UNCLASSIFIED -----Original Message----- From: freeradius-users-bounces+frank.ranner=defence.gov.au@lists.freeradius.or g [mailto:freeradius-users-bounces+frank.ranner=defence.gov.au@lists.freer adius.org] On Behalf Of Sebastian Heil Sent: Wednesday, 30 January 2008 20:08 To: FreeRadius users mailing list Subject: Re: deactivate ldap.attrmap Hello again,
Sebastian Heil wrote:
Is there a way to deactivate the ldap.attrmap file?
Edit the source code & re-compile.
Maybe i will try it... never done before... :-) thanks anyway. i have got another problem. since the authentication via ldap works now quite ok, i would like to try ldaps together with edirectory. what do i have to configure? i already imported the root certificate and configured the tls-section of the ldap-section like this: tls { start_tls = yes cacertfile = /etc/raddb/certs/tc_class2.pem require_cert = "demand" } but i doesn't work like this... i added the following lines to the ldap-section: port = 636 tls_mode = yes tls_require_cert = demand and i doesn't work either... part of the debug: rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ************:636, authentication 0 rlm_ldap: setting TLS mode to 1 rlm_ldap: setting TLS CACert File to /etc/raddb/certs/tc_class2.pem rlm_ldap: setting TLS Require Cert to demand rlm_ldap: starting TLS rlm_ldap: ldap_start_tls_s() rlm_ldap: could not start TLS Can't contact LDAP server rlm_ldap: (re)connection attempt failed rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 Any ideas? Thanks. Sebastian I have seen the later comments in the thread, but I think the problem is that you need to choose whether to use tls or ssl. If you use tls, you should connect to port 389 and issue start-tls. If you use ssl you connect to 636 and don't do start-tls. Doing both, ie connect to 636 and issue start-tls is probably a bad thing. Another this you could try is to ark up an openldap server on a linux box. You can run the server with debugging switched on and see the entire certificate negotiation from the servers point of view. Regards, Frankl Ranner