authenticating to ldaps/tls

Peter Param pparam at stvincents.com.au
Thu Feb 12 11:27:20 CET 2009


It is an LDAP server answering on LDAPS connections (LDAP+SSL on port 636) ... but it also supports the latter, even though an ACL is set to not allow port 389.

Using start_tls=no fails also; it seems to have a problem with the cert and/or cert directory:

rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap1.stvincents.com.au:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: could not set LDAP_OPT_X_TLS option Success
rlm_ldap: setting TLS CACert Directory to /etc/openssl/certs/
rlm_ldap: could not set LDAP_OPT_X_TLS_CACERTDIR option to /etc/openssl/certs/

cheers

Peter




>>> Thibault.LeMeur at supelec.fr 12/02/2009 9:04 pm >>>
Peter Param wrote:
> Hi all,
>
> I'm trying to authenticate to a LDAPS backend but failing.  Any suggestions?
>   
Is it an LDAP server answering on LDAPS connections (LDAP+SSL on port 
636) or an LDAP server answering on LDAP connections that are then 
secured by Start-TLS  (LDAP on port 389 + Start-TLS)  ?

These are 2 different options.


> ldap people_search {
>                 server = "ldap1.stvincents.com.au"
>                 port = 636
>   

==> This implies an ldaps server

>                 identity = "cn=admin,o=org,c=au"
>                 password = ***
>                 filter = "(cn=%u)"
>                 basedn = "ou=people,ou=darlinghurst,ou=nsw,o=schs,c=au"
>                 tls {
>                         tls_mode = yes
>                         # to the LDAP database by using the StartTLS extended
>                         # operation.
>                         #
>                         # The StartTLS operation is supposed to be
>                         # used with normal ldap connections instead of
>                         # using ldaps (port 689) connections
>                         start_tls = yes
>   
==> this is not compliant with an ldaps server
use start_tls=no

By the way, Alan and other Gurus, I think there is a small typo in the 
comment:

# using ldaps (port 689) connections

Should be

# using ldaps (port 636) connections


HTH,
Thibault
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
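The two configurations the reply above distinguishes (LDAPS on 636 with start_tls=no, StartTLS on 389 with start_tls=yes), written out side by side as an added example. This is not code from the thread or from the FreeRADIUS distribution; it uses the FreeRADIUS 2.x rlm_ldap syntax seen in the quoted config, reuses the thread's server name and DNs, and the password and certificate paths are placeholders:

```conf
# Two rlm_ldap instances (FreeRADIUS 2.x module syntax). The server,
# identity and basedn come from the thread; "CHANGEME" and the CA file
# path are placeholders.

# LDAPS: TLS is negotiated before any LDAP PDU is sent, so the module
# opens the socket as TLS itself and must not issue StartTLS. Sending
# StartTLS to 636 is a cleartext LDAP request to a port that expects a
# TLS handshake, which is why start_tls=yes cannot work here.
ldap people_search_ldaps {
        server = "ldap1.stvincents.com.au"
        port = 636
        identity = "cn=admin,o=org,c=au"
        password = "CHANGEME"
        basedn = "ou=people,ou=darlinghurst,ou=nsw,o=schs,c=au"
        filter = "(cn=%u)"
        tls {
                tls_mode = yes          # open the connection as TLS (ldaps)
                start_tls = no          # no StartTLS on an ldaps port

                # Either a single CA file or a CA directory. A cacertdir
                # must be an OpenSSL hash-style directory (run c_rehash
                # on it); a plain directory of PEM files is not searched.
                cacertfile = /etc/openssl/certs/stvincents-ca.pem
                # cacertdir = /etc/openssl/certs/

                # "demand": refuse the connection unless the server
                # certificate chains to the CA above and matches the
                # host name. Anything weaker still encrypts the admin
                # bind password but no longer checks who receives it.
                require_cert = "demand"
        }
}

# StartTLS: connect in the clear on 389, then upgrade the session with
# the StartTLS extended operation before the bind is sent.
ldap people_search_starttls {
        server = "ldap1.stvincents.com.au"
        port = 389
        identity = "cn=admin,o=org,c=au"
        password = "CHANGEME"
        basedn = "ou=people,ou=darlinghurst,ou=nsw,o=schs,c=au"
        filter = "(cn=%u)"
        tls {
                tls_mode = no           # plain socket first
                start_tls = yes         # then StartTLS, before the bind
                cacertfile = /etc/openssl/certs/stvincents-ca.pem
                require_cert = "demand"
        }
}
```

Use whichever instance matches what the directory actually offers, and keep require_cert at "demand" in both: with "never" or "allow" the connection is encrypted but the server is not authenticated, and the cn=admin bind credential goes to whoever answers on that port. One thing to check, independent of this thread's server: the errors quoted above are raised while setting LDAP_OPT_X_TLS and LDAP_OPT_X_TLS_CACERTDIR, before any connection is attempted, and ldap_set_option rejects every LDAP_OPT_X_TLS* option when the libldap FreeRADIUS is linked against was built without TLS support, so that build is worth confirming before hunting for a certificate problem.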

