Thanks for the information. The stdout/console logs yielded no additional information from Perl’s LDAP library, still only "ERR: Could not open LDAP connection to *redacted*:636. Backing off for 60 seconds" so I decided to look into SSL issues as the next logical step.
It turns out that the server on which we are running Radiator is using a newer version of OpenSSL that enforces against using weak DH keys (to prevent the Logjam attack). Using "openssl s_client -showcerts" to connect and show the server SSL certificates, I could see openssl reporting that the certificate on the LDAP server was using a certificate with a “too small” DH key:

140309439825560:error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small:s3_clnt.c:3615:

I resolved this by disallowing DH ciphers sent by the client in the radius config:

SSLCiphers DEFAULT:!EXPORT:!LOW:!DH

Radiator is now able to connect (and bind) to the LDAP server over SSL.

—Jennifer

> On May 11, 2016, at 9:42 AM, Tuure Vartiainen <varti...@open.com.au> wrote:
>
> Hello,
>
>> On 11 May 2016, at 01:49, Jennifer Mehl <jennifer.m...@ucsb.edu> wrote:
>>
>> I’m working on setting up a new RADIUS client/handler, and am having trouble
>> diagnosing why connections from Radiator to an LDAP server are failing.
>>
>> Using the ldapsearch command from the same system, using the same
>> AuthDN/password yields a successful result.
>>
>> I’m wondering if there is an error being kicked off somewhere from the LDAP
>> or SSL Perl modules that I can’t see. Or is there an open/broken connection
>> to the LDAP server being cached somewhere that needs a “reset?”
>>
>> I’ve turned on Trace 5 in radius.cfg and “Debug 255” in the AuthByLDAP2
>> clause, but not seeing a lot in the logs about the reason for the failure.
>>
>
> Perl’s LDAP library’s debug output, which is enabled with “Debug 255”,
> can only be seen on a console when running Radiator on a foreground.
>
> E.g.
>
> $ perl radiusd -config /etc/radiator/radius.cfg -trace 4 -log_stdout
> -foreground
>
>
> BR
> --
> Tuure Vartiainen <varti...@open.com.au>
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> NetWare etc.
>
> _______________________________________________
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
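As an added check (an example script, not code from the thread or from Radiator): the handshake Jennifer ran by hand, turned into a small probe that reports the size of the ephemeral DH group an LDAPS server offers and classifies it. It assumes the openssl(1) CLI is installed and prints the "Server Temp Key" line (OpenSSL 1.0.2 or later); the host name is a placeholder.

```shell
#!/bin/sh
# Added example, not from the Radiator thread: measure the ephemeral DH group
# an LDAPS server offers, which post-Logjam OpenSSL rejects as "dh key too
# small". Assumes the openssl(1) CLI (1.0.2+ for the "Server Temp Key" line).

# dh_bits_from_sclient: read `openssl s_client` output (stdout and stderr
# merged) on stdin and print the DH key size in bits, "rejected" if the client
# already refused the group with "dh key too small", or "none" if no DH group
# was negotiated (an ECDHE or RSA key-exchange suite, or a failed connection).
dh_bits_from_sclient() {
    awk '
        /Server Temp Key: DH,/ { sub(/.*DH, /, ""); sub(/ bits.*/, ""); print; found = 1; exit }
        /dh key too small/     { print "rejected"; found = 1; exit }
        END                    { if (!found) print "none" }
    '
}

# assess_dh_bits: turn the measured size into a verdict. 2048 bits is the
# conservative floor: OpenSSL's stricter security levels reject smaller
# groups, and a 1024-bit group is the kind that fails with "dh key too small".
assess_dh_bits() {
    case "$1" in
        rejected) echo weak ;;
        none)     echo none ;;
        *)        [ "$1" -ge 2048 ] && echo ok || echo weak ;;
    esac
}

# probe_ldaps HOST PORT: live check (needs network). stderr is merged so the
# OpenSSL error line is seen by the parser as well as the handshake summary.
probe_ldaps() {
    printf '' | openssl s_client -connect "$1:$2" 2>&1 | dh_bits_from_sclient
}

# Constructed sample of s_client output so the script demonstrates offline.
SAMPLE='CONNECTED(00000003)
depth=0 CN = ldap.example.com
---
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 2112 bytes and written 415 bytes'
bits=$(printf '%s\n' "$SAMPLE" | dh_bits_from_sclient)
echo "constructed sample: DH $bits bits -> $(assess_dh_bits "$bits")"

# Live probe when a host is given: ./check_dh.sh ldap.example.com 636
if [ -n "${1:-}" ]; then
    echo "$1:${2:-636}: $(assess_dh_bits "$(probe_ldaps "$1" "${2:-636}")")"
fi
```

`!DH` on the Radiator side only stops this one client from negotiating the weak group; the server keeps offering it to every other client until its DH parameters are regenerated at 2048 bits or it is configured to prefer ECDHE suites.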