deactivate ldap.attrmap [SEC=UNCLASSIFIED]

Ranner, Frank MR Frank.Ranner at
Fri Feb 1 02:04:41 CET 2008


-----Original Message-----
From: at lists.freeradius.or
[ at lists.freer] On Behalf Of Sebastian Heil
Sent: Wednesday, 30 January 2008 20:08
To: FreeRadius users mailing list
Subject: Re: deactivate ldap.attrmap

Hello again,

> Sebastian Heil wrote:
> > Is there a way to deactivate the ldap.attrmap file?
>   Edit the source code & re-compile.

Maybe I will try it... never done before... :-) Thanks anyway.

I have got another problem. Since the authentication via LDAP now works
quite OK, I would like to try LDAPS together with eDirectory.

What do I have to configure?

I already imported the root certificate and configured the tls section
of the ldap section like this:

tls {
        start_tls = yes
        cacertfile = /etc/raddb/certs/tc_class2.pem
        require_cert = "demand"
}

But it doesn't work like this...

I added the following lines to the ldap section:

port = 636
tls_mode = yes
tls_require_cert = demand

And it doesn't work either...

Part of the debug output:

rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ************:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /etc/raddb/certs/tc_class2.pem
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: starting TLS
rlm_ldap: ldap_start_tls_s()
rlm_ldap: could not start TLS Can't contact LDAP server
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0

Any ideas?


I have seen the later comments in the thread, but I think the problem is
that you need to choose whether to use TLS or SSL. If you use TLS, you
should connect to port 389 and issue StartTLS. If you use SSL, you
connect to 636 and don't do StartTLS. Doing both, i.e. connecting to 636
and issuing StartTLS, is probably a bad thing.

Another thing you could try is to set up an OpenLDAP server on a Linux
box. You can run the server with debugging switched on and see the
entire certificate negotiation from the server's point of view.

Frank Ranner
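To make the two valid combinations Frank describes concrete, here is an added example (not a fragment from this thread or from the FreeRADIUS distribution) of an rlm_ldap module definition in the FreeRADIUS 2.0-era syntax the poster used. The hostname and CA path are placeholders. The poster's debug output shows both the flat tls_mode key and the cacertfile key inside the tls { } subsection taking effect, so both spellings are assumed to be parsed by this version; only one of (a) or (b) should exist in a real module definition.

```text
# Added example, not from the thread.  Hostname and CA path are placeholders.
# Keep exactly one of (a) or (b) as your ldap module definition.

# (a) LDAPS: TLS from the first byte on port 636, no StartTLS.
#     tls_mode = yes wraps the TCP connection in TLS before any LDAP
#     traffic is sent.  start_tls stays "no": StartTLS is an LDAP extended
#     operation that upgrades a plaintext session, and there is nothing
#     to upgrade once the socket is already TLS.
ldap {
        server = "ldap.example.com"             # placeholder
        port = 636
        tls_mode = yes
        tls {
                start_tls = no
                cacertfile = /etc/raddb/certs/ca.pem   # placeholder: CA that issued the server cert
                require_cert = "demand"         # fail closed if the server cert does not verify
        }
}

# (b) StartTLS: plaintext TCP to port 389, then the client asks to upgrade.
ldap {
        server = "ldap.example.com"             # placeholder
        port = 389
        tls {
                start_tls = yes
                cacertfile = /etc/raddb/certs/ca.pem   # placeholder
                require_cert = "demand"
        }
}

# (c) The combination from the thread: implicit TLS on 636 AND a StartTLS
#     request on top of it.  The poster's debug shows this failing in
#     ldap_start_tls_s() with "Can't contact LDAP server".  Do not use.
# ldap {
#         port = 636
#         tls_mode = yes
#         tls {
#                 start_tls = yes
#         }
# }
```

Before touching the RADIUS config it is worth confirming which mode the directory actually offers, from the RADIUS host itself: `openssl s_client -connect ldap.example.com:636 -CAfile /etc/raddb/certs/ca.pem` should print the server chain and end with "Verify return code: 0 (ok)" for variant (a), and `ldapsearch -ZZ -x -H ldap://ldap.example.com:389 -b "" -s base` (the doubled -Z makes ldapsearch abort unless StartTLS succeeds) exercises variant (b). With require_cert = "demand", OpenLDAP's client library also checks that the name you connect to matches the server certificate, so use the DNS name from the certificate in `server`, not an IP address, and make sure cacertfile contains the issuing CA rather than just any trusted root.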