tac_plus-> mavis-> ldaps-> Windows 2008 Active Directory


Michael McConnell

Oct 19, 2011, 5:51:36 PM
to Event-Driven Servers
Hello Marc,

First, I'd like to say 'thank you' and 'job well done' for
contributing this software to the open source community. I've been
over your documentation and I think I've got a pretty good grip on
tac_plus. I'm using tac_plus on Ubuntu 10.04 LTS in concert with a
Windows 2008 R2 Active Directory backend (via Mavis). I've gotten
everything working correctly with authentication and authorization
against my AD using the insecure ldap port 389. But my problem is
that I'd really like to use ldaps and I can't seem to get that
working.

Here's what I've done:

1) I've recompiled tac_plus to include the '--with-ssl' switch.
2) I've imported my CA cert from the Microsoft CA that I'm running. I
placed the cert in /usr/share/certificates, used 'update-ca-certificates'
to ensure that a .pem symlink was created in /etc/ssl/certs and that it
was added to 'ca-certificates.crt'.
3) I've used 'mavistest' to test connectivity to the AD, alternately
trying ldap and ldaps in the 'setenv LDAP_HOSTS'. When I use ldap,
mavistest returns a successful result. With ldaps, mavistest returns
the following:

Input attribute-value-pairs:
TYPE TACPLUS
TIMESTAMP mavistest-20534-1319053532-0
USER tactest
PASSWORD ******
TACTYPE AUTH

Output attribute-value-pairs:
TYPE TACPLUS
TIMESTAMP mavistest-20534-1319053532-0
USER tactest
RESULT ERR
PASSWORD ******
SERIAL SpT0VlQ6PopTK7wYXH2BwA=
USER_RESPONSE I/O Error Connection reset by peer
TACTYPE AUTH

(I've also run a tcpdump capture while mavistest runs and I see where
the tcp handshake initiates on port 636 of the DC. It never gets
beyond 3 or 5 packets before mavistest ends with 'Connection reset by
peer'.)

Here's where it gets interesting -- When I run an 'ldapsearch' from
the linux server to the DC over ldaps, it completes successfully.

Any ideas? Is there something with Mavis that needs tuning? Any help
would be appreciated!

- Michael

Marc Huber

Oct 19, 2011, 11:50:58 PM
to Event-Driven Servers
Hi Michael,

the "Connection Reset" message probably comes from the Net::LDAP Perl
module.

Did you specify the servers with port number (636 or 3290)?
Plus, you may need to set the USE_TLS flag.

To make debugging the Perl script easier you could try calling it
directly. Something like

env LDAP_SERVER_TYPE=microsoft LDAP_HOST=... printf "0 TACPLUS\n4 $USER\n8 $PASS\n49 AUTH\n=\n" | mavis_tacplus_ldap.pl

You'll need to set the same environment variables that you've used in
the configuration.

Cheers,

Marc

Michael McConnell

Nov 11, 2011, 6:14:33 PM
to Event-Driven Servers
Thanks for those suggestions Marc. I figured out my problem and it
was (indirectly) related to Net::LDAP -- I was missing the Perl module
called 'IO::Socket::SSL' which is a requirement in order for Net::LDAP
to establish an LDAPS connection. (FYI, I did not have to use the
'USE_TLS' flag.)

You may want to update your documentation to reflect that
IO::Socket::SSL is a requirement for LDAP-over-SSL connectivity.

Thanks again,

- Michael
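The root cause in this thread is that Net::LDAP only optionally depends on IO::Socket::SSL, so an ldaps:// connect without it surfaces as a generic socket error rather than a "module missing" message. The following preflight script is an added example (not part of tac_plus or the mavis scripts) that checks the two modules up front and then performs a verified LDAPS bind, using the CA bundle Michael built with update-ca-certificates. The script name, its argument order and the LDAPS_CAFILE environment variable are this example's own conventions, not mavis settings.

```perl
#!/usr/bin/perl
# ldaps_preflight.pl -- added example, not part of tac_plus/mavis.
# Usage: ldaps_preflight.pl ldaps://dc.example.com:636 'CN=tactest,...' 'secret'
use strict;
use warnings;

# Return the names of the Perl modules that cannot be loaded.
# IO::Socket::SSL is what Net::LDAP needs for ldaps://; without it the
# failure looks like "I/O Error Connection reset by peer" in mavistest.
sub check_modules {
    my @missing;
    for my $mod (qw(Net::LDAP IO::Socket::SSL)) {
        eval "require $mod; 1" or push @missing, $mod;
    }
    return @missing;
}

# Connect over LDAPS with certificate verification and attempt a simple bind.
# Returns (1, "bind ok") or (0, "<reason>") so the caller can exit non-zero.
sub ldaps_bind_test {
    my ($uri, $bind_dn, $password, $cafile) = @_;
    require Net::LDAP;
    my $ldap = Net::LDAP->new(
        $uri,                   # e.g. ldaps://dc.example.com:636 (port in the URI)
        version => 3,
        timeout => 10,
        verify  => 'require',   # fail closed if the server cert does not chain to $cafile
        cafile  => $cafile,
    ) or return (0, "connect failed: $@");

    my $mesg = $ldap->bind($bind_dn, password => $password);
    my $ok = $mesg->code ? 0 : 1;
    my $detail = $ok ? 'bind ok' : 'bind failed: ' . $mesg->error;
    $ldap->unbind;
    return ($ok, $detail);
}

my ($uri, $bind_dn, $password) = @ARGV;
die "usage: $0 ldaps://host[:port] bind_dn password\n" unless defined $password;

# LDAPS_CAFILE is an assumption of this example; the default is the Debian/Ubuntu bundle.
my $cafile = $ENV{LDAPS_CAFILE} // '/etc/ssl/certs/ca-certificates.crt';

if (my @missing = check_modules()) {
    print STDERR "missing Perl module(s): @missing\n";
    exit 2;
}

my ($ok, $detail) = ldaps_bind_test($uri, $bind_dn, $password, $cafile);
print "$detail\n";
exit($ok ? 0 : 1);
```

Run this before reaching for tcpdump: exit status 2 means a module is missing (the case Michael hit), exit status 1 with "connect failed" usually points at the TLS layer (wrong port, untrusted CA), and a "bind failed" message with an LDAP error string means the transport is fine and the credentials or bind DN need attention.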

Marc Huber

Nov 12, 2011, 3:24:28 AM
to event-driv...@googlegroups.com
Hi Michael,

thanks for the update. I'll let the Perl scripts check for IO::Socket::SSL (and issue a warning if not found) in the next snapshot.

Cheers,

Marc

Chu Xiangyong

Sep 18, 2013, 3:16:00 AM
to event-driv...@googlegroups.com
I have the same problem, and when I do mavistest with the AD account, the result is "NFD". Could someone share your configuration for the tac_plus setting?