Setup:
- FreeRADIUS 1.0.4 built with edir on FreeBSD 4.11 server.
- Cisco 3005 VPN Concentrator
- LDAP database on NetWare 6.5 server

Everything works fine when not using an SSL certificate and TLS. However, when TLS is turned on, here is what I get:

-----snip-----
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.254.1.6:1063, id=27, length=118
        User-Name = "username"
        User-Password = "password"
        NAS-Port = 1028
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Called-Station-Id = "10.254.1.6"
        Calling-Station-Id = "69.152.48.158"
        Tunnel-Client-Endpoint:0 = "69.152.48.158"
        NAS-IP-Address = 10.254.1.6
        NAS-Port-Type = Virtual
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
    rlm_realm: No '@' in User-Name = "stcrye", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for stcrye
radius_xlat:  '(cn=username)'
radius_xlat:  'o=services'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.254.8.25:389, authentication 0
rlm_ldap: setting TLS CACert File to /home/juser/trustedrootcertssl-certdns-episd1.b64
rlm_ldap: starting TLS
rlm_ldap: ldap_start_tls_s()
rlm_ldap: could not start TLS Connect error
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap1" returns fail for request 0
modcall: group authorize returns fail for request 0
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.254.1.6:1063, id=27, length=118
Discarding duplicate request from client VPN:1063 - ID: 27
--- Walking the entire request list ---
Waking up in 2 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 27 with timestamp 431712ab
Nothing to do.  Sleeping until we see a request.
-----snip-----

Relevant portion of radiusd.conf:

-----snip-----
ldap ldap1 {
        server = "10.254.8.25"
        identity = "cn=raduser,o=services"
        password = secretrad
        basedn = "o=services"
        filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
        #start_tls = no
        start_tls = yes
        tls_cacertfile = /home/juser/trustedrootcertssl-certdns-episd1.b64
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        password_attribute = userPassword
        edir_account_policy_check=no
        timeout = 20
        timelimit = 20
        net_timeout = 20
-----snip-----

When I un-comment start_tls = no and comment out start_tls = yes and tls_cacertfile, everything works fine. I don't really know where to start. I have read the FAQs, been up and down the list and can't find a solution.

Thanks in advance.

Josh

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
it may sound stupid, but - does the NetWare server have TLS / SSL turned on?

Regards,
Edvin Seferovic

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of [hidden email]
Sent: Friday, 02 September 2005 04:59
To: [hidden email]
Subject: TLS/SSL to eDirectory
In reply to this post by jp-2
Hi,
Please check the certificate used by the LDAP server using iManager. In case the server is using SSL CERTIFICATE DNS (by default this is what is used) you need to enter the hostname of the LDAP server in the server field below and not the IP address.

> ldap ldap1 {
>         server = "10.254.8.25"

HTH.
-Sayantan.
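One way to check, from the FreeRADIUS host, what name the eDirectory LDAP certificate actually carries and whether the value in rlm_ldap's `server` setting can ever match it. This is an added diagnostic, not code from the thread or from FreeRADIUS; it speaks the LDAPv3 StartTLS extended operation itself, and the host name and CA-file path you pass to `probe()` are placeholders for your own environment.

```python
import ipaddress
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # LDAPv3 StartTLS extended operation (RFC 4511)


def starttls_request(msg_id: int = 1) -> bytes:
    """BER-encode LDAPMessage{messageID, ExtendedRequest{requestName=StartTLS}}."""
    ext_body = b"\x80" + bytes([len(STARTTLS_OID)]) + STARTTLS_OID   # [0] requestName
    ext = b"\x77" + bytes([len(ext_body)]) + ext_body                 # [APPLICATION 23]
    body = b"\x02\x01" + bytes([msg_id]) + ext                        # INTEGER messageID
    return b"\x30" + bytes([len(body)]) + body                        # SEQUENCE


def starttls_result_code(resp: bytes) -> int:
    """resultCode of the ExtendedResponse (0 = success), or -1 if the reply is not one."""
    if len(resp) < 2 or resp[0] != 0x30:
        return -1
    i = 2 + (resp[1] & 0x7F if resp[1] & 0x80 else 0)   # skip SEQUENCE header (short/long length)
    i += 2 + resp[i + 1]                                 # skip messageID INTEGER
    if i + 1 >= len(resp) or resp[i] != 0x78:            # [APPLICATION 24] ExtendedResponse
        return -1
    i += 2 + (resp[i + 1] & 0x7F if resp[i + 1] & 0x80 else 0)
    return resp[i + 2] if resp[i] == 0x0A else -1        # ENUMERATED resultCode comes first


def server_matches(cert: dict, server: str) -> bool:
    """An IP literal in 'server' only matches an IP SAN; a hostname matches a DNS SAN or the CN."""
    san = cert.get("subjectAltName", ())
    dns = [v for k, v in san if k == "DNS"]
    dns += [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return server.lower() in (n.lower() for n in dns)
    return any(ipaddress.ip_address(v) == ip for k, v in san if k == "IP Address")


def probe(server: str, cafile: str, port: int = 389) -> tuple:
    """StartTLS on the LDAP port, verify the chain against cafile, then compare names."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False            # chain is still verified; name mismatch is reported by us
    with socket.create_connection((server, port), timeout=5) as sock:
        sock.sendall(starttls_request())
        if starttls_result_code(sock.recv(4096)) != 0:
            raise RuntimeError("LDAP server refused StartTLS (is TLS enabled on the NetWare side?)")
        with ctx.wrap_socket(sock, server_hostname=server) as tls:
            cert = tls.getpeercert()      # cert dict as returned by Python's ssl module
    return server_matches(cert, server), cert
```

A chain failure inside `wrap_socket` means the CA file is wrong; a `False` from `server_matches` with a clean handshake means the certificate is a DNS-name certificate and `server` should be the hostname, which is the mismatch described above.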