ldap tls in freeradius

Frank Skovboel fs at secu.dk
Sun Nov 6 12:37:30 CET 2011

----- Original Message -----
> From: "Alan Buxey" <A.L.M.Buxey at lboro.ac.uk>
> To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
> Sent: Sunday, November 6, 2011 10:59:43 AM
> Subject: Re: ldap tls in freeradius
> Hi,
> >       tls {
> >          start_tls = no
> > 
> >            cacertfile      = /etc/raddb/certs/ca.pem
> >            cacertdir       = /etc/raddb/certs/
> >            certfile        = /etc/raddb/certs/server.crt
> >            keyfile         = /etc/raddb/certs/server.key
> >            randfile        = /etc/raddb/certs/random
> >            require_cert   = "never"
> are these certs for the LDAP connectin - or are these your main certs
> for the client connections - as the directory looks to be the same.
> ensure you have seperate config for your RADIUS<->LDAP connection...
> is the CRT file PEM readable?  - ie use openssl tool to check your
> cert

The snippet above is from the ldap setup.

I do not expect to use EAP, so the certs are only to connect to the ldap servers. I'm new to openssl, but I did manage to find the syntax for reading the PEM crt file with -noout -text, and it give me the certificate data.

The directory that I pointed to were the one that bootstrap automatically created. Do I need to create new certificates for the ldap lookup (if so is there a guide some where)?

What is required (eg. key = values etc) in order to do a secure LDAP lookup in a remote AD. I would also like (for testing) to ensure that the ldap lookup does not try to validate the ldap server certificate I assume that "require_cert" does this for me?


More information about the Freeradius-Users mailing list