Issues getting SLES11 FreeRadius working with eDirectory

Arran Cudbard-Bell a.cudbardb at freeradius.org
Fri Apr 10 15:35:50 CEST 2015


> On 10 Apr 2015, at 09:16, Michael Ströder <michael at stroeder.com> wrote:
> 
> Brian Boere wrote:
>> Chris, I have added the "edir = yes" (also found some information about
>> also adding edir_autz = yes) and it did not make a difference.
> 
> AFAIK edir = yes uses a Novell-specific LDAP extended operation for extracting the Universal Password from eDirectory as clear-text.

Correct

> Not sure whether your security policy allows that. Personally I'd recommend not to use it. But that's me.

It's needed for PEAP

> Special admin rights are needed in eDirectory for the FreeRADIUS system user to be allowed to do that.
> 
> IIRC you also must use an encrypted LDAP connection (LDAPS or StartTLS ext op.) when using this particular LDAP extended operation. That's probably what Christopher meant with "Modify the port you connect to eDirectory [..]".

You might have to prefix the hostname with ldaps:// at least you do in v3.0.x, just setting the port to 636 means that libldap will attempt to connect using unencrypted LDAP to the ldaps port, which is expecting a TLS session to be established. ldap != tls so it won't work.

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS development team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 872 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20150410/c2c1e734/attachment.sig>


More information about the Freeradius-Users mailing list