authenticating to ldaps/tls

Thibault Le Meur Thibault.LeMeur at supelec.fr
Thu Feb 12 12:13:54 CET 2009


Peter Param wrote:
> it is an LDAP server answering on LDAPS connections (LDAP+SSL on port 636)   ...but it also supports the latter even though an ACL is set to not allow port 389
>
> use start_tls=no fails also,
Maybe, but keep it set to no.

>  it seems to have a problem with the cert and/or cert directory:
>
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to ldap1.stvincents.com.au:636, authentication 0
> rlm_ldap: setting TLS mode to 1
> rlm_ldap: could not set LDAP_OPT_X_TLS option Success
>   
?? This is confusing... Could that mean that your LDAP library wasn't 
compiled with SSL support? I'm not sure; see 
http://www.mail-archive.com/freeradius-users@lists.cistron.nl/msg09575.html 
(but this is a rather old post).

> rlm_ldap: setting TLS CACert Directory to /etc/openssl/certs/
> rlm_ldap: could not set LDAP_OPT_X_TLS_CACERTDIR option to /etc/openssl/certs/
>   

------------------

cacertfile    = /etc/openssl/certs/SVMHS_CA_SSL_Server.cer

-----------------
The doc states that tls_cacertfile is a PEM-encoded file: I think your 
CA cert is a DER-encoded one (a .cer extension usually is).

-----------

cacertdir     = /etc/openssl/certs/

-----------

The doc states that tls_cacertdir is in "hash format" (see openssl verify).

Also check that the directory and files are accessible/readable by the 
user running the radius server.

My 2 cents,...
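A small helper script, added here as an example (it is not from the thread or from FreeRADIUS), covering the two points above: it tells PEM from DER by inspecting the file, converts a DER .cer to the PEM form tls_cacertfile needs, and lays out a tls_cacertdir in the hashed form OpenSSL looks up. It assumes the openssl command line tool is installed; the paths in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes the openssl CLI.

# Report whether a certificate file is PEM or DER from its first bytes:
# PEM starts with a "-----BEGIN" banner, DER with the ASN.1 SEQUENCE tag 0x30.
cert_format() {
    if dd if="$1" bs=1 count=10 2>/dev/null | grep -q '^-----BEGIN'; then
        echo PEM
    elif [ "$(dd if="$1" bs=1 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "30" ]; then
        echo DER
    else
        echo UNKNOWN
    fi
}

# Convert a DER-encoded CA certificate (typical for a .cer file) to the PEM
# encoding that tls_cacertfile expects; PEM input is copied unchanged.
to_pem() {  # to_pem SRC DST
    case "$(cert_format "$1")" in
        PEM) cp "$1" "$2" ;;
        DER) openssl x509 -inform DER -in "$1" -out "$2" ;;
        *)   echo "unrecognised certificate format: $1" >&2; return 1 ;;
    esac
}

# Populate a tls_cacertdir: OpenSSL finds a CA by <subject hash>.N, so each
# PEM certificate is copied under that name (what c_rehash does as well).
build_cadir() {  # build_cadir DIR cert.pem...
    dir=$1; shift
    mkdir -p "$dir"
    for cert; do
        hash=$(openssl x509 -noout -hash -in "$cert") || return 1
        n=0
        while [ -e "$dir/$hash.$n" ]; do n=$((n + 1)); done
        cp "$cert" "$dir/$hash.$n"
    done
}

# Check both settings the way the LDAP library will use them (a self-signed
# CA verifies against itself). Readability by the radiusd user is separate.
check_setup() {  # check_setup CACERTFILE CACERTDIR CERT
    openssl verify -CAfile "$1" "$3" && openssl verify -CApath "$2" "$3"
}

# Usage: sh prepare_ca.sh /path/to/CA.cer /path/to/cacertdir   (placeholders)
if [ "$#" -eq 2 ]; then
    to_pem "$1" "$2/ca.pem" && build_cadir "$2" "$2/ca.pem" \
        && check_setup "$2/ca.pem" "$2" "$2/ca.pem"
fi
```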