ldap tls in freeradius
Frank Skovboel
fs at secu.dk
Sun Nov 6 12:37:30 CET 2011
----- Original Message -----
> From: "Alan Buxey" <A.L.M.Buxey at lboro.ac.uk>
> To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
> Sent: Sunday, November 6, 2011 10:59:43 AM
> Subject: Re: ldap tls in freeradius
>
> Hi,
>
> > tls {
> > start_tls = no
> >
> > cacertfile = /etc/raddb/certs/ca.pem
> > cacertdir = /etc/raddb/certs/
> > certfile = /etc/raddb/certs/server.crt
> > keyfile = /etc/raddb/certs/server.key
> > randfile = /etc/raddb/certs/random
> > require_cert = "never"
>
> are these certs for the LDAP connection - or are these your main certs
> for the client connections - as the directory looks to be the same.
> ensure you have separate config for your RADIUS<->LDAP connection...
>
> is the CRT file PEM readable? - ie use openssl tool to check your
> cert
The snippet above is from the ldap setup.
I do not expect to use EAP, so the certs are only to connect to the ldap servers. I'm new to openssl, but I did manage to find the syntax for reading the PEM crt file with -noout -text, and it gives me the certificate data.
The directory that I pointed to was the one that bootstrap automatically created. Do I need to create new certificates for the ldap lookup (if so, is there a guide somewhere)?
What is required (e.g. key = values etc.) in order to do a secure LDAP lookup in a remote AD? I would also like (for testing) to ensure that the ldap lookup does not try to validate the ldap server certificate. I assume that "require_cert" does this for me?
--
Thanks,
Frank
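As an added example (not from this thread or the FreeRADIUS project), here is an rlm_ldap instance with the unverified test setting the poster asks about, beside a verified production setting; the hostname, bind DN, password and the ad-ca.pem path are placeholders, and the require_cert values are the ones documented in the stock FreeRADIUS 2.x raddb/modules/ldap file.

```conf
# Test-only: the session is encrypted with TLS, but the AD server's
# certificate is never checked, so any host answering on the port
# (including one in the middle) is accepted. This is what "never" buys you.
ldap ldap_test {
        server = "dc1.example.internal"                  # placeholder hostname
        port = 389
        identity = "CN=radius,OU=svc,DC=example,DC=internal"  # placeholder bind DN
        password = "PLACEHOLDER"
        basedn = "DC=example,DC=internal"
        tls {
                start_tls = yes          # upgrade the port-389 session with StartTLS
                require_cert = "never"   # skip certificate verification (test only)
        }
}

# Production: same transport, but the server certificate must chain to the
# CA that issued the domain controller's LDAP certificate.
ldap ldap_prod {
        server = "dc1.example.internal"
        port = 389
        identity = "CN=radius,OU=svc,DC=example,DC=internal"
        password = "PLACEHOLDER"
        basedn = "DC=example,DC=internal"
        tls {
                # start_tls = no is only right when the server is reached on
                # an ldaps listener (typically port 636) instead of StartTLS.
                start_tls = yes
                # CA that signed the DC's certificate, exported from the domain's
                # PKI. Not the bootstrap-generated ca.pem: that CA only signs the
                # local EAP server certificate and says nothing about the DC.
                cacertfile = /etc/raddb/certs/ad-ca.pem
                # certfile/keyfile are only needed if the directory demands a
                # client certificate from RADIUS; omit them for a simple bind.
                randfile = /etc/raddb/certs/random
                require_cert = "demand"  # fail the lookup if the chain does not verify
        }
}
```

Before switching to "demand", confirm the DC's chain actually verifies against that CA file: `openssl s_client -connect dc1.example.internal:636 -CAfile /etc/raddb/certs/ad-ca.pem` should report `Verify return code: 0 (ok)`. If it does not, the lookup will fail under "demand" for the same reason.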