LDAP / TLS error 5875 (FreeRADIUS integration)

Gallwapa

Aug 9, 2007, 5:11:48 PM

Greetings,

I am attempting to integrate FreeRADIUS with eDir, but have hit a
snag. TLS won't connect. The error that I am receiving on the
DSTRACE +LDAP is a -5875, which appears to be a certificate error. I
don't really understand this, because I've done the following:

Exported the CA.Security self-signed certificate in .b64 format as per
http://www.novell.com/documentation/edir_radius/index.html

and put it in the FreeRADIUS configuration as specified. I'm
stumped. I have a PHP site that is doing ldaps://ldap.org actions
just fine.

Gallwapa

Aug 9, 2007, 5:12:36 PM

Bah, dupe :-(

Edward van der Maas

Aug 9, 2007, 9:04:08 PM

Gallwapa wrote:

Export the certificate which is configured on the LDAP Server object
(TLS/SSL tab) and use that. It's not the trusted root.

--
Cheers,
Edward

Edward van der Maas

Aug 9, 2007, 9:03:06 PM

Gallwapa wrote:

duplicate

--
Cheers,
Edward

Gallwapa

Aug 9, 2007, 11:04:13 PM

On Aug 9, 6:03 pm, "Edward van der Maas" <edmaa_remove_this!@and

Sorry for the dupes! Google groups freaked out and there was an
unfortunate use of the back button...:|

That being said, I did extract the self signed certificate from the
server I'm attempting to query. In this case, 152.157.72.162. I have
tried the certificateDNS, IP of that server - of the server that holds
the CA(psdinf-2), of the CA Object itself - the Org CA certificate.
I'm going mad, I swear it. I did get a little progress earlier: I
turned the cert check from demand to never. This got further and made
the LDAP query, but the server complained about the password being
incorrect (I was typing it in wrong, "test" and it was coming across
on the radius debug screen as testrad/aest ...very weird).

So - just to make sure I'm not a complete moron - here is the process
I used:

Log into iManager.
Click Modify Object.
Select the server certificate I am doing the TLS query to (in my case,
152.157.72.162 or psdinf-2 as it were) that is highlighted in the LDAP
server group SSL page (certificateDNS).
Click on the Certificates tab. Click Self Signed Certificate.
Check the self signed certificate box and click Export.
Select "SSL certificateDNS". Uncheck Export Private Key. Select B64
format.
Click Next. Save the file and copy it to the RADIUS server.

Thanks,

Preston

Edward van der Maas

Aug 9, 2007, 11:58:44 PM

Gallwapa wrote:


> Click on the certificates tab. Click self signed certificate.
> Check the self signed certificate box and click export
> select "SSL certificateDNS" Uncheck export private key. Select B64
> format
> click next. Save the file and copy it to the radius server.

properties of SSL CertificateDNS | certificates tab | Public key
certificate | click export | go through the export wizard.

--
Cheers,
Edward

Gallwapa

Aug 10, 2007, 12:38:41 AM

On Aug 9, 8:58 pm, "Edward van der Maas" <edmaa_remove_this!@and
+_th...@myrealbox.com > wrote:
> Gallwapa wrote:

I've just re-exported it using ConsoleOne as described: still get the
same darn error :(


Posting radiusd -X below... (and yes I realize this is only loosely an
eDir issue...say the word and I'll go hit up the FreeRADIUS
people...but so often people don't quite know what you're talking
about when you say 'edirectory' ;( )

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/radius"
main: libdir = "/usr/lib/freeradius"
main: radacctdir = "/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: user = "radiusd"
main: group = "radiusd"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded LDAP
ldap: server = "152.157.72.162"
ldap: port = 636
ldap: net_timeout = 1
ldap: timeout = 4
ldap: timelimit = 3
ldap: identity = "cn=radius-admin,o=psd"
ldap: tls_mode = no
ldap: start_tls = yes
ldap: tls_cacertfile = "/etc/raddb/certs/psdinf-2.b64"
ldap: tls_cacertdir = "/etc/raddb/certs/"
ldap: tls_certfile = "(null)"
ldap: tls_keyfile = "(null)"
ldap: tls_randfile = "(null)"
ldap: tls_require_cert = "demand"
ldap: password = "auth!me!plz"
ldap: basedn = "o=psd"
ldap: filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
ldap: base_filter = "(objectclass=radiusprofile)"
ldap: default_profile = "(null)"
ldap: profile_attribute = "(null)"
ldap: password_header = "(null)"
ldap: password_attribute = "nspmPassword"
ldap: access_attr = "dialupAccess"
ldap: groupname_attribute = "cn"
ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=
%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-
UserDn})))"
ldap: groupmembership_attribute = "(null)"
ldap: dictionary_mapping = "/etc/raddb/ldap.attrmap"
ldap: ldap_debug = 0
ldap: ldap_connections_number = 5
ldap: compare_check_items = no
ldap: access_attr_used_for_allow = yes
ldap: do_xlat = yes
ldap: edir_account_policy_check = yes
ldap: set_auth_type = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/
ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-
Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-
Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-
Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-
Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-
Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-
Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-
Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-
Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-
AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-
AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-
AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
conns: 0x800d03f0
Module: Instantiated ldap (ldap)
Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/etc/raddb/huntgroups"
preprocess: hints = "/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/etc/raddb/users"
files: acctusersfile = "/etc/raddb/acct_users"
files: preproxy_usersfile = "/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/
detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 152.157.160.9:32772, id=244,
length=59
User-Name = "testrad"
User-Password = "xxxxxx"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1812
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "testrad", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 152
modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testrad
radius_xlat: '(cn=testrad)'
radius_xlat: 'o=psd'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 152.157.72.162:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /etc/raddb/certs/psdinf-2.b64
rlm_ldap: setting TLS CACert Directory to /etc/raddb/certs/
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: starting TLS
rlm_ldap: ldap_start_tls_s()
rlm_ldap: could not start TLS Can't contact LDAP server
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns fail for request 0
modcall: leaving group authorize (returns fail) for request 0
Finished request 0
Going to the next request

Edward van der Maas

Aug 10, 2007, 1:43:48 AM

Gallwapa wrote:

Can you connect to your server using an LDAP browser over SSL?

--
Cheers,
Edward

Gallwapa

Aug 10, 2007, 2:49:41 AM

On Aug 9, 10:43 pm, "Edward van der Maas" <edmaa_remove_this!@and

Hmm. I tried Softerra LDAP Browser, but I read that it too needed the
certificate and I didn't investigate further on how to get it into the
store that it uses.

I can, however, perform ldaps queries via php/apache to authenticate
users. Am I mistaken in thinking that they use similar (LDAP over
SSL) methods?

a...@novell.com

Aug 10, 2007, 10:28:05 AM

They should be similar as long as you specified 'ldaps' in the
ldap_connect() call. If not then the connection probably isn't using
SSL. A LAN trace will verify one way or the other if nothing else.

Don't use Softerra... too hard to make it use SSL (the last time I tried
it anyway.... had to import the certs manually and other nonsense).
Google for 'ldap browser' (w/out quotes) and the first hit is a free
Java-based browser that pulls the certificates dynamically when you
check the 'SSL' checkbox.

Good luck.


Gallwapa

Aug 10, 2007, 3:12:35 PM

The java client successfully connects with SSL. I'll do a LAN trace
next Wed. when I'm back in the office. Thanks for the help so far :)!


Edward van der Maas

Aug 11, 2007, 7:36:33 AM

Gallwapa wrote:


> The java client successfully connects with SSL. I'll do a LAN trace
> next Wed. when I'm back in the office. Thanks for the help so far :)!

Let us know how you get on

--
Cheers,
Edward

Gallwapa

Aug 15, 2007, 5:44:29 PM

On Aug 11, 4:36 am, "Edward van der Maas" <edmaa_remove_this!@and
+_th...@myrealbox.com > wrote:
> Gallwapa wrote:

I have done the LAN trace. I see the following

RAD -> LDAP SYN
RAD <- LDAP SYN ACK
RAD -> LDAP ACK
RAD -> LDAP FIN ACK
RAD <- LDAP ACK
RAD -> LDAP FIN PSD ACK
RAD <- LDAP ACK


On the DSTRACE screen I see the following:

New TLS connection 0x88d35460 from 152.157.160.9:38398, monitor = 0x256, index = 3
Monitor 0x256 initiating TLS handshake on connection 0x88d35460
14:42:00 DoTLSHandshake on connection 0x88d35460
TLS accept failure 5 on connection 0x88d35460, setting err = -5875. Error stack:
TLS handshake failed on connection 0x88d35460, err = -5875
Server closing connection 0x88d35460, socket error = -5875
Connection 0x88d35460 closed


Note: I have also tried copying an LDAP auth page to a Windows/PHP
server from our NetWare/PHP server (that works). The Windows server
returned "Unknown CA" until I made a file at C:\openldap\sysconf
\ldap.conf and put TLS_CACERT "C:\rootcert.der" (the exported cert) in it.

After doing this, the Windows machine now has the *exact* same error
as the RADIUS server, and the LAN trace looks identical.

Edward van der Maas

Aug 16, 2007, 8:40:16 AM

Gallwapa wrote:


> Note: I have also tried copying an LDAP auth page to a Windows/PHP
> server from our Netware/PHP server (that works). The Windows server
> returned "Unknown CA" until I made a file at C:\openldap\sysconf
> \ldap.conf and put TLS_CACERT "C:\rootcert.der" (the exported cert.
>

> After doing this, the Windows machine now has the exact same error


> as the RADIUS server, and the LAN trace looks identical.

Hmm...I'm getting a bit clueless on this one. Maybe someone else has an
idea because I certainly don't anymore :( Sorry

--
Cheers,
Edward

Gallwapa

Aug 16, 2007, 11:00:58 AM

On Aug 16, 5:40 am, "Edward van der Maas" <edmaa_remove_this!@and

No worries - thanks for your help so far. I think I'll kick it over to
the OpenLDAP lists, maybe they'll have an idea. *Cross fingers*. I
just gave my notice at this job and I'd really like to wrap this
project up before I leave. :)

Gallwapa

Aug 16, 2007, 11:06:14 AM


Interestingly enough, on the very same server I can use the command
openssl s_client -connect ldap:636 and it connects just fine. This is
so frustrating :(

Edward van der Maas

Aug 16, 2007, 5:24:52 PM

Gallwapa wrote:


> Interestingly enough, on the very same server I can use the command
> openssl s_client -connect ldap:636 and it connects just fine. This is
> so frustrating :(

Welcome to the world of IT ;)


--
Cheers,
Edward

Gallwapa

Aug 21, 2007, 1:12:50 PM

On Aug 16, 2:24 pm, "Edward van der Maas" <edmaa_remove_this!@and
+_th...@myrealbox.com > wrote:
> Gallwapa wrote:

Okay - Novell helped me through this by simply turning off Start_TLS,
turning TLS_REQCert to "NEVER" and TLS_MODE = On. Also commenting out
Post-auth reject LDAP (all stuff that the tutorial I was using told me
to do, fancy that).

At any rate, now our issue is with setting the dialupAccess attribute
to 1 on over 1500 users. I've checked and apparently MassUser, my
favorite tool of choice, isn't working for this feature yet and he is
using the iChain RADIUS, so he can't test the same environment. This
leaves us with few options. The RADIUS plugins for iManager don't let
you select multiple users, so I'm thinking some sort of LDIF file or a
direct LDAP query? Any recommendations? Thanks.
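A configuration check for the two states this thread passes through: the radiusd -X dump posted earlier (start_tls = yes against port 636) and the fix described in this post (tls_mode on, StartTLS off, TLS_REQCert set to never). This is an added example, not FreeRADIUS code or anything posted in the thread; the rule ids and messages are mine, and the two embedded dumps are constructed from the `ldap:` lines shown above.

```python
import re

# Constructed sample: the TLS-relevant 'ldap:' lines from the radiusd -X dump
# posted earlier in the thread (StartTLS aimed at the ldaps port).
THREAD_DEBUG = """\
ldap: server = "152.157.72.162"
ldap: port = 636
ldap: tls_mode = no
ldap: start_tls = yes
ldap: tls_cacertfile = "/etc/raddb/certs/psdinf-2.b64"
ldap: tls_require_cert = "demand"
"""

# Constructed sample: the settings this post ends up with (tls_mode on,
# StartTLS off, certificate checking relaxed to "never").
FIXED_DEBUG = """\
ldap: server = "152.157.72.162"
ldap: port = 636
ldap: tls_mode = yes
ldap: start_tls = no
ldap: tls_cacertfile = "/etc/raddb/certs/psdinf-2.b64"
ldap: tls_require_cert = "never"
"""

LINE_RE = re.compile(r'^ldap:\s*(\w+)\s*=\s*"?(.*?)"?\s*$')

def parse_ldap_settings(debug_text):
    """Map every 'ldap: key = value' debug line to {key: value}, quotes stripped."""
    settings = {}
    for line in debug_text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            settings[match.group(1)] = match.group(2)
    return settings

def lint_ldap_tls(settings):
    """Return [(rule_id, message), ...] for inconsistent or weak TLS settings."""
    port = int(settings.get("port", "389"))
    start_tls = settings.get("start_tls", "no") == "yes"
    tls_mode = settings.get("tls_mode", "no") == "yes"
    require_cert = settings.get("tls_require_cert", "demand")
    cacert = settings.get("tls_cacertfile", "(null)")
    findings = []
    if port == 636 and start_tls:
        # 636 expects a TLS ClientHello first; a cleartext StartTLS extended
        # request sent there is what makes the server's TLS accept fail.
        findings.append(("STARTTLS_ON_LDAPS_PORT",
                         "start_tls = yes with port 636: use tls_mode = yes on "
                         "636 (ldaps) or start_tls = yes on 389"))
    if not start_tls and not tls_mode:
        findings.append(("CLEARTEXT_LDAP",
                         "neither tls_mode nor start_tls: the bind identity and "
                         "password cross the network in the clear"))
    if (start_tls or tls_mode) and require_cert != "demand":
        findings.append(("CERT_NOT_VERIFIED",
                         f'tls_require_cert = "{require_cert}": the LDAP server '
                         "certificate is not checked, so any certificate is accepted"))
    if (start_tls or tls_mode) and require_cert == "demand" and cacert == "(null)":
        findings.append(("NO_TRUST_ANCHOR",
                         "tls_require_cert = demand without tls_cacertfile: "
                         "verification has nothing to chain to"))
    return findings

def rule_ids(debug_text):
    """Parse a dump and return only the rule ids that fire, in order."""
    return [rule for rule, _ in lint_ldap_tls(parse_ldap_settings(debug_text))]
```

Since the StartTLS/636 mismatch alone is enough to produce the "TLS accept failure" seen in the DSTRACE output, it is worth retrying tls_require_cert = "demand" once tls_mode is on: the lint clears the handshake finding for the fix but still flags CERT_NOT_VERIFIED.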

a...@novell.com

Aug 21, 2007, 1:22:17 PM

If it's all users or if you can export the DNs (or get them some other
way) of the users who will have this attribute then an LDIF would make
this trivial.

dn: cn=user0,o=organization,dc=domain
changetype: modify
add: dialupAccess
dialupAccess: 1

dn: cn=user1,o=organization,dc=domain
changetype: modify
add: dialupAccess
dialupAccess: 1

rinse and repeat....

Good luck.


Gallwapa

Aug 21, 2007, 11:46:34 PM

Thanks, but not quite THAT easy. That LDIF example is a start
though. Unfortunately, we have (much to the *cough* network
administrators' *cough* dismay) been forced to create literally
thousands of "generic" accounts mixed in with the general populace. I
think I have an idea on how to filter them out though... so I'll give
it a whirl. Thanks!

Edward van der Maas

Aug 24, 2007, 11:17:06 PM

Gallwapa wrote:


> Thanks, but not quite THAT easy. That ldif example is a start

> though. Unfortunately, we have (much to the cough network
> administrators cough dismay) been forced to create literally


> thousands of "generic" accounts mixed in with the general populace. I
> think I have an idea on how to filter them out though... so I'll give
> it a whirl. Thanks!

If those generic accounts have a proper naming standard you could
export all users and use something like TextPad and a regex to filter
them out.


--
Cheers,
Edward

Gallwapa

Aug 24, 2007, 11:34:03 PM

On Aug 24, 8:17 pm, "Edward van der Maas" <edmaa_remove_this!@and

Well, today was my final day. We got everyone ldif'd that was
supposed to be set up for dialupAccess. Interesting learning
experience to say the least :-).

What we ended up doing was an export of all user objects using
MassUser, exporting the CN and "internet e-mail address" - none of our
generic accounts have groupwise :). Simple excel sort, and poof. We
were ready to find and replace for ldif. A little massaging to pump
it through ICE, modifying our user templates so all future users get
the attribute and there it was.

It'll probably be a while before I post here again... (I'm going to work
in an all-Microsoft shop, scary!)... thanks for all the help and
advice! You guys rock!

Best regards,
Preston
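
The approach described in this post and the LDIF format a...@novell.com gave earlier, as one added script that is not the poster's own tooling, MassUser or ICE: it takes a CN/e-mail export, keeps only the users that have an e-mail address (the generic accounts have none), and writes a modify record per user. The CSV layout, the sample rows and the example.org addresses are constructed; the base DN o=psd is the basedn from the radiusd -X dump above.

```python
import base64
import csv
import io

# Constructed sample export (CN and Internet e-mail address): rows without a
# mail value stand for the "generic" accounts the thread wants to skip.
SAMPLE_EXPORT = """\
cn,mail
jsmith,jsmith@example.org
lab-pc-01,
testrad,testrad@example.org
kiosk07,
"o'brien, pat",pobrien@example.org
"""

BASE_DN = "o=psd"        # basedn from the thread's radiusd -X dump
SPECIAL = ',+"\\<>;'     # characters RFC 4514 requires escaping inside an RDN value

def escape_rdn_value(value):
    """Escape one RDN attribute value for use in a DN (RFC 4514 rules)."""
    out = "".join("\\" + ch if ch in SPECIAL else ch for ch in value)
    if out[:1] in ("#", " "):          # a leading '#' or space must be escaped
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):   # and a trailing space
        out = out[:-1] + "\\ "
    return out

def ldif_line(attr, value):
    """'attr: value', or 'attr:: <base64>' when value is not LDIF-safe (RFC 2849)."""
    safe = (value and value[0] not in " :<" and not value.endswith(" ")
            and all(0 < ord(ch) < 128 and ch not in "\r\n" for ch in value))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def select_real_users(csv_text):
    """CNs of exported users that have an e-mail address; generic accounts have none."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [row["cn"] for row in rows if (row.get("mail") or "").strip()]

def dialup_ldif(cns, base_dn=BASE_DN):
    """One 'changetype: modify' record per user, adding dialupAccess: 1."""
    records = []
    for cn in cns:
        dn = f"cn={escape_rdn_value(cn)},{base_dn}"
        records.append("\n".join([
            ldif_line("dn", dn),
            "changetype: modify",
            "add: dialupAccess",
            "dialupAccess: 1",
            "-",    # RFC 2849 mod-spec terminator (the thread's example omits it)
        ]))
    return "\n\n".join(records) + "\n"

if __name__ == "__main__":
    print(dialup_ldif(select_real_users(SAMPLE_EXPORT)), end="")
```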

Edward van der Maas

Aug 26, 2007, 1:16:21 AM

Gallwapa wrote:


> What we ended up doing was an export of all user objects using
> MassUser, exporting the CN and "internet e-mail address" - none of our
> generic accounts have groupwise :). Simple excel sort, and poof. We
> were ready to find and replace for ldif. A little massaging to pump
> it through ICE, modifying our user templates so all future users get
> the attribute and there it was.

Nice work, thanks for the feedback.

> It'll probably be awhile before I post here again...(I'm going to work
> in an all microsoft shop, scary!)...thanks for all the help and
> advice!

The MS forums have lots of volunteers as well :)

>You guys rock!

That is always nice to hear :)

--
Cheers,
Edward
