Peter Param a écrit :
it is an LDAP server answering on LDAPS connections (LDAP+SSL on port 636) ...but it also supports the latter even tho an acl is set to not allow port 389
use start_tls=no fails also, Maybe but keep it to no
it seems to have a problem with the cert and/or cert directory:
rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap1.stvincents.com.au:636, authentication 0 rlm_ldap: setting TLS mode to 1 rlm_ldap: could not set LDAP_OPT_X_TLS option Success
?? this is confusing... could that mean that your ldap library wasn't compiled with ssl support... I'm not sure see http://www.mail-archive.com/freeradius-users@lists.cistron.nl/msg09575.html (but this is a rather old post)
rlm_ldap: setting TLS CACert Directory to /etc/openssl/certs/ rlm_ldap: could not set LDAP_OPT_X_TLS_CACERTDIR option to /etc/openssl/certs/
------------------ cacertfile = /etc/openssl/certs/SVMHS_CA_SSL_Server.cer ----------------- The doc states that tls_cacertfile is a a PEM-encoded file: I think your CAcert is a DER encoded one (extension.cer usually is). ----------- cacertdir = /etc/openssl/certs/ ----------- The doc states that tls_cacertdir is in "hash format" (see openssl verify) Also check that the directory and files are accessible/readable by the user running the radius server. My 2 cents,...