FreeRadius + Ldap + TLS/SSL

Rafał Kamiński rafal.kaminski at blstream.com
Mon Dec 4 14:32:14 CET 2006


Thanks, it works.

But I have another question:

-In the FreeRADIUS log (freeradius -XXX -A) I see my password from the LDAP
server; how can I encrypt that password?

BR Kamyk


On Dec 4, 2006, at 1:57 PM, Thibault Le Meur wrote:

>
>
>> -----Original Message-----
>> From:
>> freeradius-users-bounces+thibault.lemeur=supelec.fr at lists.free
>> radius.org
>> [mailto:freeradius-users-bounces+thibault.lemeur=supelec.fr at li
>> sts.freeradius.org] On behalf of Rafał Kamiński
>> Sent: Monday 4 December 2006 13:28
>> To: freeradius-users at lists.freeradius.org
>> Subject: FreeRadius + Ldap + TLS/SSL
>>
>>
>> When I saw that error, I checked the LDAP logs. My LDAP is configured with
>> SSL, not TLS. Now I have a problem configuring FreeRADIUS to work
>> with SSL LDAP, not TLS LDAP :(
>>
>> I have in radiusd.conf:
>>
>> server = "ldap"
>> port = 636
>> #port = 389
>> ...
>> filter = "(uid=%u)"
>> base_filter = "(objectclass=radiusprofile)"
>> start_tls = no
>
> This last line is OK: it tells it not to try a Start-TLS connection.
>
>> # tls_cacertfile        = /path/to/cacert.pem
>> tls_cacertfile = /etc/freeradius/cert/ca.crt
>> # tls_cacertdir         = /path/to/ca/dir/
>>
>> tls_cacertdir = /etc/freeradius/cert/
>> tls_cacertdir = /etc/freeradius/cert/
>
> Why do you have both tls_cacertfile and tls_cacertdir ?
>
>
>> # tls_certfile          = /path/to/radius.crt
>> tls_certfile = /etc/freeradius/cert/radius.crt
>> # tls_keyfile           = /path/to/radius.key
>> tls_keyfile = /etc/freeradius/cert/radius.key
>
> tls_certfile and tls_keyfile are used to make the radius server
> authenticate itself to the ldap server.
> This is not mandatory; if you're not willing to authenticate the
> radius server to the ldap server, then you can omit these two lines.
>
> However, if you are trying to authenticate the radius server to the
> ldap server with certificates, then check that the CA that has signed
> the radius' certificate is known by the ldap server.
>
>> #tls_mode = yes
>
> Argh... I think you have to uncomment this line.
>
> HTH,
> Thibault
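The thread turns on one mis-setting: an ldaps listener on port 636 with `tls_mode = yes` still commented out, plus a redundant `tls_cacertdir` and both `tls_cacertfile` and `tls_cacertdir` set at once. The checker below is an added example, not code from the thread or from FreeRADIUS; it parses an rlm_ldap fragment in the 1.x/2.x `key = value` syntax used above (FreeRADIUS 3.x uses `server = "ldaps://..."` instead) and reports the inconsistencies Thibault points out, with the posted fragment and a corrected one embedded as constructed input. File names and the rule set are assumptions drawn from the advice in the thread.

```python
"""Consistency check for an rlm_ldap fragment: ldaps (tls_mode) vs StartTLS.

Added example, not part of the mailing-list thread or of FreeRADIUS.
Rules encode the thread's advice for the 1.x/2.x config syntax:
  - port 636 (ldaps) needs tls_mode = yes and start_tls = no
  - tls_certfile and tls_keyfile go together (client certificate)
  - tls_cacertfile and tls_cacertdir: one is enough
"""
import re

LINE_RE = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$')


def parse_fragment(text):
    """Parse `key = value` lines into a dict, skipping blanks and '#' lines.

    Double-quoted values are unquoted. Lines that are not key = value (such
    as the "..." placeholder in the posted config) are ignored. Returns
    (settings, duplicate_keys); on a duplicate the last value wins here.
    """
    settings, duplicates = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        if key in settings:
            duplicates.append(key)
        settings[key] = value
    return settings, duplicates


def check_ldap_tls(text):
    """Return a list of (severity, message) findings; [] means consistent."""
    s, dups = parse_fragment(text)
    findings = [('warn', f'{k} is set more than once') for k in dups]
    port = s.get('port', '389')
    tls_mode = s.get('tls_mode', 'no').lower() == 'yes'
    start_tls = s.get('start_tls', 'no').lower() == 'yes'
    wants_tls = tls_mode or start_tls or port == '636'

    if port == '636':
        if not tls_mode:
            findings.append(('error', 'port 636 (ldaps) but tls_mode is not yes: '
                                      'the listener expects TLS from the first byte'))
        if start_tls:
            findings.append(('error', 'start_tls = yes on port 636: StartTLS upgrades '
                                      'a plain 389 connection in-band, ldaps does not'))
    elif tls_mode and start_tls:
        findings.append(('error', 'tls_mode = yes and start_tls = yes: pick one'))

    if wants_tls:
        if 'tls_cacertfile' not in s and 'tls_cacertdir' not in s:
            findings.append(('warn', 'TLS enabled but no tls_cacertfile/tls_cacertdir: '
                                     'the LDAP server certificate cannot be verified'))
        if 'tls_cacertfile' in s and 'tls_cacertdir' in s:
            findings.append(('warn', 'both tls_cacertfile and tls_cacertdir set; one is enough'))
    else:
        findings.append(('warn', 'no TLS at all: the bind password crosses the wire in clear'))

    if ('tls_certfile' in s) != ('tls_keyfile' in s):
        findings.append(('error', 'client certificate needs both tls_certfile and tls_keyfile'))
    return findings


# Constructed input: the fragment as posted in the thread.
POSTED = """\
server = "ldap"
port = 636
#port = 389
...
filter = "(uid=%u)"
base_filter = "(objectclass=radiusprofile)"
start_tls = no
tls_cacertfile = /etc/freeradius/cert/ca.crt
tls_cacertdir = /etc/freeradius/cert/
tls_cacertdir = /etc/freeradius/cert/
tls_certfile = /etc/freeradius/cert/radius.crt
tls_keyfile = /etc/freeradius/cert/radius.key
#tls_mode = yes
"""

# Constructed input: ldaps with tls_mode uncommented, a single CA file,
# and no client certificate (it is optional, as the reply notes).
FIXED = """\
server = "ldap"
port = 636
filter = "(uid=%u)"
base_filter = "(objectclass=radiusprofile)"
start_tls = no
tls_mode = yes
tls_cacertfile = /etc/freeradius/cert/ca.crt
"""

if __name__ == '__main__':
    for name, frag in (('posted', POSTED), ('fixed', FIXED)):
        print(name, check_ldap_tls(frag) or 'OK')
```

Run it as a script to see the posted fragment flagged (duplicate `tls_cacertdir`, missing `tls_mode`, both CA settings) and the corrected one reported as OK. The checker only reads the fragment; whether the CA file actually signs the LDAP server's certificate is something to confirm separately, for example by connecting to port 636 with `openssl s_client -CAfile /etc/freeradius/cert/ca.crt` and looking at the verify result.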
