Thanks. So key-file-password do not set in radiusd.conf/rlm_ldap section. I still donot know how to configure key-password in Openldap, Where I can get any document or Wiki ? Thanks. John. "Ranner, Frank MR" <Frank.Ranner@defence.gov.au> 写道: Yes. eap.conf is part of radiusd.conf. But I can not find a variable to set key-file-password in rlm_ldap section. # Lightweight Directory Access Protocol (LDAP) ldap { server = "ldap.your.domain" # identity = "cn=admin,o=My Org,c=UA" # password = mypass basedn = "o=My Org,c=UA" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" # base_filter = "(objectclass=radiusprofile)" # set this to 'yes' to use TLS encrypted connections # to the LDAP database by using the StartTLS extended # operation. # The StartTLS operation is supposed to be used with normal # ldap connections instead of using ldaps (port 689) connections start_tls = no # tls_cacertfile = /path/to/cacert.pem # tls_cacertdir = /path/to/ca/dir/ # tls_certfile = /path/to/radius.crt # tls_keyfile = /path/to/radius.key # tls_randfile = /path/to/rnd # tls_require_cert = "demand" # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" # profile_attribute = "radiusProfileDn" access_attr = "dialupAccess" So use openssl to remove the password from the key and put the key in a secure directory. The key itself should have 400 permissions and be owned by the ldap user. What's the problem? Regards, Frank Ranner - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html --------------------------------- 雅虎邮箱,终生伙伴!