authenticating to ldaps/tls
Thibault Le Meur
Thibault.LeMeur at supelec.fr
Thu Feb 12 12:13:54 CET 2009
Peter Param wrote:
> It is an LDAP server answering LDAPS connections (LDAP+SSL on port 636)... but it also supports the latter even though an ACL is set to not allow port 389.
>
> Using start_tls=no fails also.
Maybe, but keep it set to no.
> it seems to have a problem with the cert and/or cert directory:
>
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to ldap1.stvincents.com.au:636, authentication 0
> rlm_ldap: setting TLS mode to 1
> rlm_ldap: could not set LDAP_OPT_X_TLS option Success
>
?? This is confusing... could that mean that your LDAP library wasn't
compiled with SSL support? I'm not sure.
See
http://www.mail-archive.com/freeradius-users@lists.cistron.nl/msg09575.html
(but this is a rather old post).
> rlm_ldap: setting TLS CACert Directory to /etc/openssl/certs/
> rlm_ldap: could not set LDAP_OPT_X_TLS_CACERTDIR option to /etc/openssl/certs/
>
------------------
cacertfile = /etc/openssl/certs/SVMHS_CA_SSL_Server.cer
-----------------
The doc states that tls_cacertfile is a PEM-encoded file: I think your
CA cert is a DER-encoded one (a .cer extension usually is).
-----------
cacertdir = /etc/openssl/certs/
-----------
The doc states that tls_cacertdir is in "hash format" (see openssl verify).
Also check that the directory and files are accessible/readable by the
user running the RADIUS server.
My 2 cents,...
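The two fixes suggested above (convert the DER .cer to PEM for tls_cacertfile, and give tls_cacertdir an OpenSSL "hash format" directory) as a worked shell example. This is added here and is not code from the thread or from FreeRADIUS/OpenLDAP; it assumes only the openssl command-line tool. Because it has to run offline, it generates a throwaway self-signed CA and stores it DER-encoded to stand in for the SVMHS_CA_SSL_Server.cer file; the paths under $WORK, the CA name and the function names are all made up for the illustration. It builds the hashed directory by hand with `openssl x509 -subject_hash` so the layout is visible; in practice `c_rehash` (or `openssl rehash` on newer OpenSSL) does the same thing for a whole directory.

```shell
#!/bin/sh
# Added example (not from the original thread). Shows DER -> PEM
# conversion and an OpenSSL hashed CA directory of the kind that
# tls_cacertdir / LDAP_OPT_X_TLS_CACERTDIR and `openssl verify -CApath`
# expect. $WORK and the CA subject below are assumptions for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Generate a throwaway CA and keep only a DER copy, as a typical .cer is
# distributed (constructed test input; use your real CA file instead).
make_der_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    openssl x509 -in "$WORK/ca.pem" -outform DER -out "$WORK/ca.cer"
    rm -f "$WORK/ca.pem"
}

# Print PEM, DER or UNKNOWN depending on which encoding OpenSSL can parse.
# A DER file handed to an option that wants PEM is exactly the mismatch
# suspected in the thread.
cert_encoding() {
    if openssl x509 -in "$1" -inform PEM -noout >/dev/null 2>&1; then
        echo PEM
    elif openssl x509 -in "$1" -inform DER -noout >/dev/null 2>&1; then
        echo DER
    else
        echo UNKNOWN
    fi
}

# Convert a DER certificate to the PEM form tls_cacertfile needs.
der_to_pem() {
    openssl x509 -in "$1" -inform DER -out "$2" -outform PEM
}

# Build a hashed CA directory: one <subject_hash>.0 file per CA cert,
# world-readable so the (non-root) RADIUS user can open it.
# Prints the path of the hashed file.
build_cacertdir() {
    pem="$1"; dir="$2"
    mkdir -p "$dir"
    hash=$(openssl x509 -in "$pem" -noout -subject_hash)
    cp "$pem" "$dir/$hash.0"
    chmod 755 "$dir"
    chmod 644 "$dir/$hash.0"
    echo "$dir/$hash.0"
}

# Confirm the directory actually works as a trust store: this is the
# lookup the LDAP library performs when it validates the server chain.
verify_with_capath() {
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

# Stand-alone run: reproduce the DER .cer, fix it, verify the result.
run_demo() {
    make_der_ca
    echo "ca.cer is $(cert_encoding "$WORK/ca.cer")"
    der_to_pem "$WORK/ca.cer" "$WORK/ca.pem"
    echo "ca.pem is $(cert_encoding "$WORK/ca.pem")"
    hashed=$(build_cacertdir "$WORK/ca.pem" "$WORK/certs")
    echo "hashed CA file: $hashed"
    if verify_with_capath "$WORK/ca.pem" "$WORK/certs"; then
        echo "cacertdir verifies OK"
    else
        echo "cacertdir does NOT verify" >&2
        return 1
    fi
}

run_demo
```

With the real file, the equivalent would be `openssl x509 -inform DER -in SVMHS_CA_SSL_Server.cer -out SVMHS_CA_SSL_Server.pem` for tls_cacertfile, and `c_rehash /etc/openssl/certs/` for tls_cacertdir, followed by a check that the radiusd user can read both (for example `sudo -u <radius user> openssl verify -CApath /etc/openssl/certs/ SVMHS_CA_SSL_Server.pem`).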