Hello I install freeradius on Debian Sarge machine. I have my user in ldap and I use that directory to auth. them. It's works. But when I want to use TLS in connections between radius and ldap, I have that error in radius log. rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap:636, authentication 0 rlm_ldap: setting TLS mode to 1 rlm_ldap: setting TLS CACert File to /etc/freeradius/cert/ca.crt rlm_ldap: setting TLS CACert File to /etc/freeradius/cert/ rlm_ldap: setting TLS Require Cert to never rlm_ldap: setting TLS Cert File to /etc/freeradius/cert/radius.crt rlm_ldap: setting TLS Key File to /etc/freeradius/cert/radius.key rlm_ldap: starting TLS rlm_ldap: ldap_start_tls_s() rlm_ldap: could not start TLS Can't contact LDAP server rlm_ldap: (re)connection attempt failed rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 When i saw that error, i check ldap logs. My ldap is configure with SSL not a TLS. Now i have a problem with configure freeradius to work with SSL ldap not TLS ldap :( I have in radiusd.conf: server = "ldap" port = 636 #port = 389 ... filter = "(uid=%u)" base_filter = "(objectclass=radiusprofile)" start_tls = no # tls_cacertfile = /path/to/cacert.pem tls_cacertfile = /etc/freeradius/cert/ca.crt # tls_cacertdir = /path/to/ca/dir/ tls_cacertdir = /etc/freeradius/cert/ tls_cacertdir = /etc/freeradius/cert/ # tls_certfile = /path/to/radius.crt tls_certfile = /etc/freeradius/cert/radius.crt # tls_keyfile = /path/to/radius.key tls_keyfile = /etc/freeradius/cert/radius.key #tls_mode = yes I read about SSL in freeradius and i thought that that conf. use SSL to connections with ldap, but i wrong ? Can somebody tell me how i can use SSL auth between ldap and freeradius ? BR. Kamyk
-----Message d'origine----- De : freeradius-users-bounces+thibault.lemeur=supelec.fr@lists.free radius.org [mailto:freeradius-users-bounces+thibault.lemeur=supelec.fr@li sts.freeradius.org] De la part de Rafa³ Kamiñski Envoyé : lundi 4 décembre 2006 13:28 À : freeradius-users@lists.freeradius.org Objet : FreeRadius + Ldap + TLS/SSL
When i saw that error, i check ldap logs. My ldap is configure with SSL not a TLS. Now i have a problem with configure freeradius to work with SSL ldap not TLS ldap :(
I have in radiusd.conf:
server = "ldap" port = 636 #port = 389 ... filter = "(uid=%u)" base_filter = "(objectclass=radiusprofile)" start_tls = no
This last line is ok: it will ask not to try Start-TLS connection.
# tls_cacertfile = /path/to/cacert.pem tls_cacertfile = /etc/freeradius/cert/ca.crt # tls_cacertdir = /path/to/ca/dir/
tls_cacertdir = /etc/freeradius/cert/ tls_cacertdir = /etc/freeradius/cert/
Why do you have both tls_cacertfile and tls_cacertdir ?
# tls_certfile = /path/to/radius.crt tls_certfile = /etc/freeradius/cert/radius.crt # tls_keyfile = /path/to/radius.key tls_keyfile = /etc/freeradius/cert/radius.key
tls_certfile and tls_keyfile are used to make the radius server authenticate itself to the ldap server. This is not mandatory, if you're not willing to authenticate the radius server to the ldap server, then you can ommit these two lines. However, if you are trying to authenticate the radius server to the ldap server with certificates, then check that the CA that has signed the radius' certificate is known by the ldap server.
#tls_mode = yes
Argh... I think you have to uncomment this line. HTH, Thibault
Thx It's works. But I have another question: -In freeradius log (freeradius -XXX -A) i see my password from ldap server, how i can crypt that password ? BR Kamyk On Dec 4, 2006, at 1:57 PM, Thibault Le Meur wrote:
-----Message d'origine----- De : freeradius-users-bounces+thibault.lemeur=supelec.fr@lists.free radius.org [mailto:freeradius-users-bounces+thibault.lemeur=supelec.fr@li sts.freeradius.org] De la part de Rafa³ Kamiñski Envoyé : lundi 4 décembre 2006 13:28 À : freeradius-users@lists.freeradius.org Objet : FreeRadius + Ldap + TLS/SSL
When i saw that error, i check ldap logs. My ldap is configure with SSL not a TLS. Now i have a problem with configure freeradius to work with SSL ldap not TLS ldap :(
I have in radiusd.conf:
server = "ldap" port = 636 #port = 389 ... filter = "(uid=%u)" base_filter = "(objectclass=radiusprofile)" start_tls = no
This last line is ok: it will ask not to try Start-TLS connection.
# tls_cacertfile = /path/to/cacert.pem tls_cacertfile = /etc/freeradius/cert/ca.crt # tls_cacertdir = /path/to/ca/dir/
tls_cacertdir = /etc/freeradius/cert/ tls_cacertdir = /etc/freeradius/cert/
Why do you have both tls_cacertfile and tls_cacertdir ?
# tls_certfile = /path/to/radius.crt tls_certfile = /etc/freeradius/cert/radius.crt # tls_keyfile = /path/to/radius.key tls_keyfile = /etc/freeradius/cert/radius.key
tls_certfile and tls_keyfile are used to make the radius server authenticate itself to the ldap server. This is not mandatory, if you're not willing to authenticate the radius server to the ldap server, then you can ommit these two lines.
However, if you are trying to authenticate the radius server to the ldap server with certificates, then check that the CA that has signed the radius' certificate is known by the ldap server.
#tls_mode = yes
Argh... I think you have to uncomment this line.
HTH, Thibault
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ users.html
Rafał Kamiński wrote:
-In freeradius log (freeradius -XXX -A) i see my password from ldap server, how i can crypt that password ?
You don't. Debugging mode is SUPPOSED to tell you what the passwords are, otherwise debugging mode is useless. if you don't want the passwords, don't run in debugging mode. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (3)
-
Alan DeKok -
Rafał Kamiński -
Thibault Le Meur