Multiple ldaps (SSL) backends and only the first queried works. Possible bug?
Alexander Clouter
alex at digriz.org.uk
Tue May 3 21:41:55 CEST 2011
Daniele Albrizio <albrizio at univ.trieste.it> wrote:
>
> I suspect the "cacertfile" attribute is not correctly re-instantiated
> and only the value of the first request is used to check against when
> instantiating a new ldaps connection.
>
Without a doubt the chaining is not working on your LDAP servers. What
is the full output of:
openssl s_client -connect myAD.ds.units.it:636 -showcerts
openssl s_client -connect myopenldap.units.it:636 -showcerts
You can pipe the server cert (cut'n'paste on stdin) through the
following to see the useful parts of the certs:
openssl x509 -noout -text
You probably will find if you change those tls 'demands' to 'never'
things work, but then it kinda is self defeating :)
Cheers
--
Alexander Clouter
.sigmonster says: You can't break eggs without making an omelet.
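One way to automate the check Alexander describes, as an added example that is not part of the original post: it captures the chain an LDAPS backend presents with `openssl s_client -showcerts`, splits the PEM blocks into files, and verifies the leaf against the CA file you would point `cacertfile` at, using any extra certificates the server sent as untrusted intermediates. A failing `verify_chain` is the same "chaining not working" condition that makes the tls `demand` setting reject the server. The openssl CLI is assumed to be installed; host names, ports and file paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the mailing-list post). Assumes the openssl CLI is
# installed; host names, ports and file paths below are placeholders.

# Split the PEM certificates found in `openssl s_client -showcerts` output
# (read on stdin) into DIR/cert0.pem (the leaf), DIR/cert1.pem, ...
# Prints the number of certificates found.
split_chain() {
    dir="$1"
    mkdir -p "$dir"
    awk -v dir="$dir" '
        BEGIN { n = 0; out = "" }
        /-----BEGIN CERTIFICATE-----/ { out = dir "/cert" n ".pem"; n++ }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
        END { print n }
    '
}

# Verify the leaf (cert0.pem) against CAFILE, passing any further certificates
# the server sent as -untrusted intermediates. Returns openssl's exit status:
# 0 means the chain links to the CA, non-zero means it does not.
verify_chain() {
    cafile="$1"; dir="$2"
    untrusted=""
    for f in "$dir"/cert[1-9]*.pem; do
        [ -f "$f" ] && untrusted="$untrusted -untrusted $f"
    done
    # $untrusted is intentionally unquoted so it expands to several arguments
    openssl verify -CAfile "$cafile" $untrusted "$dir/cert0.pem" >/dev/null 2>&1
}

# Fetch the chain from a live LDAPS server and verify it against CAFILE.
# Usage: check_ldaps_backend myAD.ds.units.it 636 /etc/raddb/certs/ad-ca.pem
check_ldaps_backend() {
    host="$1"; port="${2:-636}"; cafile="$3"
    dir=$(mktemp -d)
    openssl s_client -connect "$host:$port" -showcerts </dev/null 2>/dev/null \
        | split_chain "$dir" >/dev/null
    verify_chain "$cafile" "$dir"
    rc=$?
    rm -rf "$dir"
    return $rc
}
```

Run `check_ldaps_backend` once per backend with the CA file that backend's `cacertfile` names; if one of them fails while the other passes, the server's chain (not the module) is the first thing to fix.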
More information about the Freeradius-Users mailing list