ldap tls in freeradius
fs at secu.dk
Sun Nov 6 12:46:23 CET 2011
> > [ldap_CustA] setting TLS Key File to /etc/raddb/certs/server.key
> > [ldap_CustA] setting TLS Key File to /etc/raddb/certs/random
> This is a logging bug in FreeRADIUS; the code seems to have been
> copy-pasted. It *is* setting the randfile option, but it's logging the
> thing (key file). It can be ignored.
Okay, thank you.
> > [ldap_CustA] bind as user at domain.local/PASSWORD to 188.8.131.52:636
> > TLS: could not add the certificate PEM Token #0:server.crt - 0 -
> > error
> > -8192:Unknown code ___f 0.
> > TLS: error: could not initialize moznss security context - error
> > -8192:Unknown code ___f 0
> Well that's a new one on me.
> Which version of FreeRADIUS are you using, on which OS? Which LDAP
> libraries are you linking against?
I did not compile it; I used yum (CentOS) to install it. Is there any way for me to see this?
> I'm guessing you're on a RedHat based system, judging from the fact that
> the LDAP libraries seem to be using Mozilla NSS rather than OpenSSL under
> the hood?
Yes, it's CentOS.
> Where did "server.crt" come from? I presume it's a copy of the LDAP
> server cert, signed by the CA in "ca.pem"? Do you need it? You can
> probably just give the CA cert, for a connection to an LDAP server.
They were all generated by bootstrap as part of the default installation.
I'll try with only giving the cacertfile and cacertdir.
When doing that I get the following (sanitized):
[ldap_CustA] setting TLS mode to 1
[ldap_CustA] setting TLS CACert File to /etc/raddb/certs/ca.pem
[ldap_CustA] setting TLS CACert Directory to /etc/raddb/certs/
[ldap_CustA] setting TLS Require Cert to never
[ldap_CustA] bind as MyUser at domain.local/MyPassword to 184.108.40.206:636
TLS: certificate [CN=server.domain.local] is not valid - CA cert is not valid
TLS: certificate [CN=server.domain.local] is not valid - error -8102:Unknown code ___f 90.
TLS: certificate [CN=server.domain.local] is not valid - error -8172:Unknown code ___f 20.
TLS: error: connect - force handshake failure: errno 0 - moznss error -8157
TLS: can't connect: TLS error -8157:Unknown code ___f 35.
[ldap_CustA] MyUser at domain.local bind to 220.127.116.11:636 failed: Can't contact LDAP server
[ldap_CustA] (re)connection attempt failed
If I'm reading that correctly, the certificates in the AD are not set up right?
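One way to test the "CA cert is not valid" failure above outside FreeRADIUS, added here as an example and not part of the original thread: it uses openssl to check offline whether a server certificate chains to the CA file given as cacertfile. The CA and both server certificates are constructed in the script itself, and the live-server host in the closing comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): does a server certificate chain to the
# CA file FreeRADIUS is given as cacertfile? Run this before trusting the
# ldap module config; "CA cert is not valid" means this check fails.
set -e

WORK="${TMPDIR:-/tmp}/ldap-tls-check.$$"
mkdir -p "$WORK"

# check_ldap_cert_chain CAFILE SERVER_CERT
# Exit status 0 when SERVER_CERT verifies against CAFILE, non-zero otherwise.
check_ldap_cert_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Human-readable wrapper; never aborts the script under set -e.
report_chain() {
    if check_ldap_cert_chain "$1" "$2"; then
        echo "OK:      $2 chains to $1"
    else
        echo "INVALID: $2 does not chain to $1 (the 'CA cert is not valid' case)"
    fi
}

# --- constructed test material; stands in for ca.pem and the AD server cert ---
# A throwaway CA (the role bootstrap's /etc/raddb/certs/ca.pem plays)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
# A server certificate issued by that CA: the good case
openssl req -newkey rsa:2048 -nodes -subj "/CN=server.domain.local" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server-good.crt" 2>/dev/null
# A certificate from an unrelated issuer with the same CN: the failing case,
# as when the AD CA that issued the server cert is not the one in cacertfile
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=server.domain.local" \
    -keyout "$WORK/other.key" -out "$WORK/server-bad.crt" 2>/dev/null

report_chain "$WORK/ca.pem" "$WORK/server-good.crt"
report_chain "$WORK/ca.pem" "$WORK/server-bad.crt"

# Against a live server (placeholder host), the same check is the
# "Verify return code" line printed by:
#   openssl s_client -connect ldap.example.local:636 -CAfile /etc/raddb/certs/ca.pem </dev/null
```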