Hello<BR><BR><B><I>freeradius-users-request@lists.freeradius.org</I></B> wrote: <BLOCKQUOTE class=replbq style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #1010ff 2px solid">Send Freeradius-Users mailing list submissions to<BR>freeradius-users@lists.freeradius.org<BR><BR>To subscribe or unsubscribe via the World Wide Web, visit<BR>http://lists.freeradius.org/mailman/listinfo/freeradius-users<BR>or, via email, send a message with subject or body 'help' to<BR>freeradius-users-request@lists.freeradius.org<BR><BR>You can reach the person managing the list at<BR>freeradius-users-owner@lists.freeradius.org<BR><BR>When replying, please edit your Subject line so it is more specific<BR>than "Re: Contents of Freeradius-Users digest..."<BR><BR><BR>Today's Topics:<BR><BR>1. Re: SSL certificate problems (Walter Gould)<BR>2. Re: web based admin (Peter Nixon)<BR>3. Re: freeRADIUS + Openldap with TLS (Hangjun He)<BR>4. Re: freeRADIUS + Openldap with TLS
[sec=unclassified]<BR>(Ranner, Frank MR)<BR>5. Re: freeRADIUS + Openldap with TLS [sec=unclassified]<BR>(Hangjun He)<BR><BR><BR>----------------------------------------------------------------------<BR><BR>Message: 1<BR>Date: Mon, 29 Oct 2007 10:50:17 -0600<BR>From: Walter Gould <GOULDWP@AUBURN.EDU><BR>Subject: Re: SSL certificate problems<BR>To: FreeRadius users mailing list<BR><FREERADIUS-USERS@LISTS.FREERADIUS.ORG><BR>Message-ID: <47260F49.8020909@auburn.edu><BR>Content-Type: text/plain; charset=ISO-8859-1; format=flowed<BR><BR>Alan DeKok wrote:<BR>> Walter Gould wrote:<BR>> <BR>>> I am following the document "FreeRADIUS Active Directory Integration<BR>>> HOWTO" from the freeradius Wiki. I am having problems with creating<BR>>> SSL certificates. When I follow the instructions at the bottom of this<BR>>> doc and run the CA.all script, I see the following errors:<BR>>> <BR>><BR>> Ugh.<BR>><BR>> Download CVS head
(see the web page for CVS instructions).<BR>><BR>> $ cd raddb/certs<BR>> $ vi *.cnf ca.cnf, server.cnf to set your local parameters<BR>> $ ./bootstrap<BR>><BR>> And you will have certificates that can be used in 1.1.x.<BR>><BR>> Alan DeKok.<BR>> -<BR>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html<BR>> <BR>Alan & list,<BR><BR>Sorry to bother you guys again - I created new SSL certificates per <BR>your above instructions... After the certs were created, I then:<BR><BR>1. copied them to the /etc/raddb/certs directory<BR>2. updated /etc/raddb/eap.conf with the certificate names & private key <BR>password<BR>3. copied and installed the new certificate (server.pem) onto my XP <BR>laptop and<BR>4. started radiusd in debug mode, below is the output<BR><BR>It is acting as you describe in the FAQ -<BR><BR>"the client sends a series of Access-Request messages, the server sends <BR>a series of Access-Challenge
responses, and then... nothing happens. <BR>After a little wait, it all starts again."<BR><BR>So, I am wondering will I need to install the hotfix as listed in the <BR>FAQ - and, will this have to be done on ALL Windows machines? I am <BR>thinking that I still do not have something configured right on my <BR>side. If I uncheck the "validate server certs" box on the XP client, I <BR>can connect and authenticate successfully.<BR><BR>Thanks again -<BR>Walter<BR><BR><BR>Starting - reading configuration files ...<BR>reread_config: reading radiusd.conf<BR>Config: including file: /etc/raddb/proxy.conf<BR>Config: including file: /etc/raddb/clients.conf<BR>Config: including file: /etc/raddb/snmp.conf<BR>Config: including file: /etc/raddb/eap.conf<BR>main: prefix = "/usr"<BR>main: localstatedir = "/var"<BR>main: logdir = "/var/log/radius"<BR>main: libdir = "/usr/lib"<BR>main: radacctdir = "/var/log/radius/radacct"<BR>main: hostname_lookups = no<BR>main: snmp = no<BR>main:
max_request_time = 30<BR>main: cleanup_delay = 5<BR>main: max_requests = 1024<BR>main: delete_blocked_requests = 0<BR>main: port = 0<BR>main: allow_core_dumps = no<BR>main: log_stripped_names = no<BR>main: log_file = "/var/log/radius/radius.log"<BR>main: log_auth = yes<BR>main: log_auth_badpass = no<BR>main: log_auth_goodpass = no<BR>main: pidfile = "/var/run/radiusd/radiusd.pid"<BR>main: user = "radiusd"<BR>main: group = "radiusd"<BR>main: usercollide = no<BR>main: lower_user = "no"<BR>main: lower_pass = "no"<BR>main: nospace_user = "no"<BR>main: nospace_pass = "no"<BR>main: checkrad = "/usr/sbin/checkrad"<BR>main: proxy_requests = yes<BR>proxy: retry_delay = 5<BR>proxy: retry_count = 3<BR>proxy: synchronous = no<BR>proxy: default_fallback = yes<BR>proxy: dead_time = 120<BR>proxy: post_proxy_authorize = no<BR>proxy: wake_all_if_all_dead = no<BR>security: max_attributes = 200<BR>security: reject_delay = 1<BR>security: status_server = no<BR>main: debug_level =
0<BR>read_config_files: reading dictionary<BR>read_config_files: reading naslist<BR>Using deprecated naslist file. Support for this will go away soon.<BR>read_config_files: reading clients<BR>read_config_files: reading realms<BR>radiusd: entering modules setup<BR>Module: Library search path is /usr/lib<BR>Module: Loaded exec<BR>exec: wait = yes<BR>exec: program = "(null)"<BR>exec: input_pairs = "request"<BR>exec: output_pairs = "(null)"<BR>exec: packet_type = "(null)"<BR>rlm_exec: Wait=yes but no output defined. Did you mean output=none?<BR>Module: Instantiated exec (exec)<BR>Module: Loaded expr<BR>Module: Instantiated expr (expr)<BR>Module: Loaded MS-CHAP<BR>mschap: use_mppe = yes<BR>mschap: require_encryption = no<BR>mschap: require_strong = no<BR>mschap: with_ntdomain_hack = yes<BR>mschap: passwd = "(null)"<BR>mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key <BR>--username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00}
<BR>--nt-response=%{mschap:NT-Response:-00}"<BR>Module: Instantiated mschap (mschap)<BR>Module: Loaded eap<BR>eap: default_eap_type = "peap"<BR>eap: timer_expire = 60<BR>eap: ignore_unknown_eap_types = no<BR>eap: cisco_accounting_username_bug = no<BR>tls: rsa_key_exchange = no<BR>tls: dh_key_exchange = yes<BR>tls: rsa_key_length = 512<BR>tls: dh_key_length = 512<BR>tls: verify_depth = 0<BR>tls: CA_path = "(null)"<BR>tls: pem_file_type = yes<BR>tls: private_key_file = "/etc/raddb/certs/server.pem"<BR>tls: certificate_file = "/etc/raddb/certs/server.pem"<BR>tls: CA_file = "/etc/raddb/certs/ca.pem"<BR>tls: private_key_password = "whatever"<BR>tls: dh_file = "/etc/raddb/certs/dh"<BR>tls: random_file = "/etc/raddb/certs/random"<BR>tls: fragment_size = 1024<BR>tls: include_length = yes<BR>tls: check_crl = no<BR>tls: check_cert_cn = "(null)"<BR>tls: cipher_list = "DEFAULT"<BR>tls: check_cert_issuer = "(null)"<BR>rlm_eap_tls: Loading the certificate file as a chain<BR>rlm_eap:
Loaded and initialized type tls<BR>peap: default_eap_type = "mschapv2"<BR>peap: copy_request_to_tunnel = no<BR>peap: use_tunneled_reply = no<BR>peap: proxy_tunneled_request_as_eap = yes<BR>rlm_eap: Loaded and initialized type peap<BR>mschapv2: with_ntdomain_hack = no<BR>rlm_eap: Loaded and initialized type mschapv2<BR>Module: Instantiated eap (eap)<BR>Module: Loaded preprocess<BR>preprocess: huntgroups = "/etc/raddb/huntgroups"<BR>preprocess: hints = "/etc/raddb/hints"<BR>preprocess: with_ascend_hack = no<BR>preprocess: ascend_channels_per_line = 23<BR>preprocess: with_ntdomain_hack = no<BR>preprocess: with_specialix_jetstream_hack = no<BR>preprocess: with_cisco_vsa_hack = no<BR>preprocess: with_alvarion_vsa_hack = no<BR>Module: Instantiated preprocess (preprocess)<BR>Module: Loaded CHAP<BR>Module: Instantiated chap (chap)<BR>Module: Loaded realm<BR>realm: format = "suffix"<BR>realm: delimiter = "@"<BR>realm: ignore_default = no<BR>realm: ignore_null = no<BR>Module:
Instantiated realm (suffix)<BR>Module: Loaded files<BR>files: usersfile = "/etc/raddb/users"<BR>files: acctusersfile = "/etc/raddb/acct_users"<BR>files: preproxy_usersfile = "/etc/raddb/preproxy_users"<BR>files: compat = "no"<BR>Module: Instantiated files (files)<BR>Module: Loaded Acct-Unique-Session-Id<BR>acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, <BR>Client-IP-Address, NAS-Port"<BR>Module: Instantiated acct_unique (acct_unique)<BR>Module: Loaded detail<BR>detail: detailfile = <BR>"/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"<BR>detail: detailperm = 384<BR>detail: dirperm = 493<BR>detail: locking = no<BR>Module: Instantiated detail (detail)<BR>Module: Loaded System<BR>unix: cache = no<BR>unix: passwd = "(null)"<BR>unix: shadow = "/etc/shadow"<BR>unix: group = "(null)"<BR>unix: radwtmp = "/var/log/radius/radwtmp"<BR>unix: usegroup = no<BR>unix: cache_reload = 600<BR>Module: Instantiated unix (unix)<BR>Module: Loaded radutmp<BR>radutmp:
filename = "/var/log/radius/radutmp"<BR>radutmp: username = "%{User-Name}"<BR>radutmp: case_sensitive = yes<BR>radutmp: check_with_nas = yes<BR>radutmp: perm = 384<BR>radutmp: callerid = yes<BR>Module: Instantiated radutmp (radutmp)<BR>Listening on authentication *:1812<BR>Listening on accounting *:1813<BR>Ready to process requests.<BR><BR>rad_recv: Access-Request packet from host 131.204.xx.xx:1645, id=60, <BR>length=221<BR>User-Name = "testuser"<BR>Framed-MTU = 1400<BR>Called-Station-Id = "0011.2059.66f0"<BR>Calling-Station-Id = "0016.ce3a.fe00"<BR>Service-Type = Login-User<BR>Message-Authenticator = 0xfa42a088611ca8553c138461a5e37da9<BR>EAP-Message = <BR>0x0203005019800000004616030100410100003d03014725fcbbd1cb646792d9608deda83403db296d7cd4d986561c01f5831c20acc500001600040005000a000900640062000300060013001200630100<BR>NAS-Port-Type = Wireless-802.11<BR>NAS-Port = 1409<BR>State = 0x727730e02c5807c72421f7f8e37c09ef<BR>NAS-IP-Address = 131.204.xx.xx<BR>NAS-Identifier =
"RadiusTest"<BR>Processing the authorize section of radiusd.conf<BR>modcall: entering group authorize for request 1<BR>modcall[authorize]: module "preprocess" returns ok for request 1<BR>modcall[authorize]: module "chap" returns noop for request 1<BR>modcall[authorize]: module "mschap" returns noop for request 1<BR>rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL<BR>rlm_realm: No such realm "NULL"<BR>modcall[authorize]: module "suffix" returns noop for request 1<BR>rlm_eap: EAP packet type response id 3 length 80<BR>rlm_eap: No EAP Start, assuming it's an on-going EAP conversation<BR>modcall[authorize]: module "eap" returns updated for request 1<BR>modcall[authorize]: module "files" returns notfound for request 1<BR>modcall: leaving group authorize (returns updated) for request 1<BR>rad_check_password: Found Auth-Type EAP<BR>auth: type "EAP"<BR>Processing the authenticate section of radiusd.conf<BR>modcall: entering group authenticate for request
1<BR>rlm_eap: Request found, released from the list<BR>rlm_eap: EAP/peap<BR>rlm_eap: processing type peap<BR>rlm_eap_peap: Authenticate<BR>rlm_eap_tls: processing TLS<BR>rlm_eap_tls: Length Included<BR>eaptls_verify returned 11<BR>(other): before/accept initialization<BR>TLS_accept: before/accept initialization<BR>rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello<BR>TLS_accept: SSLv3 read client hello A<BR>rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello<BR>TLS_accept: SSLv3 write server hello A<BR>rlm_eap_tls: >>> TLS 1.0 Handshake [length 079c], Certificate<BR>TLS_accept: SSLv3 write certificate A<BR>rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone<BR>TLS_accept: SSLv3 write server done A<BR>TLS_accept: SSLv3 flush data<BR>TLS_accept:error in SSLv3 read client certificate A<BR>rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)<BR>In SSL Handshake Phase<BR>In SSL Accept
mode<BR>eaptls_process returned 13<BR>rlm_eap_peap: EAPTLS_HANDLED<BR>modcall[authenticate]: module "eap" returns handled for request 1<BR>modcall: leaving group authenticate (returns handled) for request 1<BR>Sending Access-Challenge of id 60 to 131.204.xx.xx port 1645<BR>EAP-Message = <BR>[value elided]<BR>EAP-Message =
<BR>0x77704061756275726e2e656475312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3037313032363138343132335a170d3038313032353138343132335a307e310b30090603550406130255533110300e06035504081307416c6162616d613120301e060355040a13174f4954202d2041756275726e20556e6976657273697479311830160603550403130f726164322e61756275726e2e6564753121301f06092a864886f70d0109011612676f756c6477704061756275726e2e65647530820122300d06092a864886f70d01010105000382010f003082010a0282010100cce2a7fd4a1386<BR>EAP-Message =
<BR>[value elided]<BR>EAP-Message =
<BR>[value elided]<BR>EAP-Message = 0x8af640e1e0303b4951607ff084645a1042980ebec1af<BR>Message-Authenticator = 0x00000000000000000000000000000000<BR>State = 0x91c30afa94d34c8fd79ff73e842f10d2<BR>Finished request 1<BR>Going to the next request<BR>Waking up in 6 seconds...<BR><BR><BR><BR><BR>------------------------------<BR><BR>Message: 2<BR>Date: Mon, 29 Oct 2007 20:19:09 +0200<BR>From: Peter Nixon <LISTUSER@PETERNIXON.NET><BR>Subject: Re: web based admin<BR>To: FreeRadius users mailing
list<BR><FREERADIUS-USERS@LISTS.FREERADIUS.ORG><BR>Message-ID: <200710292019.09827.listuser@peternixon.net><BR>Content-Type: text/plain; charset="iso-8859-1"<BR><BR>On Mon 29 Oct 2007, Hawkins, Michael wrote:<BR>> Peter,<BR>><BR>> Yes, I was comparing TACACS+ to RADIUS - my mistake.<BR>><BR>> Any recommendations on the most appropriate web front end for FreeRadius<BR>> when managing a Cisco network that is pointing at a FreeRadius AAA<BR>> server?<BR><BR>It kind of depends on your backend to be honest. If you use an LDAP backend <BR>phpLDAPadmin is pretty good.<BR><BR>-- <BR><BR>Peter Nixon<BR>http://peternixon.net/<BR><BR><BR>------------------------------<BR><BR>Message: 3<BR>Date: Tue, 30 Oct 2007 10:38:35 +0800 (CST)<BR>From: Hangjun He <ELMERHE@YAHOO.COM.CN><BR>Subject: Re: freeRADIUS + Openldap with TLS<BR>To: FreeRadius users mailing list<BR><FREERADIUS-USERS@LISTS.FREERADIUS.ORG><BR>Message-ID:
<163678.99683.qm@web15106.mail.cnb.yahoo.com><BR>Content-Type: text/plain; charset="gb2312"<BR><BR>Hi,<BR>Yes. eap.conf is part of radiusd.conf.<BR>But I can not find a variable to set key-file-password in rlm_ldap section.<BR><BR><BR># Lightweight Directory Access Protocol (LDAP)<BR>ldap {<BR>server = "ldap.your.domain"<BR># identity = "cn=admin,o=My Org,c=UA"<BR># password = mypass<BR>basedn = "o=My Org,c=UA"<BR>filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"<BR># base_filter = "(objectclass=radiusprofile)"<BR># set this to 'yes' to use TLS encrypted connections<BR># to the LDAP database by using the StartTLS extended<BR># operation.<BR># The StartTLS operation is supposed to be used with normal<BR># ldap connections instead of using ldaps (port 689) connections<BR>start_tls = no<BR># tls_cacertfile = /path/to/cacert.pem<BR># tls_cacertdir = /path/to/ca/dir/<BR># tls_certfile = /path/to/radius.crt<BR># tls_keyfile = /path/to/radius.key<BR># tls_randfile =
/path/to/rnd<BR># tls_require_cert = "demand"<BR># default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"<BR># profile_attribute = "radiusProfileDn"<BR>access_attr = "dialupAccess"<BR><BR>tnt@kalik.co.yu wrote:<BR>You already have. eap.conf is a part of radiusd.conf.<BR><BR>Ivan Kalik<BR>Kalik Informatika ISP<BR><BR><BR>On 29/10/2007, "Hangjun He" wrote:<BR><BR>>Hi,<BR>><BR>> I use freeradius 1.1.6 and Openldap 2.3.32. And now it can authenticate successfully (freeRADIUS + Openldap with TLS encryption).<BR>><BR>> My question is how to set the private-key password in radiusd.conf? Is there a related variable to set, just like "private_key_password" in eap.conf?<BR>><BR>> Thanks.<BR>> John<BR>><BR><BR>-<BR>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html<BR><BR><BR>------------------------------<BR><BR>Message: 4<BR>Date: Tue, 30 Oct 2007 13:52:02 +1100<BR>From: "Ranner, Frank MR" <FRANK.RANNER@DEFENCE.GOV.AU><BR>Subject: Re: freeRADIUS + Openldap with TLS [sec=unclassified]<BR>To: "FreeRadius users mailing list"<BR><FREERADIUS-USERS@LISTS.FREERADIUS.ORG><BR>Message-ID:<BR><3497E314EE23D54EACE26B5CFFD8969802B56964@drnrxm01.drn.mil.au><BR>Content-Type: text/plain; charset="us-ascii"<BR><BR>Yes. eap.conf is part of radiusd.conf.<BR>But I can not find a variable to set key-file-password in<BR>rlm_ldap section.<BR><BR><BR># Lightweight Directory Access Protocol (LDAP)<BR>ldap {<BR>server = "ldap.your.domain"<BR># identity = "cn=admin,o=My Org,c=UA"<BR># password = mypass<BR>basedn = "o=My Org,c=UA"<BR>filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"<BR>#
base_filter = "(objectclass=radiusprofile)"<BR># set this to 'yes' to use TLS encrypted connections<BR># to the LDAP database by using the StartTLS extended<BR># operation.<BR># The StartTLS operation is supposed to be used with normal<BR># ldap connections instead of using ldaps (port 689)<BR>connections<BR>start_tls = no<BR># tls_cacertfile = /path/to/cacert.pem<BR># tls_cacertdir = /path/to/ca/dir/<BR># tls_certfile = /path/to/radius.crt<BR># tls_keyfile = /path/to/radius.key<BR># tls_randfile = /path/to/rnd<BR># tls_require_cert = "demand"<BR># default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"<BR># profile_attribute = "radiusProfileDn"<BR>access_attr = "dialupAccess"<BR><BR><BR>So use openssl to remove the password from the key and put the key in a<BR>secure directory. The key itself should have 400 permissions and be<BR>owned<BR>by the ldap user. What's the problem?<BR><BR>Regards, <BR>Frank
Ranner<BR><BR><BR><BR><BR>------------------------------<BR><BR>Message: 5<BR>Date: Tue, 30 Oct 2007 12:48:50 +0800 (CST)<BR>From: Hangjun He <ELMERHE@YAHOO.COM.CN><BR>Subject: Re: freeRADIUS + Openldap with TLS [sec=unclassified]<BR>To: FreeRadius users mailing list<BR><FREERADIUS-USERS@LISTS.FREERADIUS.ORG><BR>Message-ID: <476711.12276.qm@web15108.mail.cnb.yahoo.com><BR>Content-Type: text/plain; charset="gb2312"<BR><BR>Thanks.<BR><BR>So the key-file password is not set in the radiusd.conf/rlm_ldap section.<BR>I still do not know how to configure the key password in Openldap. Where can I get any document or Wiki? Thanks.<BR><BR>John.<BR><BR><BR>"Ranner, Frank MR" <FRANK.RANNER@DEFENCE.GOV.AU> wrote:<BR>Yes. eap.conf is part of radiusd.conf.<BR>But I can not find a variable to set key-file-password in<BR>rlm_ldap section.<BR><BR><BR># Lightweight Directory Access Protocol (LDAP)<BR>ldap {<BR>server = "ldap.your.domain"<BR># identity = "cn=admin,o=My Org,c=UA"<BR># password =
mypass<BR>basedn = "o=My Org,c=UA"<BR>filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"<BR># base_filter = "(objectclass=radiusprofile)"<BR># set this to 'yes' to use TLS encrypted connections<BR># to the LDAP database by using the StartTLS extended<BR># operation.<BR># The StartTLS operation is supposed to be used with normal<BR># ldap connections instead of using ldaps (port 689)<BR>connections<BR>start_tls = no<BR># tls_cacertfile = /path/to/cacert.pem<BR># tls_cacertdir = /path/to/ca/dir/<BR># tls_certfile = /path/to/radius.crt<BR># tls_keyfile = /path/to/radius.key<BR># tls_randfile = /path/to/rnd<BR># tls_require_cert = "demand"<BR># default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"<BR># profile_attribute = "radiusProfileDn"<BR>access_attr = "dialupAccess"<BR><BR><BR>So use openssl to remove the password from the key and put the key in a<BR>secure directory. The key itself should have 400 permissions and be<BR>owned<BR>by the ldap user. What's the
problem?<BR><BR>Regards, <BR>Frank Ranner<BR><BR><BR>-<BR>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html<BR><BR><BR>------------------------------<BR><BR><BR>=== message truncated ===</BLOCKQUOTE><BR><BR><BR><DIV><STRONG><EM><FONT face="times new roman"> WITH LOVE</FONT></EM></STRONG></DIV>
<DIV><FONT face="times new roman"><EM><STRONG><U>MARIBEL HERNÁNDEZ LÓPEZ</U></STRONG></EM></FONT></DIV>
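Frank Ranner's reply in message 4 of the quoted digest (strip the passphrase from the LDAP TLS key with openssl, keep the key in a secure directory with 400 permissions, owned by the ldap user) is a procedure, so here it is as a working script. This is an added example and not code from the thread or from the FreeRADIUS or OpenLDAP projects; every path is constructed for the demo, and the LDAP service account (LDAP_USER) is an assumption that defaults to the current user so the script runs without root. The check function is the part worth keeping: once the passphrase is gone, file permissions are the only protection the key has, so verify them rather than assume them.

```shell
#!/bin/sh
# Added example, not from the list thread: remove the passphrase from the
# LDAP TLS private key with openssl, as Frank Ranner suggests, and then
# compensate for the now-unencrypted key with file permissions (mode 400,
# owned by the LDAP service user). Every path below is constructed for the
# demo; LDAP_USER is an assumption and defaults to the current user so the
# script runs without root.
set -eu
umask 077                                   # new files start out owner-only

WORKDIR="${WORKDIR:-$(mktemp -d)}"
LDAP_USER="${LDAP_USER:-$(id -un)}"
ENC_KEY="$WORKDIR/ldap-key.enc.pem"         # constructed stand-in for radius.key
KEY="$WORKDIR/ldap-key.pem"

# Constructed input: a passphrase-protected RSA key, the situation from the
# thread where the config offers no place to supply the passphrase.
make_encrypted_key() {
    openssl genrsa -aes256 -passout pass:demo-passphrase -out "$1" 2048 2>/dev/null
}

# Rewrite the key without encryption ($1 -> $3, passphrase $2), then lock the
# file down: chown to the LDAP user and drop to read-only for the owner.
strip_passphrase_and_install() {
    openssl rsa -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null
    chown "$LDAP_USER" "$3"                 # needs root on a real server
    chmod 400 "$3"
}

# Check the installed key: loadable without a passphrase, mode 400, right
# owner. Returns 0 when all three hold, 1 (with a reason on stderr) otherwise.
check_key_file() {
    key="$1"
    if grep -q ENCRYPTED "$key"; then
        echo "$key: still passphrase-protected" >&2; return 1
    fi
    if ! openssl rsa -in "$key" -noout </dev/null 2>/dev/null; then
        echo "$key: does not parse as an unencrypted RSA key" >&2; return 1
    fi
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    if [ "$mode" != 400 ]; then
        echo "$key: mode is $mode, want 400" >&2; return 1
    fi
    owner=$(stat -c '%U' "$key" 2>/dev/null || stat -f '%Su' "$key")
    if [ "$owner" != "$LDAP_USER" ]; then
        echo "$key: owned by $owner, want $LDAP_USER" >&2; return 1
    fi
    return 0
}

make_encrypted_key "$ENC_KEY"
strip_passphrase_and_install "$ENC_KEY" demo-passphrase "$KEY"
check_key_file "$KEY" && echo "ok: $KEY is unencrypted, mode 400, owner $LDAP_USER"
```

On a real server run it as root with LDAP_USER set to the account slapd runs as, point the tls_keyfile line of the ldap section at the installed file, and keep the encrypted original off the box; check_key_file can be rerun from cron or a configuration audit so that a later chmod or copy that widens the permissions is noticed.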