[ldap_CustA] setting TLS Key File to /etc/raddb/certs/server.key [ldap_CustA] setting TLS Key File to /etc/raddb/certs/random
This is a logging bug in FreeRADIUS; the code seems to have been copy & pasted. It *is* setting the randfile option, but it's logging the wrong thing (key file). It can be ignored.
Okay thank you.
[ldap_CustA] bind as user@domain.local/PASSWORD to 193.47.81.75:636 TLS: could not add the certificate PEM Token #0:server.crt - 0 - error -8192:Unknown code ___f 0. TLS: error: could not initialize moznss security context - error -8192:Unknown code ___f 0
Well that's a new one on me.
Which version of FreeRADIUS are you using, on which OS? Which LDAP libraries are you linking against?
I did not compile it, I used yum (CentOS) to install it. is there any way for me to see this?
I'm guessing you're on a RedHat based system, judging from the fact the LDAP libraries seem to be using Mozilla NSS rather than OpenSSL under the hood?
yes it's CentOS.
Where did "server.crt" come from? I presume it's a copy of the LDAP server cert, signed by the CA in "ca.pem"? Do you need it? You can probably just give the CA cert, for a connection to an LDAP server.
They were all generated by bootstrap as part of the default installation. I'll try with only giving he cacertfile cacertdir when doing that it I get the following (sanitized): [ldap_CustA] setting TLS mode to 1 [ldap_CustA] setting TLS CACert File to /etc/raddb/certs/ca.pem [ldap_CustA] setting TLS CACert Directory to /etc/raddb/certs/ [ldap_CustA] setting TLS Require Cert to never [ldap_CustA] bind as MyUser@domain.local/MyPassword to 193.47.81.75:636 TLS: certificate [CN=server.domain.local] is not valid - CA cert is not valid TLS: certificate [CN=server.domain.local] is not valid - error -8102:Unknown code ___f 90. TLS: certificate [CN=server.domain.local] is not valid - error -8172:Unknown code ___f 20. TLS: error: connect - force handshake failure: errno 0 - moznss error -8157 TLS: can't connect: TLS error -8157:Unknown code ___f 35. [ldap_CustA] MyUser@domain.local bind to 1.1.1.1:636 failed: Can't contact LDAP server [ldap_CustA] (re)connection attempt failed If I'm reading that correctly the certificates in the AD is not setup right? -- Thanks, Frank