an empty string, as you suggested.
Thanks again for all your contributions.
Cheers.
On Thu, 4 Jul 2002 02:55, Karl Gaissmaier wrote:
> Hi Mike,
>
> got the solution for the StartTLS problem with AuthLDAP2:
>
> Karl Gaissmaier schrieb:
> > Hi Mike or Hugh,
> >
> > I'd like to use AuthLDAP2 with StartTLS. I can't find any documentation
> > in the reference manual, but in the code I find the parameters.
> >
> > Anyway, if I try it with:
> >
> > <Handler Client-Identifier=localhost, Called-Station-Id=DIALIN>
> > <AuthBy LDAP2>
> > Host xxx.yyy.uni-ulm.de
> > Port zzzz
> > Version 3
> > UseTLS
> > SSLVerify none
> > AuthDN cn=foo,ou=bar,ou=baz,dc=uni-ulm,dc=de
> > AuthPassword mysecret
> > NoDefault
> > BaseDN ou=foo,dc=uni-ulm,dc=de
> > Scope one
> > UsernameAttr uid
> > PasswordAttr userpassword
> > </AuthBy>
> > </Handler>
> >
> > I get the following error:
> >
> > Mon Jul 1 17:08:32 2002: DEBUG: Handling request with Handler 'Client-Identifier=localhost, Called-Station-Id=DIALIN'
> > Mon Jul 1 17:08:32 2002: DEBUG: Deleting session for dialin, 0.0.0.0, 0
> > Mon Jul 1 17:08:32 2002: DEBUG: Handling with Radius::AuthLDAP2:
> > Mon Jul 1 17:08:32 2002: INFO: Connecting to frago.rz.uni-ulm.de, port 9999
> > Mon Jul 1 17:08:32 2002: DEBUG: Starting TLS
> > Mon Jul 1 17:08:32 2002: ERR: StartTLS failed: Operations error
>
> the problem is caused by inconsistencies between the newest versions of
> IO::Socket::SSL and net-ldap, as is already discussed on the
> perl-ldap-dev mailing list.
>
> I downgraded to IO::Socket::SSL 0.80 and it works so far:
>
> Wed Jul 3 18:36:37 2002: DEBUG: Handling with Radius::AuthLDAP2:
> Wed Jul 3 18:36:37 2002: INFO: Connecting to foo.bar.uni-ulm.de, port xyz
> Wed Jul 3 18:36:37 2002: DEBUG: Starting TLS
> Wed Jul 3 18:36:38 2002: INFO: StartTLS negotiated with cipher mode DES-CBC3-SHA
> Wed Jul 3 18:36:38 2002: INFO: Attempting to bind with cn=xyzxyz,ou=baz,ou=foo,dc=uni-ulm,dc=de, xyzxyz (server asdf.as.uni-ulm.de:9999)
> Wed Jul 3 18:36:38 2002: DEBUG: LDAP got result for cn=xyzxyz,ou=baz,dc=uni-ulm,dc=de
> Wed Jul 3 18:36:38 2002: DEBUG: LDAP got userPassword: {CRYPT}.........
> Wed Jul 3 18:36:38 2002: DEBUG: Radius::AuthLDAP2 looks for match with xyzxyz
> Wed Jul 3 18:36:38 2002: DEBUG: Radius::AuthLDAP2 ACCEPT:
> Wed Jul 3 18:36:38 2002: DEBUG: Access accepted for xyzxyz
>
> the relevant radiator config file snippet is (no other things must be
> configured dealing with certs and keys):
>
> Version 3
> UseTLS
> SSLVerify none
> SSLCAFile
>
> I use verify=none because I will not check the server certificate at
> the moment. Anyway, I have to set the argument SSLCAFile with an empty
> value, otherwise Radiator crashes with the following error message:
>
> Can't call method "get_context_handle" without a package or object reference at /radiator/perl/lib/site_perl/5.6.1/IO/Socket/SSL.pm line 602.
>
>
> I think this could be corrected by Mike with a proper empty default value
> for SSLCAFile if SSLVerify is "none", or better validation of the
> config input before calling the underlying modules like Net::LDAP and
> Net::LDAPS.
>
> Regards
> Charly
--
Mike McCauley [EMAIL PROTECTED]
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au
Phone +61 3 9598-0985 Fax +61 3 9598-0955
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory etc etc
on Unix, Win95/8, 2000, NT, MacOS 9, MacOS X etc etc
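The config-input validation Karl asks for at the end of his report, as an added example (not Radiator's own code): a small Python lint that parses an `<AuthBy LDAP2>` block in the syntax shown above, flags `SSLVerify none` as a StartTLS connection that does not authenticate the server, and flags an altogether undefined `SSLCAFile` as the crash trigger from the report. The sample block, hostname and DNs are constructed placeholders.

```python
import re

# Constructed sample: the reporter's block with SSLVerify none and no SSLCAFile
# line at all (the combination that crashed); hostname and DNs are placeholders.
SAMPLE = """<AuthBy LDAP2>
Host ldap.example.invalid
Version 3
UseTLS
SSLVerify none
AuthDN cn=foo,ou=bar,dc=example,dc=invalid
AuthPassword mysecret
UsernameAttr uid
</AuthBy>
"""


def parse_authby(text):
    """Map keyword -> value for the lines inside <AuthBy LDAP2> ... </AuthBy>.
    A bare keyword ('UseTLS', or 'SSLCAFile' left empty as in the report)
    maps to ''; a keyword that never appears is simply absent."""
    m = re.search(r"<AuthBy\s+LDAP2>(.*?)</AuthBy>", text, re.S | re.I)
    if not m:
        raise ValueError("no <AuthBy LDAP2> block found")
    params = {}
    for line in m.group(1).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            params[key] = value.strip()
    return params


def check_tls(params):
    """Return (severity, message) findings for the StartTLS-related keywords."""
    findings = []
    if "UseTLS" not in params:
        return findings  # plain LDAP, nothing to check here
    verify = params.get("SSLVerify", "").lower()
    cafile = params.get("SSLCAFile")
    if verify in ("", "none"):
        findings.append(("warning", "SSLVerify none (or unset): the server certificate "
                         "is not checked, so StartTLS encrypts but does not authenticate the server"))
    elif verify in ("optional", "require") and not cafile:
        findings.append(("error", "SSLVerify %s needs a non-empty SSLCAFile" % verify))
    elif verify not in ("optional", "require"):
        findings.append(("error", "unknown SSLVerify value %r" % verify))
    if cafile is None:
        findings.append(("error", "SSLCAFile is undefined; the report's IO::Socket::SSL "
                         "crashed on this, so set it explicitly (empty is fine with SSLVerify none)"))
    return findings
```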
Archive at http://www.open.com.au/archives/radiator/