FreeRadius + Ldap + TLS/SSL
Thibault Le Meur
Thibault.LeMeur at supelec.fr
Mon Dec 4 13:57:25 CET 2006
> -----Original Message-----
> From: freeradius-users-bounces+thibault.lemeur=supelec.fr at lists.freeradius.org
> [mailto:freeradius-users-bounces+thibault.lemeur=supelec.fr at lists.freeradius.org] On behalf of Rafał Kamiński
> Sent: Monday 4 December 2006 13:28
> To: freeradius-users at lists.freeradius.org
> Subject: FreeRadius + Ldap + TLS/SSL
>
>
> When I saw that error, I checked the ldap logs. My ldap is configured with
> SSL, not TLS. Now I have a problem configuring freeradius to work
> with SSL ldap, not TLS ldap :(
>
> I have in radiusd.conf:
>
> server = "ldap"
> port = 636
> #port = 389
> ...
> filter = "(uid=%u)"
> base_filter = "(objectclass=radiusprofile)"
> start_tls = no
This last line is ok: it will ask not to try a Start-TLS connection.
> # tls_cacertfile = /path/to/cacert.pem
> tls_cacertfile = /etc/freeradius/cert/ca.crt
> # tls_cacertdir = /path/to/ca/dir/
>
> tls_cacertdir = /etc/freeradius/cert/
> tls_cacertdir = /etc/freeradius/cert/
Why do you have both tls_cacertfile and tls_cacertdir?
> # tls_certfile = /path/to/radius.crt
> tls_certfile = /etc/freeradius/cert/radius.crt
> # tls_keyfile = /path/to/radius.key
> tls_keyfile = /etc/freeradius/cert/radius.key
tls_certfile and tls_keyfile are used to make the radius server authenticate
itself to the ldap server.
This is not mandatory: if you're not willing to authenticate the radius
server to the ldap server, then you can omit these two lines.
However, if you are trying to authenticate the radius server to the ldap
server with certificates, then check that the CA that has signed the radius
server's certificate is known by the ldap server.
> #tls_mode = yes
Argh... I think you have to uncomment this line.
HTH,
Thibault
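The points raised in this reply (LDAPS on port 636 needs tls_mode, start_tls belongs to port 389, pick one CA directive, certfile and keyfile go together) can be turned into a quick lint of the rlm_ldap fragment. This is an added example, not code from the thread or from FreeRADIUS; the sample fragment is a constructed copy of the quoted config, and the rule that tls_mode and start_tls should not both be enabled is an assumption about rlm_ldap of that era, not something the reply states.

```python
import re

# Constructed sample mirroring the rlm_ldap fragment quoted in the thread
# (port 636, start_tls = no, tls_mode commented out, both CA directives set).
SAMPLE_CONF = """
server = "ldap"
port = 636
#port = 389
filter = "(uid=%u)"
base_filter = "(objectclass=radiusprofile)"
start_tls = no
tls_cacertfile = /etc/freeradius/cert/ca.crt
tls_cacertdir = /etc/freeradius/cert/
tls_certfile = /etc/freeradius/cert/radius.crt
tls_keyfile = /etc/freeradius/cert/radius.key
#tls_mode = yes
"""

def parse_ldap_section(text):
    """Return {directive: value} for the uncommented 'key = value' lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # commented-out directives are not in effect
        m = re.match(r'^(\w+)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$', line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf

def lint_ldap_tls(conf):
    """Flag LDAPS / StartTLS settings that contradict each other."""
    issues = []
    port = conf.get("port", "389")
    tls_mode = conf.get("tls_mode", "no") == "yes"
    start_tls = conf.get("start_tls", "no") == "yes"
    if port == "636" and not tls_mode:
        issues.append("port 636 (ldaps) but tls_mode is not yes")
    if tls_mode and start_tls:
        issues.append("tls_mode and start_tls both enabled; choose one (assumed rule)")
    if start_tls and port == "636":
        issues.append("start_tls on port 636: StartTLS is used on the plain port (389)")
    if "tls_cacertfile" in conf and "tls_cacertdir" in conf:
        issues.append("both tls_cacertfile and tls_cacertdir set; keep one")
    if ("tls_certfile" in conf) != ("tls_keyfile" in conf):
        issues.append("tls_certfile and tls_keyfile must be set together")
    return issues

if __name__ == "__main__":
    for issue in lint_ldap_tls(parse_ldap_section(SAMPLE_CONF)):
        print("WARN:", issue)
```

Run against the sample it reports the two problems the reply points out (tls_mode still commented out, both CA directives present); uncommenting tls_mode and dropping tls_cacertdir makes it clean.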