Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 11:46 am

All times are UTC + 1 hour




Post new topic Reply to topic  [ 5 posts ] 
Author Message
PostPosted: Sat Nov 12, 2011 8:28 am 
Offline

Joined: Sat Nov 12, 2011 8:15 am
Posts: 2
I'm unable to get YubiRADIUS to authenticate to an LDAP server over SSL. The certificate is self-signed. I've tried placing CA/Server certs in /etc/ssl/certs.

I can connect to the LDAPS server using JXplorer (with a certificate warning).

Everything works using plain LDAP.

My guess is the BACKEND_ERROR in auth.log indicates an SSL connection issue. Any ideas?

Obfuscated error messages/logs below...

Users Import
LDAP Server Address: 172.16.X.X
LDAP Version: 3
Base DN: dc=example,dc=com
User DN: cn=admin,dc=example,dc=com
Password: PASSWORD
Filter: (objectClass=person)
Login Name Identifier: uid

----

When LDAP (389) is configured under Users Import:

RadTest Response:

Sending Access-Request of id 47 to 127.0.0.1 port 1812
User-Name = "ldap_user"
User-Password = "PASSWORDcccccccjeuhvgtrrfufuflnjbnnbgcukhtcevlvincee"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=47, length=20

/var/log/auth.log

Nov 12 12:13:48 yrva31 pam_yubiserver.py[2263]: Validation result for user ldap_user : OK

=======

When LDAPS (636) is configured under Users Import:
----
RadTest Response:

Sending Access-Request of id 128 to 127.0.0.1 port 1812
User-Name = "ldap_user"
User-Password = "PASSWORDcccccccjeuhvublehbvbkrjverbtriftddngbufivjnb"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=128, length=20
----
/var/log/auth.log

Nov 12 11:56:26 yrva31 pam_yubiserver.py[2263]: Validation result for user ldap_user : BACKEND_ERROR

----


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Mon Nov 21, 2011 3:39 am 
Offline

Joined: Sat Nov 12, 2011 8:15 am
Posts: 2
Some additional information...

Under Users Import -> User Import Configuration Management

If YubiRADIUS is configured to use a secure connection it is possible to import users, but Radtest and external radius authentication fail until the setting is reverted to an unsecured connection.

To validate that user import was actually occurring over LDAPS, I disabled plain LDAP on the external LDAP server and validated that only LDAPS was running. It is still possible to import users. Radtest and external radius authentication continue to fail. Re-enabling LDAP on the external server and setting YubiRADIUS to not use secure authentication allow Radtest and external radius authentication to succeed.

So, I guess I should rephrase my question: Has anyone used YubiRADIUS to successfully authenticate against an external LDAPS server? If so, would you mind sharing what steps were required?


Top
 Profile  
Reply with quote  
PostPosted: Thu Mar 22, 2012 4:06 am 
Offline

Joined: Thu Mar 22, 2012 4:02 am
Posts: 1
Hi

For all these self-signing issues I usually fall back to stunnel.

The following configuration (/etc/stunnel/stunnel.conf typically on Linux) will enable you to have your LDAP client connect to localhost on 389 and stunnel will take care of the LDAPS trunking to your desintation. Check "http://www.stunnel.org/?page=howto" at http://www.stunnel.org/?page=howto for how to turn on SSL cert validation if you need it.

Code:
client = yes

[ldap]
accept = 127.0.0.1:389
connect = target.ldaps.server.com:636


JC


Top
 Profile  
Reply with quote  
PostPosted: Thu Apr 19, 2012 12:46 pm 
Offline

Joined: Wed Apr 04, 2012 2:12 pm
Posts: 6
Hi,
I seem to have a simillar problem. Did you manage to solve it?


Top
 Profile  
Reply with quote  
PostPosted: Mon Apr 23, 2012 2:14 pm 
Offline

Joined: Wed Apr 04, 2012 2:12 pm
Posts: 6
So it turned out it was a problem with gnuTLS i debian with self-sgined certs.
Bug desc. here:https://bugs.launchpad.net/ubuntu/+source/gnutls13/+bug/397636

What I did was to disable certificate check in /etc/ldap.conf option TLS_REQCERT


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 5 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
cron
Powered by phpBB® Forum Software © phpBB Group