authenticating to ldaps/tls

Thibault Le Meur Thibault.LeMeur at
Thu Feb 12 12:13:54 CET 2009

Peter Param wrote:
> it is an LDAP server answering on LDAPS connections (LDAP+SSL on port 636)   ...but it also supports the latter even though an ACL is set to not allow port 389
> use start_tls=no fails also,
Maybe, but keep it at no.

>  it seems to have a problem with the cert and/or cert directory:
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to, authentication 0
> rlm_ldap: setting TLS mode to 1
> rlm_ldap: could not set LDAP_OPT_X_TLS option Success
?? This is confusing... could that mean that your LDAP library wasn't 
compiled with SSL support? I'm not sure
(but this is a rather old post).

> rlm_ldap: setting TLS CACert Directory to /etc/openssl/certs/
> rlm_ldap: could not set LDAP_OPT_X_TLS_CACERTDIR option to /etc/openssl/certs/


cacertfile    = /etc/openssl/certs/SVMHS_CA_SSL_Server.cer

The doc states that tls_cacertfile is a PEM-encoded file: I think your 
CA cert is a DER-encoded one (files with the .cer extension usually are).


cacertdir     = /etc/openssl/certs/


The doc states that tls_cacertdir is in "hash format" (see openssl verify).

Also check that the directory and files are accessible/readable by the 
user running the radius server.

My 2 cents,...
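The three checks above (PEM vs DER, hashed cacertdir, readability by the radiusd user) as one added example script. This is not from the original post or from the FreeRADIUS project: it builds a throwaway self-signed CA as a stand-in for SVMHS_CA_SSL_Server.cer, and every path and function name in it is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original post. Prepares a CA cert and a
# hashed CA directory of the kind rlm_ldap's tls_cacertfile / tls_cacertdir
# options expect, then checks the result with "openssl verify".
set -e

WORK=$(mktemp -d)
DER_CA="$WORK/SVMHS_CA_SSL_Server.cer"   # DER, as a .cer file often is (assumed name)
PEM_CA="$WORK/ca.pem"                    # PEM: what tls_cacertfile wants
CERT_DIR="$WORK/certs"                   # hashed dir: what tls_cacertdir wants

# Constructed sample CA: self-signed, written directly as DER so that the
# conversion below has a realistic input. Stands in for the real CA file.
make_sample_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Sample LDAP CA" \
        -keyout "$WORK/ca.key" -outform DER -out "$DER_CA" 2>/dev/null
}

# Tell PEM (text with a "-----BEGIN" line) from DER (binary ASN.1).
cert_format() {
    if grep -q -- '-----BEGIN' "$1"; then echo PEM; else echo DER; fi
}

# Convert DER -> PEM; copy PEM through unchanged.
to_pem() {
    if [ "$(cert_format "$1")" = DER ]; then
        openssl x509 -inform DER -in "$1" -out "$2"
    else
        cp "$1" "$2"
    fi
}

# Populate a hashed CA directory: each cert gets a symlink <subject_hash>.0,
# which is the layout "openssl verify -CApath" (and the LDAP library's
# CACERTDIR option) look up certificates by.
build_hashed_dir() {
    dir=$1; shift
    mkdir -p "$dir"
    for pem in "$@"; do
        cp "$pem" "$dir/"
        h=$(openssl x509 -noout -hash -in "$pem")
        ln -sf "$(basename "$pem")" "$dir/$h.0"
    done
}

# Succeeds only if every directory is world-searchable and every file
# world-readable, i.e. reachable by an unprivileged radiusd user.
readable_by_others() {
    find "$1" \( -type d ! -perm -005 \) -o \( -type f ! -perm -004 \) \
        | grep -q . && return 1
    return 0
}

# The good cases: the PEM file used as CAfile, and the hashed dir as CApath.
verify_with_file() { openssl verify -CAfile "$PEM_CA" "$PEM_CA" >/dev/null 2>&1; }
verify_with_dir()  { openssl verify -CApath "$CERT_DIR" "$PEM_CA" >/dev/null 2>&1; }

# The failure mode from the thread: handing a DER file where PEM is expected.
# Returns 0 when openssl rejects it, as it should.
der_as_cafile_is_rejected() {
    ! openssl verify -CAfile "$DER_CA" "$PEM_CA" >/dev/null 2>&1
}

demo() {
    make_sample_ca
    echo "original file is $(cert_format "$DER_CA")"
    to_pem "$DER_CA" "$PEM_CA"
    build_hashed_dir "$CERT_DIR" "$PEM_CA"
    chmod 755 "$CERT_DIR"; chmod 644 "$CERT_DIR"/*.pem
    verify_with_file && echo "tls_cacertfile candidate: $PEM_CA"
    verify_with_dir  && echo "tls_cacertdir candidate:  $CERT_DIR"
    readable_by_others "$CERT_DIR" || echo "WARNING: $CERT_DIR not readable by radiusd user"
}

demo
```

With the two paths printed by demo, the matching rlm_ldap settings would be tls_cacertfile pointing at the .pem file and tls_cacertdir at the hashed directory; on OpenSSL 1.1.0 and later, `openssl rehash DIR` (or the older c_rehash script) creates the same hash symlinks for an existing directory of PEM files.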

More information about the Freeradius-Users mailing list