On 10 Apr 2015, at 09:16, Michael Ströder <michael@stroeder.com> wrote:
Brian Boere wrote:
Chris, I have added the "edir = yes" (also found some information about also adding edir_autz = yes) and it did not make a difference.
AFAIK edir = yes uses a Novell-specific LDAP extended operation for extracting the Universal Password from eDirectory as clear-text.
Correct
Not sure whether your security policy allows that. Personally I'd recommend not to use it. But that's me.
It's needed for PEAP
Special admin rights are needed in eDirectory for the FreeRADIUS system user to be allowed to do that.
IIRC you also must use an encrypted LDAP connection (LDAPS or StartTLS ext op.) when using this particular LDAP extended operation. That's probably what Christopher meant with "Modify the port you connect to eDirectory [..]".
You might have to prefix the hostname with ldaps:// at least you do in v3.0.x, just setting the port to 636 means that libldap will attempt to connect using unencrypted LDAP to the ldaps port, which is expecting a TLS session to be established. ldap != tls so it won't work. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2