Discussion:
RADIUS + LDAP + TLS
Francisco Orozco/Upcnet
2003-06-18 10:32:57 UTC
Hello to all,

I've been using FreeRadius for a year, but now I'd like to implement
RADIUS with LDAP authentication. I've tested it and it works great.

Now I'd like to protect radius - ldap server communication using TLS. But
I'm not able to do it.

My LDAP server is Notes Domino and I've been able to configure it
correctly. I can connect to it using LDAP SSL/TLS, but I don't know how to
implement this in FreeRadius.

I'm using freeradius-0.8.1 and this is my radiusd.conf



Can you help me?

When I try it, I see this log:

rad_recv: Access-Request packet from host 127.0.0.1:32792, id=101,
length=60
User-Name = "test"
User-Password = "1234567890"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1
rad_lowerpair: User-Name now 'test'
rad_lowerpair: User-Password now '1234567890'
modcall: entering group authorize
rlm_ldap: - authorize
rlm_ldap: performing user authorization for test
radius_xlat: '(uid=test)'
radius_xlat: 'o=Prova'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.server.mycompany.es:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: starting TLS
rlm_ldap: ldap_start_tls_s()
rlm_ldap: could not start TLS Protocol error
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns fail
modcall: group authorize returns fail
There was no response configured: rejecting request 0
Server rejecting request 0.
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 101 to 127.0.0.1:32792
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 101 with timestamp 3ef0694c
Nothing to do. Sleeping until we see a request.

______________________________________
Paco Orozco (***@upcnet.es)
Divisió de Telecomunicacions
UPCNet
Edifici Vèrtex - Pl. Eusebi Güell, 6
Telèfon centraleta: 93.40.11600
Owen DeLong
2003-06-18 15:05:13 UTC
I don't know how to get TLS to work, but you should be able to do
SSL by specifying that the LDAP port to use is 669 (LDAPs) in
your radius.conf. I'm, however, having a similar problem in that
I am unable to get it to work because of a complaint about a self-signed
certificate. If you have any ideas on how to rectify that one, I'd
appreciate it. I've posted my question to the list twice and have
received zero response.

Owen


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Kostas Kalevras
2003-06-20 10:13:35 UTC
On Fri, 20 Jun 2003, Kostas Kalevras wrote:

> Try the attached patch. I haven't tested it though.

Also, you could just try to change the configuration of the ldap client
library:
http://www.openldap.org/doc/admin21/tls.html


--
Kostas Kalevras Network Operations Center
***@noc.ntua.gr National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
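Putting the log from the first message and the ldap.conf pointer above together, here is an added configuration example; it is not from the thread or the FreeRADIUS distribution. It assumes the freeradius-0.8.x rlm_ldap keywords server, port, basedn, filter, start_tls and tls_mode (tls_mode is my reading of the "setting TLS mode to 1" log line; check your rlm_ldap's module_config), an assumed ldap.conf path and a placeholder CA file; the host and basedn are the ones in the log.

```conf
# Added example; not from the thread or the FreeRADIUS distribution.
# Keywords assumed from freeradius-0.8.x rlm_ldap: server, port, basedn,
# filter, start_tls, tls_mode (tls_mode assumed from the log line
# "setting TLS mode to 1"). Verify them against your rlm_ldap build.

# ---- radiusd.conf, ldap module: the pairing the log shows ----
# 636 is the LDAPS port: TLS is negotiated as soon as the socket opens,
# so there is no plaintext session left to upgrade. Asking rlm_ldap to
# also issue the StartTLS extended operation on that port is what
# ldap_start_tls_s() reports as "could not start TLS Protocol error".
ldap {
	server    = "ldap.server.mycompany.es"
	port      = 636
	tls_mode  = yes          # implicit TLS (LDAPS) ...
	start_tls = yes          # ... AND StartTLS on top: conflicting, fails
	basedn    = "o=Prova"
	filter    = "(uid=%{User-Name})"
}

# ---- Fix A: LDAPS only (the "just change the port" route) ----
ldap {
	server    = "ldap.server.mycompany.es"
	port      = 636
	tls_mode  = yes          # libldap wraps the socket in TLS itself
	start_tls = no           # no StartTLS operation is sent
	basedn    = "o=Prova"
	filter    = "(uid=%{User-Name})"
}

# ---- Fix B: plain LDAP port, upgraded with StartTLS ----
# Needs a directory that actually offers the StartTLS extended operation.
ldap {
	server    = "ldap.server.mycompany.es"
	port      = 389
	tls_mode  = no
	start_tls = yes          # plaintext connect, then StartTLS
	basedn    = "o=Prova"
	filter    = "(uid=%{User-Name})"
}

# ---- OpenLDAP client library, e.g. /etc/openldap/ldap.conf (path assumed) ----
# rlm_ldap links against libldap, which reads this file, so in 0.8.1 the
# certificate settings live here rather than in radiusd.conf. This is
# also where the "self-signed certificate" complaint is resolved: hand
# the library the CA (for a self-signed server cert, that cert itself)
# and keep verification on. TLS_REQCERT never would silence the error,
# but then any host answering on 636 could stand in for the directory
# and collect the bind credentials rlm_ldap sends for every user.
TLS_CACERT   /etc/openldap/cacerts/ldap-server-ca.pem   # placeholder path
TLS_REQCERT  demand
```

The same ldap.conf settings are picked up by ldapsearch from the shell, so the certificate can be checked against the directory before radiusd is touched, which separates libldap problems from rlm_ldap ones.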

Kostas Kalevras
2003-06-20 09:59:33 UTC
Try the attached patch. I haven't tested it though.


Ron Wahler
2003-06-18 15:40:19 UTC
Is there a description someplace that would show how
to set up an SSL connection from Freeradius to an external LDAP database?

Thanks,
Ron.

Owen DeLong
2003-06-18 15:54:36 UTC
Yes... Don't remember exactly where I found it, but, if you have LDAP
working, then it's just a matter of adding a port=669 phrase to the
configuration file (radiusd.conf) where you specify the ldap server.

Owen

Ron Wahler
2003-06-18 15:58:59 UTC
Yes, but how do you set up the SSL tunnel and get the certificates to
validate to the LDAP server? Are you using stunnel?

Ron.

Owen DeLong
2003-06-18 16:28:00 UTC
No... The OpenLDAP libraries used to build Freeradius already handle
all of that for you. At least in my case, it just worked, except for
that niggling issue of the self-signed certificate. If your LDAP
server is already set up to handle SSL connections, that should be
all you need.

Owen


Ron Wahler
2003-06-18 16:51:38 UTC
The OpenLDAP build was part of the freeradius build, or did you do them
separately? Our LDAP is not on the server; it is on another box.

How did you get the certificates installed?
How did you get them to validate?



Owen DeLong
2003-06-18 21:06:36 UTC
When you built rlm_ldap, you needed some sort of LDAP library for
it. Usually, this is OpenLDAP. If you used something else, I'm not
sure what to tell you. In my case, I built FreeRadius and the rlm_ldap
module at the same time. I don't know what you did. I didn't install
a certificate on the RADIUS server. I used an existing LDAP server run
by IT which has a self-signed certificate on it. I don't know how they
installed the certificate, and that would depend on the LDAP server in use
anyway. As to validation, I haven't been able to get them to validate
because FreeRadius is rejecting the self-signed certificate from the LDAP
server.

I got the impression from your original email that you had the LDAP
server already working with LDAPs. If that's not the case, you first
need to get a working LDAPs server (LDAP over SSL). This is not something
I can help you with.

Once that is done, getting RADIUS to be another client of that LDAPs
server should simply be a matter of changing the port number in the
radiusd.conf from what was working with the LDAP server.

Owen


--On Wednesday, June 18, 2003 10:51 -0600 Ron Wahler <***@rovingplanet.com>
wrote:

>
> The OpenLDAP build was part of the freeradius build or did you do them
> separate? Our LDAP is not on the server it is on another box.
>
> How did you get the certificates installed?
> How did you get them to validate?
>
>
>
> -----Original Message-----
> From: Owen DeLong [mailto:***@delong.com]
> Sent: Wednesday, June 18, 2003 10:28 AM
> To: freeradius-***@lists.cistron.nl
> Subject: RE: RADIUS + LDAP + TLS
>
> No... The OpenLDAP libraries used to build Freeradius already handle
> all of that for you. At least in my case, it just worked, except for
> that niggling issue of the self-signed certificate. If your LDAP
> server is already set up to handle SSL connections, that should be
> all you need.
>
> Owen
>
>
> --On Wednesday, June 18, 2003 9:58 AM -0600 Ron Wahler
> <***@rovingplanet.com> wrote:
>
>>
>> Yes, but how do you set up the SSL tunnel and get the certificates to
>> validate to the LDAP server? are you using stunnel ?
>>
>> Ron.
>>
>> -----Original Message-----
>> From: Owen DeLong [mailto:***@delong.com]
>> Sent: Wednesday, June 18, 2003 9:55 AM
>> To: freeradius-***@lists.cistron.nl
>> Subject: RE: RADIUS + LDAP + TLS
>>
>> Yes... Don't remember exactly where I found it, but, if you have LDAP
>> working, then it's just a matter of adding a port=669 phrase to the
>> configuration file (radiusd.conf) where you specify the ldap server.
>>
>> Owen
>>
>> --On Wednesday, June 18, 2003 9:40 AM -0600 Ron Wahler
>> <***@rovingplanet.com> wrote:
>>
>>>
>>> Is there a description someplace that would show how
>>> to setup an SSL connection from Freeradius to an external LDAP
>> database.
>>>
>>> Thanks,
>>> Ron.
>>>
>>> -----Original Message-----
>>> From: Owen DeLong [mailto:***@delong.com]
>>> Sent: Wednesday, June 18, 2003 9:05 AM
>>> To: freeradius-***@lists.cistron.nl
>>> Subject: Re: RADIUS + LDAP + TLS
>>>
>>> I don't know how to get TLS to work, but you should be able to do
>>> SSL by specifying that the LDAP port to use is 669 (LDAPs) in
>>> your radius.conf. I'm, however, having a similar problem in that
>>> I am unable to get it to work because of a complaint about a
>> self-signed
>>> certificate. If you have any ideas on how to rectify that one, I'd
>>> appreciate it. I've posted my question to the list twice and have
>>> received zero response.
>>>
>>> Owen
>>>
>>>
>>> --On Wednesday, June 18, 2003 12:32 PM +0200 "Francisco
> Orozco/Upcnet"
>>> <***@upcnet.es> wrote:
>>>
>>>> Hello to all,
>>>>
>>>> I've been using FreeRadius for a year, but now I'd like to implement
>>>> RADIUS with LDAP authentication, I've test it and It works great.
>>>>
>>>> Now I'd like to protect radius - ldap server communication using TLS.
>>>> But I'm not able to do it.
>>>>
>>>> My LDAP server is Notes Domino and I've been able to configure it
>>>> correctly. I can connect to it using LDAP SSL/TLS, but I don't know
>>>> how to implement this in FreeRadius.
>>>>
>>>> I'm using freeradius-0.8.1 and this is my radiusd.conf
>>>>
>>>>
>>>>
>>>> Can you help me?
>>>>
>>>> When I try, I see this log:
>>>>
>>>> rad_recv: Access-Request packet from host 127.0.0.1:32792, id=101,
>>>> length=60
>>>> User-Name = "test"
>>>> User-Password = "1234567890"
>>>> NAS-IP-Address = 255.255.255.255
>>>> NAS-Port = 1
>>>> rad_lowerpair: User-Name now 'test'
>>>> rad_lowerpair: User-Password now '1234567890'
>>>> modcall: entering group authorize
>>>> rlm_ldap: - authorize
>>>> rlm_ldap: performing user authorization for test
>>>> radius_xlat: '(uid=test)'
>>>> radius_xlat: 'o=Prova'
>>>> ldap_get_conn: Got Id: 0
>>>> rlm_ldap: attempting LDAP reconnection
>>>> rlm_ldap: (re)connect to ldap.server.mycompany.es:636, authentication 0
>>>> rlm_ldap: setting TLS mode to 1
>>>> rlm_ldap: starting TLS
>>>> rlm_ldap: ldap_start_tls_s()
>>>> rlm_ldap: could not start TLS Protocol error
>>>> rlm_ldap: (re)connection attempt failed
>>>> rlm_ldap: search failed
>>>> ldap_release_conn: Release Id: 0
>>>> modcall[authorize]: module "ldap" returns fail
>>>> modcall: group authorize returns fail
>>>> There was no response configured: rejecting request 0
>>>> Server rejecting request 0.
>>>> Finished request 0
>>>> Going to the next request
>>>> --- Walking the entire request list ---
>>>> Waking up in 1 seconds...
>>>> --- Walking the entire request list ---
>>>> Waking up in 1 seconds...
>>>> --- Walking the entire request list ---
>>>> Sending Access-Reject of id 101 to 127.0.0.1:32792
>>>> Waking up in 4 seconds...
>>>> --- Walking the entire request list ---
>>>> Cleaning up request 0 ID 101 with timestamp 3ef0694c
>>>> Nothing to do. Sleeping until we see a request.
>>>>
>>>> ______________________________________
>>>> Paco Orozco (***@upcnet.es)
>>>> Divisió de Telecomunicacions
>>>> UPCNet
>>>> Edifici Vèrtex - Pl. Eusebi Güell, 6
>>>> Telèfon centraleta: 93.40.11600
>>>
>>>
>>>
>>> -
>>> List info/subscribe/unsubscribe? See
>>> http://www.freeradius.org/list/users.html
>>>
>>
>>
>>
>>
>
>
>
>





Francisco Orozco/Upcnet
2003-06-19 07:18:18 UTC
Hiya,

> When you built rlm_ldap, you needed some sort of LDAP library for
> it. Usually, this is OpenLDAP. If you used something else, I'm not
> sure what to tell you. In my case, I built FreeRadius and the rlm_ldap
> module at the same time. I don't know what you did. I didn't install
> a certificate on the RADIUS server. I used an existing LDAP server run
> by IT which has a self-signed certificate on it. I don't know how they
> installed the certificate, and that would depend on the LDAP server in use
> anyway. As to validation, I haven't been able to get them to validate
> because FreeRadius is rejecting the self-signed certificate from the LDAP
> server.

I've compiled FreeRadius and rlm_ldap without installing any LDAP package
(like OpenLDAP); I've only untarred FreeRadius, then ./configure, and make.
But I suppose that it has LDAP support, because I've been able to
authenticate users using LDAP.

On the RADIUS server I haven't installed any certificate, I don't know how. I've
configured my RADIUS server in order to use LDAP as authentication
database and I set "start_tls" and "tls_mode" to yes.

> I got the impression from your original email that you had the LDAP
> server already working with LDAPs. If that's not the case, you first
> need to get a working LDAPs server (LDAP over SSL). This is not something
> I can help you with.

Yes, I've got an LDAPs (LDAP over SSL) server working. But I'm not able to
contact it from RADIUS. If I try to contact the LDAPs server from Outlook
(for example) I need to install my CA certificate, to validate
authentication of LDAPs. Does RADIUS need something similar?

> Once that is done, getting RADIUS to be another client of that LDAPs
> server should simply be a matter of changing the port number in the
> radiusd.conf from what was working with the LDAP server.

I've done it, but I get an error "could not start TLS protocol". See my log.

Maybe I'm forgetting something. I've seen some TLS parameters in the EAP
section of radiusd.conf, but I haven't used them... Is that ok?

> >>>>
> >>>> rad_recv: Access-Request packet from host 127.0.0.1:32792, id=101,
> >>>> length=60
> >>>> User-Name = "test"
> >>>> User-Password = "1234567890"
> >>>> NAS-IP-Address = 255.255.255.255
> >>>> NAS-Port = 1
> >>>> rad_lowerpair: User-Name now 'test'
> >>>> rad_lowerpair: User-Password now '1234567890'
> >>>> modcall: entering group authorize
> >>>> rlm_ldap: - authorize
> >>>> rlm_ldap: performing user authorization for test
> >>>> radius_xlat: '(uid=test)'
> >>>> radius_xlat: 'o=Prova'
> >>>> ldap_get_conn: Got Id: 0
> >>>> rlm_ldap: attempting LDAP reconnection
> >>>> rlm_ldap: (re)connect to ldap.server.mycompany.es:636, authentication 0
> >>>> rlm_ldap: setting TLS mode to 1
> >>>> rlm_ldap: starting TLS
> >>>> rlm_ldap: ldap_start_tls_s()
> >>>> rlm_ldap: could not start TLS Protocol error
> >>>> rlm_ldap: (re)connection attempt failed
> >>>> rlm_ldap: search failed
> >>>> ldap_release_conn: Release Id: 0
> >>>> modcall[authorize]: module "ldap" returns fail
> >>>> modcall: group authorize returns fail
> >>>> There was no response configured: rejecting request 0
> >>>> Server rejecting request 0.
> >>>> Finished request 0
> >>>> Going to the next request
> >>>> --- Walking the entire request list ---
> >>>> Waking up in 1 seconds...
> >>>> --- Walking the entire request list ---
> >>>> Waking up in 1 seconds...
> >>>> --- Walking the entire request list ---
> >>>> Sending Access-Reject of id 101 to 127.0.0.1:32792
> >>>> Waking up in 4 seconds...
> >>>> --- Walking the entire request list ---
> >>>> Cleaning up request 0 ID 101 with timestamp 3ef0694c
> >>>> Nothing to do. Sleeping until we see a request.

______________________________________
Paco Orozco (***@upcnet.es)
Divisió de Telecomunicacions
UPCNet
Edifici Vèrtex - Pl. Eusebi Güell, 6
Telèfon centraleta: 93.40.11600


Owen DeLong
2003-06-19 15:31:55 UTC
I think there must have been some sort of LDAP library on the system
where you built FreeRadius.

I don't know about TLS. As I said, I was using SSL. I get a different
error, telling me that it doesn't like the self-signed certificate.

As to installing the CA certificate, that depends on the TLS/SSL library
you are using and how it was built.

Owen


--On Thursday, June 19, 2003 9:18 AM +0200 "Francisco Orozco/Upcnet"
<***@upcnet.es> wrote:

> Hiya,
>
>> When you built rlm_ldap, you needed some sort of LDAP library for
>> it. Usually, this is OpenLDAP. If you used something else, I'm not
>> sure what to tell you. In my case, I built FreeRadius and the rlm_ldap
>> module at the same time. I don't know what you did. I didn't install
>> a certificate on the RADIUS server. I used an existing LDAP server run
>> by IT which has a self-signed certificate on it. I don't know how they
>> installed the certificate, and that would depend on the LDAP server in use
>> anyway. As to validation, I haven't been able to get them to validate
>> because FreeRadius is rejecting the self-signed certificate from the LDAP
>> server.
>
> I've compiled FreeRadius and rlm_ldap without installing any LDAP
> package (like OpenLDAP); I've only untarred FreeRadius, then ./configure,
> and make. But I suppose that it has LDAP support, because I've been able
> to authenticate users using LDAP.
>
> On the RADIUS server I haven't installed any certificate, I don't know how.
> I've configured my RADIUS server in order to use LDAP as authentication
> database and I set "start_tls" and "tls_mode" to yes.
>
>> I got the impression from your original email that you had the LDAP
>> server already working with LDAPs. If that's not the case, you first
>> need to get a working LDAPs server (LDAP over SSL). This is not something
>> I can help you with.
>
> Yes, I've got an LDAPs (LDAP over SSL) server working. But I'm not able
> to contact it from RADIUS. If I try to contact the LDAPs server from
> Outlook (for example) I need to install my CA certificate, to validate
> authentication of LDAPs. Does RADIUS need something similar?
>
>> Once that is done, getting RADIUS to be another client of that LDAPs
>> server should simply be a matter of changing the port number in the
>> radiusd.conf from what was working with the LDAP server.
>
> I've done it, but I get an error "could not start TLS protocol". See my log.
>
> Maybe I'm forgetting something. I've seen some TLS parameters in the EAP
> section of radiusd.conf, but I haven't used them... Is that ok?
>
>> >>>>
>> >>>> rad_recv: Access-Request packet from host 127.0.0.1:32792, id=101,
>> >>>> length=60
>> >>>> User-Name = "test"
>> >>>> User-Password = "1234567890"
>> >>>> NAS-IP-Address = 255.255.255.255
>> >>>> NAS-Port = 1
>> >>>> rad_lowerpair: User-Name now 'test'
>> >>>> rad_lowerpair: User-Password now '1234567890'
>> >>>> modcall: entering group authorize
>> >>>> rlm_ldap: - authorize
>> >>>> rlm_ldap: performing user authorization for test
>> >>>> radius_xlat: '(uid=test)'
>> >>>> radius_xlat: 'o=Prova'
>> >>>> ldap_get_conn: Got Id: 0
>> >>>> rlm_ldap: attempting LDAP reconnection
>> >>>> rlm_ldap: (re)connect to ldap.server.mycompany.es:636, authentication 0
>> >>>> rlm_ldap: setting TLS mode to 1
>> >>>> rlm_ldap: starting TLS
>> >>>> rlm_ldap: ldap_start_tls_s()
>> >>>> rlm_ldap: could not start TLS Protocol error
>> >>>> rlm_ldap: (re)connection attempt failed
>> >>>> rlm_ldap: search failed
>> >>>> ldap_release_conn: Release Id: 0
>> >>>> modcall[authorize]: module "ldap" returns fail
>> >>>> modcall: group authorize returns fail
>> >>>> There was no response configured: rejecting request 0
>> >>>> Server rejecting request 0.
>> >>>> Finished request 0
>> >>>> Going to the next request
>> >>>> --- Walking the entire request list ---
>> >>>> Waking up in 1 seconds...
>> >>>> --- Walking the entire request list ---
>> >>>> Waking up in 1 seconds...
>> >>>> --- Walking the entire request list ---
>> >>>> Sending Access-Reject of id 101 to 127.0.0.1:32792
>> >>>> Waking up in 4 seconds...
>> >>>> --- Walking the entire request list ---
>> >>>> Cleaning up request 0 ID 101 with timestamp 3ef0694c
>> >>>> Nothing to do. Sleeping until we see a request.
>
> ______________________________________
> Paco Orozco (***@upcnet.es)
> Divisió de Telecomunicacions
> UPCNet
> Edifici Vèrtex - Pl. Eusebi Güell, 6
> Telèfon centraleta: 93.40.11600
>
>
>



Francisco Orozco/Upcnet
2003-06-20 06:55:56 UTC
Hiya,

I'm a bit confused. I'd like to use, as I mentioned, RADIUS + LDAP over
encrypted communications (TLS).

In order to use RADIUS + LDAP I've compiled FreeRadius, but I haven't
installed any OpenLDAP SDK. Then I've configured radiusd.conf as mentioned
in past messages.

I tried it and it works great. I can authenticate users via LDAP.

When I try to use TLS I've configured radiusd.conf parameters:
"stat_tls=yes" "tls_mode=yes" "port=636"

It's not working, see the log. "Protocol Error": it means that I need to
compile something.

I don't want to authenticate the LDAP server from RADIUS, so I don't need to
install OpenSSL and CA certificates. I only want to encrypt RADIUS - LDAP
communication, without ensuring the identity of either.

Please... can you put some light on my work????

> >> >>>>
> >> >>>> rad_recv: Access-Request packet from host 127.0.0.1:32792, id=101,
> >> >>>> length=60
> >> >>>> User-Name = "test"
> >> >>>> User-Password = "1234567890"
> >> >>>> NAS-IP-Address = 255.255.255.255
> >> >>>> NAS-Port = 1
> >> >>>> rad_lowerpair: User-Name now 'test'
> >> >>>> rad_lowerpair: User-Password now '1234567890'
> >> >>>> modcall: entering group authorize
> >> >>>> rlm_ldap: - authorize
> >> >>>> rlm_ldap: performing user authorization for test
> >> >>>> radius_xlat: '(uid=test)'
> >> >>>> radius_xlat: 'o=Prova'
> >> >>>> ldap_get_conn: Got Id: 0
> >> >>>> rlm_ldap: attempting LDAP reconnection
> >> >>>> rlm_ldap: (re)connect to ldap.server.mycompany.es:636, authentication 0
> >> >>>> rlm_ldap: setting TLS mode to 1
> >> >>>> rlm_ldap: starting TLS
> >> >>>> rlm_ldap: ldap_start_tls_s()
> >> >>>> rlm_ldap: could not start TLS Protocol error
> >> >>>> rlm_ldap: (re)connection attempt failed
> >> >>>> rlm_ldap: search failed
> >> >>>> ldap_release_conn: Release Id: 0
> >> >>>> modcall[authorize]: module "ldap" returns fail
> >> >>>> modcall: group authorize returns fail
> >> >>>> There was no response configured: rejecting request 0
> >> >>>> Server rejecting request 0.
> >> >>>> Finished request 0
> >> >>>> Going to the next request
> >> >>>> --- Walking the entire request list ---
> >> >>>> Waking up in 1 seconds...
> >> >>>> --- Walking the entire request list ---
> >> >>>> Waking up in 1 seconds...
> >> >>>> --- Walking the entire request list ---
> >> >>>> Sending Access-Reject of id 101 to 127.0.0.1:32792
> >> >>>> Waking up in 4 seconds...
> >> >>>> --- Walking the entire request list ---
> >> >>>> Cleaning up request 0 ID 101 with timestamp 3ef0694c
> >> >>>> Nothing to do. Sleeping until we see a request.

______________________________________
Paco Orozco (***@upcnet.es)
Divisió de Telecomunicacions
UPCNet
Edifici Vèrtex - Pl. Eusebi Güell, 6
Telèfon centraleta: 93.40.11600


Kostas Kalevras
2003-06-20 10:12:01 UTC
On Fri, 20 Jun 2003, Francisco Orozco/Upcnet wrote:

> Hiya,
>
> I'm a bit confused. I'd like to use, as I mentioned, RADIUS + LDAP over
> encrypted communications (TLS).
>
> In order to use RADIUS + LDAP I've compiled FreeRadius, but I haven't
> installed any OpenLDAP SDK. Then I've configured radiusd.conf as mentioned
> in past messages.
>
> I tried it and it works great. I can authenticate users via LDAP.
>
> When I try to use TLS I've configured radiusd.conf parameters:
> "stat_tls=yes" "tls_mode=yes" "port=636"

StartTLS is an extended operation for starting TLS while connecting to the
normal ldap port (389). I would suggest
start_tls=yes,tls_mode=no and port=389

I think that the tls_mode directive should go away completely and start_tls only
be allowed if we don't use the ldaps port. But I am not sure that the above is
correct.

>
> It's not working, see the log. "Protocol Error": it means that I need to
> compile something.
>
> I don't want to authenticate the LDAP server from RADIUS, so I don't need to
> install OpenSSL and CA certificates. I only want to encrypt RADIUS - LDAP
> communication, without ensuring the identity of either.
>
> Please... can you put some light on my work????
>
> > >> >>>>
> > >> >>>> rad_recv: Access-Request packet from host 127.0.0.1:32792, id=101,
> > >> >>>> length=60
> > >> >>>> User-Name = "test"
> > >> >>>> User-Password = "1234567890"
> > >> >>>> NAS-IP-Address = 255.255.255.255
> > >> >>>> NAS-Port = 1
> > >> >>>> rad_lowerpair: User-Name now 'test'
> > >> >>>> rad_lowerpair: User-Password now '1234567890'
> > >> >>>> modcall: entering group authorize
> > >> >>>> rlm_ldap: - authorize
> > >> >>>> rlm_ldap: performing user authorization for test
> > >> >>>> radius_xlat: '(uid=test)'
> > >> >>>> radius_xlat: 'o=Prova'
> > >> >>>> ldap_get_conn: Got Id: 0
> > >> >>>> rlm_ldap: attempting LDAP reconnection
> > >> >>>> rlm_ldap: (re)connect to ldap.server.mycompany.es:636, authentication 0
> > >> >>>> rlm_ldap: setting TLS mode to 1
> > >> >>>> rlm_ldap: starting TLS
> > >> >>>> rlm_ldap: ldap_start_tls_s()
> > >> >>>> rlm_ldap: could not start TLS Protocol error
> > >> >>>> rlm_ldap: (re)connection attempt failed
> > >> >>>> rlm_ldap: search failed
> > >> >>>> ldap_release_conn: Release Id: 0
> > >> >>>> modcall[authorize]: module "ldap" returns fail
> > >> >>>> modcall: group authorize returns fail
> > >> >>>> There was no response configured: rejecting request 0
> > >> >>>> Server rejecting request 0.
> > >> >>>> Finished request 0
> > >> >>>> Going to the next request
> > >> >>>> --- Walking the entire request list ---
> > >> >>>> Waking up in 1 seconds...
> > >> >>>> --- Walking the entire request list ---
> > >> >>>> Waking up in 1 seconds...
> > >> >>>> --- Walking the entire request list ---
> > >> >>>> Sending Access-Reject of id 101 to 127.0.0.1:32792
> > >> >>>> Waking up in 4 seconds...
> > >> >>>> --- Walking the entire request list ---
> > >> >>>> Cleaning up request 0 ID 101 with timestamp 3ef0694c
> > >> >>>> Nothing to do. Sleeping until we see a request.
>
> ______________________________________
> Paco Orozco (***@upcnet.es)
> Divisió de Telecomunicacions
> UPCNet
> Edifici Vèrtex - Pl. Eusebi Güell, 6
> Telèfon centraleta: 93.40.11600
>
>
>

--
Kostas Kalevras Network Operations Center
***@noc.ntua.gr National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

Francisco Orozco/Upcnet
2003-06-20 11:43:55 UTC
Hiya,

> StartTLS is an extended operation for starting TLS while connecting to the
> normal ldap port (389). I would suggest
> start_tls=yes,tls_mode=no and port=389
>
> I think that the tls_mode directive should go away completely and start_tls
> only be allowed if we don't use the ldaps port. But I am not sure that the
> above is correct.

Is it necessary to install OpenSSL or other software in order to use TLS with
RADIUS?

This is my big doubt!!!!

______________________________________
Paco Orozco (***@upcnet.es)
Divisió de Telecomunicacions
UPCNet
Edifici Vèrtex - Pl. Eusebi Güell, 6
Telèfon centraleta: 93.40.11600

Kostas Kalevras
2003-06-20 12:54:27 UTC
On Fri, 20 Jun 2003, Francisco Orozco/Upcnet wrote:

> Hiya,
>
> > StartTLS is an extended operation for starting TLS while connecting to the
> > normal ldap port (389). I would suggest
> > start_tls=yes,tls_mode=no and port=389
> >
> > I think that the tls_mode directive should go away completely and start_tls
> > only be allowed if we don't use the ldaps port. But I am not sure that the
> > above is correct.
>
> Is it necessary to install OpenSSL or other software in order to use TLS with
> RADIUS?

Yes, you must install OpenSSL for TLS to even be available at compile time.

>
> This is my big doubt!!!!
>
> ______________________________________
> Paco Orozco (***@upcnet.es)
> Divisió de Telecomunicacions
> UPCNet
> Edifici Vèrtex - Pl. Eusebi Güell, 6
> Telèfon centraleta: 93.40.11600
>
>

--
Kostas Kalevras Network Operations Center
***@noc.ntua.gr National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

Owen DeLong
2003-06-23 05:28:15 UTC
> Hiya,
>
> I'm a bit confused. I'd like to use, as I mentioned, RADIUS + LDAP over
> encrypted communications (TLS).
>
> In order to use RADIUS + LDAP I've compiled FreeRadius, but I haven't
> installed any OpenLDAP SDK. Then I've configured radiusd.conf as mentioned
> in past messages.
>
> I tried it and it works great. I can authenticate users via LDAP.
>
This is a surprise. Where did rlm_ldap get its LDAP libraries
if you don't have OpenLDAP installed?

> When I try to use TLS I've configured radiusd.conf parameters:
> "stat_tls=yes" "tls_mode=yes" "port=636"
>
This is because you are confusing TLS and SSL. Port 636 is for SSL.
TLS is different. It works over the regular 389 port. Not all LDAP
servers support either one. If your LDAP server supports one or the
other (few support both), you need to figure out which one. If
it's TLS, you want:

"start_tls=yes" "tls_mode=yes" "port=389"

If it's SSL, you want:
"start_tls=no" "tls_mode=no" "port=636"


> It's not working, see the log. "Protocol Error": it means that I need to
> compile something.
>
That may also be necessary, but, Protocol Error alone doesn't necessarily
mean that.

> I don't want to authenticate the LDAP server from RADIUS, so I don't need to
> install OpenSSL and CA certificates. I only want to encrypt RADIUS - LDAP
> communication, without ensuring the identity of either.
>
Right... You need to decide whether you want SSL or TLS, then configure
accordingly.

> Please... can you put some light on my work????
>
Hope this helps.

Owen


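A small linter for the rlm_ldap settings discussed in this thread, as an added example that is neither the list members' code nor FreeRADIUS's own: it parses a constructed radiusd.conf ldap block and applies the advice from Kostas's and Owen's replies (StartTLS belongs on port 389, LDAPS on 636 with start_tls=no), flagging the start_tls=yes/port=636 combination behind the "could not start TLS Protocol error" in the log. The `library-tls` classification for tls_mode=yes on its own is an assumption of the example, not something the thread states.

```python
"""Lint the TLS settings of a FreeRADIUS rlm_ldap block (added example).

Not code from the thread or from FreeRADIUS. It encodes the advice given
in the thread: StartTLS is an extended operation sent on the plain LDAP
port (389), so start_tls=yes cannot be combined with the LDAPS port (636);
LDAPS is used with start_tls=no and port=636. The fragment is constructed.
"""
import re

LDAP_PORT = 389    # plain LDAP; StartTLS upgrades this connection in-band
LDAPS_PORT = 636   # LDAP over SSL: TLS handshake before any LDAP message

# Constructed fragment reproducing the combination that failed in the thread.
SAMPLE_CONF = """
modules {
    ldap {
        server = "ldap.server.mycompany.es"
        port = 636
        basedn = "o=Prova"
        filter = "(uid=%{User-Name})"
        start_tls = yes
        tls_mode = yes
    }
}
"""


def parse_ldap_block(text):
    """Return the key/value pairs of the first ldap { ... } block as strings."""
    match = re.search(r'\bldap\s*\{(.*?)\n\s*\}', text, re.S)
    if not match:
        raise ValueError("no ldap { } block found")
    settings = {}
    for line in match.group(1).splitlines():
        line = line.split('#', 1)[0].strip()      # drop comments
        if '=' not in line:
            continue
        key, value = (part.strip() for part in line.split('=', 1))
        settings[key] = value.strip('"')
    return settings


def is_yes(value):
    return str(value).strip().lower() in ('yes', 'on', 'true', '1')


def lint_tls(settings):
    """Classify the transport and list findings; [] means consistent."""
    port = int(settings.get('port', LDAP_PORT))
    start_tls = is_yes(settings.get('start_tls', 'no'))
    tls_mode = is_yes(settings.get('tls_mode', 'no'))
    findings = []
    if start_tls and port == LDAPS_PORT:
        # The thread's failure: ldap_start_tls_s() on a port that expects a
        # TLS handshake first is answered with 'Protocol error'.
        mode = 'inconsistent'
        findings.append("start_tls=yes with port=636: use port=389 for "
                        "StartTLS, or start_tls=no to speak LDAPS on 636")
    elif start_tls:
        mode = 'starttls'
    elif port == LDAPS_PORT:
        mode = 'ldaps'
    elif tls_mode:
        mode = 'library-tls'   # assumption: not covered by the thread's advice
        findings.append("tls_mode=yes alone: prefer explicit StartTLS on 389 "
                        "or LDAPS on 636")
    else:
        mode = 'cleartext'
        findings.append("no TLS configured: bind credentials and lookups "
                        "cross the network unencrypted")
    if start_tls and tls_mode:
        # Kostas's suggestion in the thread: start_tls=yes, tls_mode=no.
        findings.append("tls_mode=yes together with start_tls=yes: the "
                        "thread's advice is tls_mode=no")
    return mode, findings


if __name__ == '__main__':
    mode, findings = lint_tls(parse_ldap_block(SAMPLE_CONF))
    print(mode)
    for finding in findings:
        print(' -', finding)
```

Whichever mode passes the lint, the link is only encrypted; as Owen's self-signed certificate problem shows, the LDAP server's identity is checked only when the LDAP library has a CA certificate to validate against.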