TLS negotiation fail with Active Directory port 3269


Hien The Nguy

Jul 12, 2015, 11:38:51 PM
to event-driv...@googlegroups.com
Hi 

I am configuring TLS with Active Directory on port 3269, but the TLS negotiation has failed. Here is a sample of my configuration.

        mavis module = external {
                setenv LDAP_SERVER_TYPE = "microsoft"
                setenv LDAP_HOSTS = "ldaps://domain.org:3269"
#                setenv LDAP_HOSTS = "ldaps://ddmain.org:3268"
                setenv LDAP_SCOPE = sub
                setenv LDAP_BASE = "DC=ericsson,DC=se"
                setenv LDAP_FILTER = "(&(objectclass=user)(sAMAccountName=%s))"
                setenv LDAP_USER =  tac...@domain.org
                setenv LDAP_PASSWD = xxxxxxxxx
                setenv AD_GROUP_PREFIX = tacacs-

                setenv USE_TLS = 1
#                setenv USE_TLS = 0
                exec = /opt/tacacs/lib/mavis/mavis_tacplus_ldap.pl
        }

Here is the output of the test:
Input attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-3110-1436731092-0
USER                xxxxx
PASSWORD            xxxxxx
TACTYPE             AUTH


Output attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-3110-1436731092-0
USER                xxxx
RESULT              ERR
PASSWORD            xxxxx
SERIAL              2UkqyvaTJprvK+FQRtLqHw=
USER_RESPONSE       TLS negotiation failed.
TACTYPE             AUTH


I'm wondering if I have missed any Perl LDAP package installation?

However, when I test with the ldapsearch command, it works fine after I add the statement "TLS_REQCERT allow" to /etc/ldap/ldap.conf:

ldapsearch -v -x -H ldaps://domain.org:3269  -b "dc=domain,dc=org" -D tac...@domain.org  -w xxxxxxxx samaccountname=<username>


Has anybody seen this issue?


Hien The


Hien The Nguy

Jul 13, 2015, 1:12:47 AM
to event-driv...@googlegroups.com
Hi,

I think I found the issue: when I use ldaps://domain.org:3269 with the option USE_TLS set to either 0 or 1, the start_tls method in mavis_tacplus_ldap.pl returns LDAP_OPERATIONS_ERROR = 1. It was not obvious what the error means, so I changed the code to give more meaningful output, as follows:

    403                 if (defined $use_tls) {
    404                         my $mesg = $ldap->start_tls;
    405                         if ($mesg->code) {
    406 #                               $V[AV_A_USER_RESPONSE] = "TLS negotiation failed.";
    407                                 $V[AV_A_USER_RESPONSE] = $mesg->error . " (" . __LINE__ . ")";
    408                                 goto fatal;
    409                         }
    410                 }

Then I ran ./mavistest -d -1 ../etc/tac_plus.cfg tac_plus TACPLUS xxxx xxxxx and the error is more obvious: "USER_RESPONSE       TLS already started (409)"

See the output:
Input attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-3059-1436762813-0
USER                xxxx
PASSWORD            xxxxx
TACTYPE             AUTH


Output attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-3059-1436762813-0
USER                xxxx
RESULT              ERR
PASSWORD            xxxxx
SERIAL              H16cZIgEATWvAC0rEm4dKQ=
USER_RESPONSE       TLS already started (409)
TACTYPE             AUTH

It seems that when I specify ldaps://xxxx:3289 and define USE_TLS = 1 or 0 at the same time, that makes the script start TLS twice, which explains the error message. So I commented out or removed the USE_TLS option from the configuration and everything is working.

I think the script needs to check the status of TLS before starting another one.

Hien The 
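The thread touches two points a defender would want to pin down: the second post's request that the script check the TLS state before calling start_tls (an ldaps:// session is encrypted from the first byte, so start_tls on it is what yields "TLS already started"), and the first post's workaround of putting TLS_REQCERT allow in ldap.conf, which disables certificate verification and so lets anyone on the path read the bind password. The Perl below is an added example written for this page; it is not code from the thread or from the tac_plus project's mavis_tacplus_ldap.pl. It assumes Net::LDAP is installed and uses its documented scheme, socket and start_tls methods; the helper names needs_start_tls and ensure_tls, and the LDAP_CAFILE environment variable, are hypothetical.

```perl
#!/usr/bin/perl
# Added example, not the thread's or tac_plus's code: decide whether start_tls
# is needed before issuing it, so an ldaps:// session is never asked to start
# TLS a second time, and keep certificate verification on while doing so.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS);

# Pure decision (hypothetical helper): an explicit start_tls is only needed on
# a plain ldap:// session whose USE_TLS flag is on and whose socket is not
# already TLS. ldaps:// (port 3269 on AD) is TLS from the start, so start_tls
# there returns LDAP_OPERATIONS_ERROR / "TLS already started".
sub needs_start_tls {
    my ($scheme, $use_tls, $socket_is_tls) = @_;
    return 0 unless $use_tls;           # USE_TLS unset or 0: caller chose no StartTLS
    return 0 if $scheme eq 'ldaps';     # implicit TLS, nothing to start
    return 0 if $socket_is_tls;         # already upgraded earlier in the session
    return 1;
}

# Wrapper around a live Net::LDAP object (hypothetical helper). Returns the
# result code and message so the caller can report it, as the second post's
# patch does, instead of a fixed "TLS negotiation failed." string.
# verify => 'require' is deliberate: the TLS_REQCERT allow workaround from the
# first post accepts any certificate and defeats the point of TLS.
sub ensure_tls {
    my ($ldap, $use_tls, $cafile) = @_;
    my $sock   = $ldap->socket(sasl => 0);
    my $is_tls = $sock && $sock->isa('IO::Socket::SSL') ? 1 : 0;
    return (LDAP_SUCCESS, 'TLS already active or not requested')
        unless needs_start_tls($ldap->scheme, $use_tls, $is_tls);
    my $mesg = $ldap->start_tls(verify => 'require', cafile => $cafile);
    return ($mesg->code, $mesg->error);
}

# Offline check of the decision table on the configurations from the thread
# (constructed cases; no server needed).
my @cases = (
    # scheme,  USE_TLS, socket already TLS?, expected needs_start_tls
    [ 'ldaps', 1, 1, 0 ],   # ldaps://domain.org:3269 + USE_TLS=1: skip start_tls
    [ 'ldaps', 0, 1, 0 ],   # ldaps://domain.org:3269 + USE_TLS=0: skip start_tls
    [ 'ldap',  1, 0, 1 ],   # plain ldap:// on GC port 3268 + USE_TLS=1: start once
    [ 'ldap',  1, 1, 0 ],   # plain ldap:// already upgraded: do not start again
    [ 'ldap',  0, 0, 0 ],   # plain ldap:// without USE_TLS: left in the clear
);
for my $c (@cases) {
    my ($scheme, $use_tls, $is_tls, $want) = @$c;
    my $got = needs_start_tls($scheme, $use_tls, $is_tls);
    die "needs_start_tls($scheme,$use_tls,$is_tls) = $got, want $want\n"
        unless $got == $want;
}
print "decision table OK\n";

# Live run only when the environment points at a server. LDAP_HOSTS, LDAP_USER,
# LDAP_PASSWD and USE_TLS mirror the setenv names in the thread's config;
# LDAP_CAFILE (path to the CA bundle that signed the AD certificate) is a
# placeholder name used here only.
if (my $uri = $ENV{LDAP_HOSTS}) {
    my $cafile = $ENV{LDAP_CAFILE};
    my $ldap = Net::LDAP->new($uri, verify => 'require', cafile => $cafile)
        or die "connect to $uri failed: $@\n";
    my ($code, $text) = ensure_tls($ldap, $ENV{USE_TLS}, $cafile);
    die "TLS setup on $uri failed: $text\n" if $code != LDAP_SUCCESS;
    my $bind = $ldap->bind($ENV{LDAP_USER}, password => $ENV{LDAP_PASSWD});
    die "bind failed: " . $bind->error . "\n" if $bind->code;
    print "bound over TLS to $uri\n";
    $ldap->unbind;
}
```

Run without LDAP_HOSTS set to exercise only the decision table; with LDAP_HOSTS="ldaps://domain.org:3269" and USE_TLS=1 it connects once and skips start_tls, which is the combination that failed in the thread. Because verification is required, a connection to a server whose certificate is not signed by the bundle in LDAP_CAFILE fails at Net::LDAP->new rather than succeeding silently, which is the behaviour the ldap.conf workaround had removed.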