ldap tls in freeradius
A.L.M.Buxey at lboro.ac.uk
Sun Nov 6 13:50:41 CET 2011
> I do not expect to use EAP, so the certs are only to connect to the ldap servers. I'm new to openssl, but I did manage to find the syntax for reading the PEM crt file with -noout -text, and it give me the certificate data.
> The directory that I pointed to were the one that bootstrap automatically created. Do I need to create new certificates for the ldap lookup (if so is there a guide some where)?
err, yes. those certs made by bootstrap are SSL certs for the EAP part of
the server - for clients to talk to your RADIUS server.
for you to use LDAP with TLS, you will need to get a copy of the CA file
for the CA that signs your LDAP server.... you can then also get a copy
of the LDAP cert if you wish to set it - though I think that can be automatically
provisioned in the TLS setup should you not wish to be paranoid
> What is required (eg. key = values etc) in order to do a secure LDAP lookup in a remote AD. I would also like (for testing) to ensure that the ldap lookup does not try to validate the ldap server certificate I assume that "require_cert" does this for me?
as above...get a copy of the CA file that signs the LDAP/AD server and get
a copy of the LDAP server cert. the stuff you've configured is for EAP server
More information about the Freeradius-Users