
LDAP Module: problem with starttls #481

Closed
kokel opened this issue Nov 29, 2013 · 3 comments

Comments

@kokel
Contributor

kokel commented Nov 29, 2013

FR3: starttls problem with ldap module

Environment:

Machine1:

  • LDAP Master Server (OpenLDAP)

Machine2:

  • OpenLDAP configured for syncrepl (read-only)
  • FreeRADIUS 3.0.1 (git #afecb13)
  • ldap module configured for connecting to local ldap server

Machine3:

  • OpenLDAP configured for syncrepl (read-only)
  • FreeRADIUS 2.1.12 (from official centos repo)
  • ldap module configured for connecting to local ldap server

The OpenLDAP servers on all machines use certificates issued by the same CA (used for syncrepl over TLS). The same CA certificate file is used for certificate verification.

Problem description:

On Machine2, FR3 can't connect to the LDAP server via STARTTLS. The TLS handshake fails with the error message "Unknown CA (48)".

But the TLS handshake succeeds for OpenLDAP's own syncrepl operations, for the LDAP client utilities, and for the ldap module connection of the FreeRADIUS 2.1.12 server on Machine3.

I have configured the FR ldap module on Machine3 to connect to the LDAP server on Machine2, and this succeeds as well. This leads me to assume that my certificates are set up properly and that the problem might be related to the ldap module of FR3.

Please let me know if more information is needed. I have created one packet trace which shows the error mentioned above, as well as one packet trace with a successful connect from FR2 on Machine3 to OpenLDAP on Machine2. I would prefer to send these privately to you, if needed; GitHub only allows images.

Kind regards,
Tobias Hachmer
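As an added illustration (not part of the original report or of FreeRADIUS), the Python below decodes a plaintext TLS Alert record such as the "Unknown CA (48)" alert mentioned above, the way one would when reading the packet trace. An alert is sent by the side that rejected the handshake, so the record tells you whose trust store failed to chain the peer's certificate, which is the side whose CA configuration needs checking. The record bytes and the triage hints are constructed for this example.

```python
"""Decode a plaintext TLS Alert record (RFC 5246 section 7.2) for handshake triage."""
import struct
from typing import NamedTuple

# Alert descriptions from RFC 5246; the subset relevant to certificate problems
# is what matters when a STARTTLS handshake fails after the Certificate message.
ALERT_DESCRIPTIONS = {
    0: "close_notify",
    10: "unexpected_message",
    20: "bad_record_mac",
    22: "record_overflow",
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    47: "illegal_parameter",
    48: "unknown_ca",
    49: "access_denied",
    50: "decode_error",
    51: "decrypt_error",
    70: "protocol_version",
    71: "insufficient_security",
    80: "internal_error",
    90: "user_canceled",
    100: "no_renegotiation",
    110: "unsupported_extension",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
CONTENT_TYPE_ALERT = 21

# Triage hints (constructed for this example): what the *sender* of the alert saw.
TRIAGE_HINTS = {
    48: "sender could not chain the peer certificate to a trusted CA; check the CA file on the sender's side",
    45: "sender considers the peer certificate expired; check validity dates and the sender's clock",
    42: "sender could not parse or verify the peer certificate; check the certificate/key pair presented",
    46: "sender rejected the peer certificate for an unspecified reason; check the sender's verify settings",
}


class TlsAlert(NamedTuple):
    version: str
    level: str
    description: str
    code: int


def parse_tls_alert(record: bytes) -> TlsAlert:
    """Parse one TLS record carrying a plaintext Alert message.

    Only unencrypted alerts (those sent during the handshake, before keys are
    established) can be decoded this way; an unknown_ca alert is one of them,
    because it is sent in response to the peer's Certificate message.
    """
    if len(record) < 7:
        raise ValueError("record too short for a TLS alert")
    content_type, version, length = struct.unpack("!BHH", record[:5])
    if content_type != CONTENT_TYPE_ALERT:
        raise ValueError(f"not an alert record (content type {content_type})")
    if length != 2 or len(record) != 5 + length:
        raise ValueError(f"alert record has unexpected length {length}")
    level, description = record[5], record[6]
    return TlsAlert(
        version=TLS_VERSIONS.get(version, f"unknown (0x{version:04x})"),
        level=ALERT_LEVELS.get(level, f"unknown ({level})"),
        description=ALERT_DESCRIPTIONS.get(description, f"unknown ({description})"),
        code=description,
    )


def triage(alert: TlsAlert) -> str:
    """Return a one-line hint about which side's configuration to inspect."""
    hint = TRIAGE_HINTS.get(alert.code, "consult RFC 5246 section 7.2 for this alert")
    return f"{alert.level} {alert.description} ({alert.code}) on {alert.version}: {hint}"


# Constructed sample: a fatal unknown_ca alert in a TLS 1.0 record, the kind of
# bytes one would find in the failing STARTTLS capture described in the issue.
SAMPLE_UNKNOWN_CA = bytes.fromhex("15 03 01 00 02 02 30")

if __name__ == "__main__":
    print(triage(parse_tls_alert(SAMPLE_UNKNOWN_CA)))
```

When reading a capture, note which IP address sent the alert record: if the LDAP client sent it, the client's CA file does not contain the issuer of the server certificate; if slapd sent it, the server does not trust the certificate the client presented.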

@arr2036
Member

arr2036 commented Nov 29, 2013

OK, just to let you know, I've reproduced this locally:

rlm_ldap (ldap): Opening additional connection (0)
rlm_ldap (ldap): Connecting to shinyhead-ubuntu.local:389
rlm_ldap (ldap): Could not start TLS: Connect error
rlm_ldap (ldap): Opening connection failed (0)
rlm_ldap (ldap): Removing connection pool
/usr/local/freeradius/etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap"

Took a while because OpenLDAP kept crashing on:

replace: olcTLSCipherSuite
olcTLSCipherSuite: HIGH:MEDIUM:+SSLv2

nice...

@arr2036
Member

arr2036 commented Nov 29, 2013

OK Fixed by #1e4ea8800cab78272ce3a7d1855e49d56db95263

I also fixed libldap debug output; apparently that option needs to be set in the global context (also not documented).

When using per-connection-handle TLS contexts, they need to be set after all the TLS configuration options, which is slightly counter-intuitive. Note that this was not mentioned anywhere in the libldap documentation; I just discovered it by trial and error.

Anyway, if you use the latest version of either of the branches it should now work.

@arr2036 arr2036 closed this as completed Nov 29, 2013
@kokel
Contributor Author

kokel commented Dec 4, 2013

Hello Arran,
thank you for the fix. Today I built the current git state of branch v3.0.x, and the ldap attribute mapping fails.
These are the attributes I have mapped:

    update {
            reply:Idle-Timeout              := 'radiusIdleTimeout'
            reply:Session-Timeout           := 'radiusSessionTimeout'
            reply:Service-Type              := 'radiusServiceType'
            request:Simultaneous-Use        := 'radiusSimultaneousUse'
            request:Expiration              := 'radiusExpiration'
            control:Auth-Type               := 'radiusAuthType'
    }

Error from debug output:
/etc/raddb/mods-enabled/ldap[63]: Unknown value 'radiusIdleTimeout' for attribute 'Idle-Timeout'

When I comment out the mappings radiusd runs fine and can connect to ldap via starttls, yeah!

Regards,
Tobias Hachmer
