Yubico Forum https://forum.yubico.com/

YubiRADIUS LDAPS failures https://forum.yubico.com/viewtopic.php?f=5&t=724
Author: wirefall [ Sat Nov 12, 2011 8:28 am ]
Post subject: YubiRADIUS LDAPS failures
I'm unable to get YubiRADIUS to authenticate to an LDAP server over SSL. The certificate is self-signed. I've tried placing CA/Server certs in /etc/ssl/certs. I can connect to the LDAPS server using JXplorer (with a certificate warning). Everything works using plain LDAP. My guess is the BACKEND_ERROR in auth.log indicates an SSL connection issue. Any ideas?

Obfuscated error messages/logs below...

Users Import
LDAP Server Address: 172.16.X.X
LDAP Version: 3
Base DN: dc=example,dc=com
User DN: cn=admin,dc=example,dc=com
Password: PASSWORD
Filter: (objectClass=person)
Login Name Identifier: uid

----
When LDAP (389) is configured under Users Import:

RadTest Response:
Sending Access-Request of id 47 to 127.0.0.1 port 1812
	User-Name = "ldap_user"
	User-Password = "PASSWORDcccccccjeuhvgtrrfufuflnjbnnbgcukhtcevlvincee"
	NAS-IP-Address = 127.0.1.1
	NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=47, length=20

/var/log/auth.log
Nov 12 12:13:48 yrva31 pam_yubiserver.py[2263]: Validation result for user ldap_user : OK

=======
When LDAPS (636) is configured under Users Import:
----
RadTest Response:
Sending Access-Request of id 128 to 127.0.0.1 port 1812
	User-Name = "ldap_user"
	User-Password = "PASSWORDcccccccjeuhvublehbvbkrjverbtriftddngbufivjnb"
	NAS-IP-Address = 127.0.1.1
	NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=128, length=20
----
/var/log/auth.log
Nov 12 11:56:26 yrva31 pam_yubiserver.py[2263]: Validation result for user ldap_user : BACKEND_ERROR
----
Author: wirefall [ Mon Nov 21, 2011 3:39 am ]
Post subject: Re: YubiRADIUS LDAPS failures
Some additional information...

Under Users Import -> User Import Configuration Management: if YubiRADIUS is configured to use a secure connection it is possible to import users, but Radtest and external radius authentication fail until the setting is reverted to an unsecured connection.

To validate that user import was actually occurring over LDAPS, I disabled plain LDAP on the external LDAP server and validated that only LDAPS was running. It is still possible to import users. Radtest and external radius authentication continue to fail. Re-enabling LDAP on the external server and setting YubiRADIUS to not use secure authentication allow Radtest and external radius authentication to succeed.

So, I guess I should rephrase my question: has anyone used YubiRADIUS to successfully authenticate against an external LDAPS server? If so, would you mind sharing what steps were required?
Author: schmoel [ Thu Mar 22, 2012 4:06 am ]
Post subject: Re: YubiRADIUS LDAPS failures
Hi,

For all these self-signing issues I usually fall back to stunnel. The following configuration (/etc/stunnel/stunnel.conf typically on Linux) will enable you to have your LDAP client connect to localhost on 389 and stunnel will take care of the LDAPS trunking to your destination. Check http://www.stunnel.org/?page=howto for how to turn on SSL cert validation if you need it.

Code:
client = yes

[ldap]
accept = 127.0.0.1:389
connect = target.ldaps.server.com:636

JC
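As an added example that is not part of the post above, the same stunnel client tunnel with certificate validation switched on, so the tunnel refuses to forward to a destination that does not present a certificate contained in the configured CA file (for a self-signed server certificate, that file holds the server certificate itself); the host name and file paths are assumptions:

```ini
; /etc/stunnel/stunnel.conf (constructed example; host name and paths are assumptions)
; Global options: act as a TLS client, run as a daemon, log to a file.
client     = yes
foreground = no
output     = /var/log/stunnel.log
; Raise for troubleshooting handshake failures (7 = debug); 5 is the default.
debug      = 5

[ldap]
; Plain LDAP from the local client (YubiRADIUS) arrives here...
accept  = 127.0.0.1:389
; ...and is forwarded over TLS to the real LDAPS server.
connect = target.ldaps.server.com:636

; verify = 2 requires the peer to present a certificate and checks it
; against CAfile; the tunnel is dropped on a mismatch, so the RADIUS
; side sees a backend failure instead of a silently unverified session.
verify  = 2
; For a self-signed server certificate, export that certificate in PEM
; form and reference it here; for a private CA, reference the CA cert.
CAfile  = /etc/stunnel/ldap-server-ca.pem

; On stunnel 5.06 or newer, additionally pin the expected subject name
; so a different certificate issued by the same CA is also rejected:
; checkHost = target.ldaps.server.com
```

After changing the file, confirm with `openssl s_client -connect 127.0.0.1:389` that the local port speaks plain LDAP (no TLS handshake) and check /var/log/stunnel.log for "verify" errors if the backend still fails.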
Author: bjankowski [ Thu Apr 19, 2012 12:46 pm ]
Post subject: Re: YubiRADIUS LDAPS failures
Hi, I seem to have a similar problem. Did you manage to solve it?
Author: bjankowski [ Mon Apr 23, 2012 2:14 pm ]
Post subject: Re: YubiRADIUS LDAPS failures
So it turned out it was a problem with gnuTLS in Debian with self-signed certs. Bug desc. here: https://bugs.launchpad.net/ubuntu/+source/gnutls13/+bug/397636

What I did was to disable the certificate check in /etc/ldap.conf (option TLS_REQCERT).