Yubico Forum

Re: YubiRADIUS LDAPS failures

2012-04-23T14:14:33+01:00

So it turned out it was a problem with gnuTLS i debian with self-sgined certs.
Bug desc. here:https://bugs.launchpad.net/ubuntu/+source/gnutls13/+bug/397636

What I did was to disable certificate check in /etc/ldap.conf option TLS_REQCERT

Statistics: Posted by bjankowski — Mon Apr 23, 2012 2:14 pm

Re: YubiRADIUS LDAPS failures

2012-04-19T12:46:08+01:00

Hi,
I seem to have a simillar problem. Did you manage to solve it?

Statistics: Posted by bjankowski — Thu Apr 19, 2012 12:46 pm

Re: YubiRADIUS LDAPS failures

2012-03-22T04:06:02+01:00

Hi

For all these self-signing issues I usually fall back to stunnel.

The following configuration (/etc/stunnel/stunnel.conf typically on Linux) will enable you to have your LDAP client connect to localhost on 389 and stunnel will take care of the LDAPS trunking to your desintation. Check "http://www.stunnel.org/?page=howto" at http://www.stunnel.org/?page=howto for how to turn on SSL cert validation if you need it.

Code:

client = yes

[ldap]
accept = 127.0.0.1:389
connect = target.ldaps.server.com:636

Statistics: Posted by schmoel — Thu Mar 22, 2012 4:06 am

Re: YubiRADIUS LDAPS failures

2011-11-21T03:39:19+01:00

Some additional information...

Under Users Import -> User Import Configuration Management

If YubiRADIUS is configured to use a secure connection it is possible to import users, but Radtest and external radius authentication fail until the setting is reverted to an unsecured connection.

To validate that user import was actually occurring over LDAPS, I disabled plain LDAP on the external LDAP server and validated that only LDAPS was running. It is still possible to import users. Radtest and external radius authentication continue to fail. Re-enabling LDAP on the external server and setting YubiRADIUS to not use secure authentication allow Radtest and external radius authentication to succeed.

So, I guess I should rephrase my question: Has anyone used YubiRADIUS to successfully authenticate against an external LDAPS server? If so, would you mind sharing what steps were required?

Statistics: Posted by wirefall — Mon Nov 21, 2011 3:39 am

YubiRADIUS LDAPS failures

2011-11-12T08:28:10+01:00

I'm unable to get YubiRADIUS to authenticate to an LDAP server over SSL. The certificate is self-signed. I've tried placing CA/Server certs in /etc/ssl/certs.

I can connect to the LDAPS server using JXplorer (with a certificate warning).

Everything works using plain LDAP.

My guess is the BACKEND_ERROR in auth.log indicates an SSL connection issue. Any ideas?

Obfuscated error messages/logs below...

Users Import
LDAP Server Address: 172.16.X.X
LDAP Version: 3
Base DN: dc=example,dc=com
User DN: cn=admin,dc=example,dc=com
Password: PASSWORD
Filter: (objectClass=person)
Login Name Identifier: uid

----

When LDAP (389) is configured under Users Import:

RadTest Response:

Sending Access-Request of id 47 to 127.0.0.1 port 1812
User-Name = "ldap_user"
User-Password = "PASSWORDcccccccjeuhvgtrrfufuflnjbnnbgcukhtcevlvincee"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=47, length=20

/var/log/auth.log

Nov 12 12:13:48 yrva31 pam_yubiserver.py[2263]: Validation result for user ldap_user : OK

=======

When LDAPS (636) is configured under Users Import:
----
RadTest Response:

Sending Access-Request of id 128 to 127.0.0.1 port 1812
User-Name = "ldap_user"
User-Password = "PASSWORDcccccccjeuhvublehbvbkrjverbtriftddngbufivjnb"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=128, length=20
----
/var/log/auth.log

Nov 12 11:56:26 yrva31 pam_yubiserver.py[2263]: Validation result for user ldap_user : BACKEND_ERROR

----

Statistics: Posted by wirefall — Sat Nov 12, 2011 8:28 am