吴海峰
2004-11-18 08:34:28 UTC
Hi, all
I want FreeRADIUS to connect to OpenLDAP via TLS, but no luck.
My configuration file settings related to TLS are as follows:
start_tls = yes
tls_cacertfile = /usr/local/freeradius/etc/raddb/radius-ssl-ldap/cacert.pem
tls_certfile= usr/local/freeradius/etc/raddb/radius-ssl-ldap/radius.crt
tls_keyfile=/usr/local/freeradius/etc/raddb/radius-ssl-ldap/radius.key
tls_require_cert = "never"
tls_mode = yes
tls_randfile= /dev/urandom
ldap_debug = 9
and when I use radiusd -X, it shows:
rad_recv: Access-Request packet from host 192.168.80.1:1812, id=31, length=135
NAS-IP-Address = 192.168.80.1
NAS-Port = 50009
NAS-Port-Type = Ethernet
User-Name = "ISP-1\\test"
Called-Station-Id = "00-0D-ED-11-89-C9"
Calling-Station-Id = "00-50-BA-7B-BE-8F"
Service-Type = Framed-User
Framed-MTU = 1500
EAP-Message = 0x0200000f014953502d315c68667775
Message-Authenticator = 0xf418f027e10d9fff416739014a16f27f
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
radius_xlat: '/usr/local/freeradius/var/log/radius/radacct/192.168.80.1/auth-detail-20041118'
rlm_detail: /usr/local/freeradius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/freeradius/var/log/radius/radacct/192.168.80.1/auth-detail-20041118
modcall[authorize]: module "auth_log" returns ok for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: Looking up realm "ISP-1" for User-Name = "ISP-1\test"
rlm_realm: Found realm "isp-1"
rlm_realm: Adding Stripped-User-Name = "test"
rlm_realm: Proxying request from user test to realm isp-1
rlm_realm: Adding Realm = "isp-1"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "isp-1" returns noop for request 1
rlm_realm: Request already proxied. Ignoring.
modcall[authorize]: module "isp-2" returns noop for request 1
rlm_eap: EAP packet type response id 0 length 15
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
users: Matched DEFAULT at 159
users: Matched DEFAULT at 178
modcall[authorize]: module "files" returns ok for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for test
radius_xlat: '(uid=test)'
radius_xlat: 'dc=mydc'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to x.x.x.x:389, authentication 0
ldap_create
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /usr/local/freeradius/etc/raddb/radius-ssl-ldap/cacert.pem
rlm_ldap: setting TLS Require Cert to never
rlm_ldap: setting TLS Cert File to usr/local/freeradius/etc/raddb/radius-ssl-ldap/radiusservercert.pem
rlm_ldap: setting TLS Key File to /usr/local/freeradius/etc/raddb/radius-ssl-ldap/radiusservercertkey.pem
rlm_ldap: setting TLS Key File to /dev/urandom
rlm_ldap: starting TLS
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP 202.119.24.37:389
ldap_new_socket: 9
ldap_prepare_socket: 9
ldap_connect_to_host: Trying 202.119.24.37:389
ldap_connect_timeout: fd: 9 tm: 1 async: 0
ldap_ndelay_on: 9
ldap_is_sock_ready: 9
ldap_ndelay_off: 9
ldap_int_sasl_open: host=hostexample.com
TLS: could not use certificate `usr/local/freeradius/etc/raddb/radius-ssl-ldap/radiusservercert.pem'.
TLS: error:02001002:system library:fopen:No such file or directory bss_file.c:276
TLS: error:20074002:BIO routines:FILE_CTRL:system lib bss_file.c:278
TLS: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib ssl_rsa.c:515
rlm_ldap: ldap_start_tls_s()
ldap_err2string
rlm_ldap: could not start TLS Can't contact LDAP server
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns fail for request 1
modcall: group authorize returns fail for request 1
Finished request 1
And when I use the openssl tool to test the certificate, it succeeds.
# /usr/local/ssl/bin/openssl s_client -connect x.x.x.x:636 -showcerts -state -CAfile ./radius-ssl-ldap/cacert.pem
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=CN/ST=Jiangsu/L=Nanjing/O=Southeast University/OU=Directory Service/CN=Directory Service Root Certificate Authority/emailAddress=***@seu.edu.cn
verify return:1
depth=0 /C=CN/ST=Jiangsu/L=Nanjing/O=Southeast University/OU=Directory Service/CN=202.119.24.37
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
...................
Server certificate
subject=/C=CN/ST=Jiangsu/L=Nanjing/O=Southeast University/OU=Directory Service/CN=202.119.24.37
issuer=/C=CN/ST=Jiangsu/L=Nanjing/O=Southeast University/OU=Directory Service/CN=Directory Service Root Certificate Authority/emailAddress=***@seu.edu.cn
---
No client certificate CA names sent
---
SSL handshake has read 2322 bytes and written 346 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: C8FDBB1D1B0BFEF56E7968A0515FB50A7404D75DE92AADE0367874ADB83D4EA8
Session-ID-ctx:
Master-Key: 186BC7766D9CB9B95EBB9FEFFEB17CFC0F451172FEC23E3962F8911012C3B9C7D5C466D0482E1EC78A25E91FC0699051
Key-Arg : None
Start Time: 1100738585
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
Can anyone tell me what to do now?
Regards!
***@seu.edu.cn
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
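A reading of the debug output above, plus a pre-flight check for it, as an added example that is not part of the original post and not FreeRADIUS tooling. The error chain is SSL_CTX_use_certificate_file -> fopen: No such file or directory on `usr/local/freeradius/etc/raddb/radius-ssl-ldap/radiusservercert.pem': the value has no leading "/", so libldap resolves it relative to radiusd's working directory rather than raddb. The openssl s_client test on port 636 cannot catch this: it only shows that the server certificate chains to cacert.pem (Verify return code: 0), it never loads the client certificate that rlm_ldap is failing on. Note also that the pasted config names radius.crt while the debug log names radiusservercert.pem, so the two come from different config files; check the one radiusd actually reads. The script below assumes a plain "key = value" ldap block like the one pasted (the sample is constructed to mirror it) and flags relative tls_* paths, unreadable files, and tls_require_cert = "never", which disables verification of the LDAP server's certificate.

```shell
#!/bin/sh
# Added example, not from the original post or from FreeRADIUS.
# Lint the tls_* settings of an rlm_ldap block before starting radiusd.
# Assumptions: the block is a plain "key = value" file; only the keys
# that appear in the post are inspected.

# Constructed sample reproducing the post's settings, including the
# missing leading "/" on tls_certfile.
SAMPLE_CONF="${TMPDIR:-/tmp}/rlm_ldap_tls_sample.$$"
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
ldap {
	server = "x.x.x.x"
	start_tls = yes
	tls_cacertfile = /usr/local/freeradius/etc/raddb/radius-ssl-ldap/cacert.pem
	tls_certfile= usr/local/freeradius/etc/raddb/radius-ssl-ldap/radius.crt
	tls_keyfile=/usr/local/freeradius/etc/raddb/radius-ssl-ldap/radius.key
	tls_require_cert = "never"
	tls_mode = yes
	tls_randfile= /dev/urandom
}
EOF

# conf_value FILE KEY: print KEY's value with surrounding quotes removed
# (empty if absent). Accepts "key=value" and "key = value".
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n 1 | tr -d '"' | sed 's/[[:space:]]*$//'
}

# lint_tls FILE: one finding per line. Always returns 0 (safe under set -e).
lint_tls() {
    for key in tls_cacertfile tls_certfile tls_keyfile tls_randfile; do
        val=$(conf_value "$1" "$key")
        [ -z "$val" ] && continue
        case "$val" in
            /*) ;;   # absolute path: what libldap's fopen() expects
            *)  printf '%s: relative path "%s" is resolved against the daemon cwd, not raddb\n' \
                    "$key" "$val" ;;
        esac
    done
    req=$(conf_value "$1" tls_require_cert)
    case "$req" in
        never|allow)
            printf 'tls_require_cert: "%s" skips verification of the LDAP server certificate (MITM risk); use "demand" once the CA file works\n' \
                "$req" ;;
    esac
    return 0
}

# missing_tls_files FILE: print each configured certificate/key path that
# radiusd could not open. Always returns 0.
missing_tls_files() {
    for key in tls_cacertfile tls_certfile tls_keyfile; do
        val=$(conf_value "$1" "$key")
        [ -n "$val" ] && [ ! -r "$val" ] && printf '%s: cannot read %s\n' "$key" "$val"
    done
    return 0
}

lint_tls "$SAMPLE_CONF"
missing_tls_files "$SAMPLE_CONF"
```

Run it against the real radiusd.conf (or the file the ldap block is included from) as the user radiusd runs as, so the readability check also catches permission problems on the key file. The fix for the error in the log is the leading slash: tls_certfile = /usr/local/freeradius/etc/raddb/radius-ssl-ldap/radius.crt. Once the handshake works, change tls_require_cert from "never" to "demand": the s_client run already shows cacert.pem validates the server, so there is no reason to leave the server certificate unchecked.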