回复： Re: freeRADIUS + Openldap with TLS [sec=unclassified]

[Hangjun He]

Thanks.
   
  So key-file-password do not set in radiusd.conf/rlm_ldap section.
  I still donot know how to configure key-password in Openldap, Where I can get any document or Wiki ? Thanks.
   
  John.
   
  
"Ranner, Frank MR" <Frank.Ranner at defence.gov.au> 写道：
  Yes. eap.conf is part of radiusd.conf.
But I can not find a variable to set key-file-password in
rlm_ldap section.


# Lightweight Directory Access Protocol (LDAP)
ldap {
server = "ldap.your.domain"
# identity = "cn=admin,o=My Org,c=UA"
# password = mypass
basedn = "o=My Org,c=UA"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
# base_filter = "(objectclass=radiusprofile)"
# set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
# The StartTLS operation is supposed to be used with normal
# ldap connections instead of using ldaps (port 689)
connections
start_tls = no
# tls_cacertfile = /path/to/cacert.pem
# tls_cacertdir = /path/to/ca/dir/
# tls_certfile = /path/to/radius.crt
# tls_keyfile = /path/to/radius.key
# tls_randfile = /path/to/rnd
# tls_require_cert = "demand"
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
# profile_attribute = "radiusProfileDn"
access_attr = "dialupAccess"


So use openssl to remove the password from the key and put the key in a
secure directory. The key itself should have 400 permissions and be
owned
by the ldap user. What's the problem?

Regards, 
Frank Ranner


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


       
---------------------------------
雅虎邮箱，终生伙伴！ 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20071030/b8b1f794/attachment.html>