deactivate ldap.attrmap [SEC=UNCLASSIFIED]
Ranner, Frank MR
Frank.Ranner at defence.gov.au
Fri Feb 1 02:04:41 CET 2008
UNCLASSIFIED
-----Original Message-----
From: freeradius-users-bounces+frank.ranner=defence.gov.au at lists.freeradius.org [mailto:freeradius-users-bounces+frank.ranner=defence.gov.au at lists.freeradius.org] On Behalf Of Sebastian Heil
Sent: Wednesday, 30 January 2008 20:08
To: FreeRadius users mailing list
Subject: Re: deactivate ldap.attrmap
Hello again,
> Sebastian Heil wrote:
> > Is there a way to deactivate the ldap.attrmap file?
>
> Edit the source code & re-compile.
>
Maybe I will try it... never done it before... :-) Thanks anyway.
I have got another problem. Since the authentication via LDAP works now
quite OK, I would like to try LDAPS together with eDirectory.
What do I have to configure?
I already imported the root certificate and configured the tls section
of the ldap section like this:
tls {
    start_tls = yes
    cacertfile = /etc/raddb/certs/tc_class2.pem
    require_cert = "demand"
}
but it doesn't work like this...
I added the following lines to the ldap section:
port = 636
tls_mode = yes
tls_require_cert = demand
and it doesn't work either...
part of the debug:
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ************:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /etc/raddb/certs/tc_class2.pem
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: starting TLS
rlm_ldap: ldap_start_tls_s()
rlm_ldap: could not start TLS Can't contact LDAP server
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
Any ideas?
Thanks.
Sebastian
I have seen the later comments in the thread, but I think the problem is
that you need to choose whether to use TLS or SSL. If you use TLS, you
should connect to port 389 and issue start-tls. If you use SSL you
connect to 636 and don't do start-tls. Doing both, i.e. connecting to 636 and
issuing start-tls, is probably a bad thing.
Another thing you could try is to fire up an openldap server on a Linux
box. You can run the server with debugging switched on and see the
entire certificate negotiation from the server's point of view.
Regards,
Frank Ranner
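As an added illustration of the point above (example code written for this archive page, not from FreeRADIUS or either poster), a small Python lint that flattens an rlm_ldap block and separates StartTLS on 389 from LDAPS on 636, flagging the mixed form in the posted config; the key names are those in the posted block and the sample block is constructed.

```python
import re
# Toy lint (constructed for this reply, not a FreeRADIUS tool): flatten the key = value
# lines of an rlm_ldap "ldap { ... tls { ... } }" block and tell StartTLS-on-389 apart
# from LDAPS-on-636 and from the mixed form that cannot work (636 plus start_tls).
YES = {"yes", "on", "1", "true"}

def parse_settings(text):
    """Return {key: value} for every 'key = value' line; braces and comments skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r'^(\w+)\s*=\s*"?([^"\s]*)"?$', line)
        if m:
            settings[m.group(1)] = m.group(2).lower()
    return settings

def check_ldap_tls(text):
    """Return (mode, problems); mode is starttls | ldaps | conflict | plaintext."""
    s = parse_settings(text)
    port = int(s.get("port", "389"))
    start_tls = s.get("start_tls", "no") in YES   # StartTLS: plain 389, then upgrade
    ldaps = s.get("tls_mode", "no") in YES        # tls_mode: TLS from the first byte (636)
    problems = []
    if start_tls and (ldaps or port == 636):
        mode = "conflict"
        problems.append("start_tls together with port 636 / tls_mode: choose one of them")
    elif start_tls:
        mode = "starttls"
    elif ldaps:
        mode = "ldaps"
        if port != 636:
            problems.append("tls_mode = yes normally pairs with port = 636")
    else:
        mode = "plaintext"
        problems.append("no TLS configured: bind credentials cross the wire in clear")
    # Anything weaker than "demand" lets the server present an unverified certificate.
    for key in ("require_cert", "tls_require_cert"):
        if key in s and s[key] != "demand":
            problems.append(f"{key} = {s[key]} does not verify the server certificate")
    return mode, problems

# Constructed sample mirroring the poster's block: port 636 *and* start_tls = yes.
POSTED = """ldap {
    port = 636
    tls_mode = yes
    tls {
        start_tls = yes
        require_cert = "demand"
    }
}"""
```

Running `check_ldap_tls(POSTED)` reports `conflict`, which is exactly the 636-plus-StartTLS combination the debug output above shows failing.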