Thx It's works. But I have another question: -In freeradius log (freeradius -XXX -A) i see my password from ldap server, how i can crypt that password ? BR Kamyk On Dec 4, 2006, at 1:57 PM, Thibault Le Meur wrote:
-----Message d'origine----- De : freeradius-users-bounces+thibault.lemeur=supelec.fr@lists.free radius.org [mailto:freeradius-users-bounces+thibault.lemeur=supelec.fr@li sts.freeradius.org] De la part de Rafa³ Kamiñski Envoyé : lundi 4 décembre 2006 13:28 À : freeradius-users@lists.freeradius.org Objet : FreeRadius + Ldap + TLS/SSL
When i saw that error, i check ldap logs. My ldap is configure with SSL not a TLS. Now i have a problem with configure freeradius to work with SSL ldap not TLS ldap :(
I have in radiusd.conf:
server = "ldap" port = 636 #port = 389 ... filter = "(uid=%u)" base_filter = "(objectclass=radiusprofile)" start_tls = no
This last line is ok: it will ask not to try Start-TLS connection.
# tls_cacertfile = /path/to/cacert.pem tls_cacertfile = /etc/freeradius/cert/ca.crt # tls_cacertdir = /path/to/ca/dir/
tls_cacertdir = /etc/freeradius/cert/ tls_cacertdir = /etc/freeradius/cert/
Why do you have both tls_cacertfile and tls_cacertdir ?
# tls_certfile = /path/to/radius.crt tls_certfile = /etc/freeradius/cert/radius.crt # tls_keyfile = /path/to/radius.key tls_keyfile = /etc/freeradius/cert/radius.key
tls_certfile and tls_keyfile are used to make the radius server authenticate itself to the ldap server. This is not mandatory, if you're not willing to authenticate the radius server to the ldap server, then you can ommit these two lines.
However, if you are trying to authenticate the radius server to the ldap server with certificates, then check that the CA that has signed the radius' certificate is known by the ldap server.
#tls_mode = yes
Argh... I think you have to uncomment this line.
HTH, Thibault
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ users.html