ldap tls in freeradius

Frank Skovboel fs at secu.dk
Sun Nov 6 12:46:23 CET 2011

> > [ldap_CustA] setting TLS Key File to /etc/raddb/certs/server.key
> > [ldap_CustA] setting TLS Key File to /etc/raddb/certs/random
> This is a logging bug in FreeRADIUS; the code seems to have been copy &
> pasted. It *is* setting the randfile option, but it's logging the wrong
> thing (key file). It can be ignored.

Okay thank you.

> > [ldap_CustA] bind as user at domain.local/PASSWORD to
> > TLS: could not add the certificate PEM Token #0:server.crt - 0 - error
> > -8192:Unknown code ___f 0.
> > TLS: error: could not initialize moznss security context - error
> > -8192:Unknown code ___f 0
> Well that's a new one on me.
> Which version of FreeRADIUS are you using, on which OS? Which LDAP
> libraries are you linking against?

I did not compile it; I used yum (CentOS) to install it. Is there any way for me to see this?

> I'm guessing you're on a RedHat based system, judging from the fact the
> LDAP libraries seem to be using Mozilla NSS rather than OpenSSL under
> the hood?

Yes, it's CentOS.

> Where did "server.crt" come from? I presume it's a copy of the LDAP
> server cert, signed by the CA in "ca.pem"? Do you need it? You can
> probably just give the CA cert, for a connection to an LDAP server.

They were all generated by bootstrap as part of the default installation.

I'll try with only giving the cacertfile and cacertdir.

When doing that I get the following (sanitized):
  [ldap_CustA] setting TLS mode to 1
  [ldap_CustA] setting TLS CACert File to /etc/raddb/certs/ca.pem
  [ldap_CustA] setting TLS CACert Directory to /etc/raddb/certs/
  [ldap_CustA] setting TLS Require Cert to never
  [ldap_CustA] bind as MyUser at domain.local/MyPassword to
TLS: certificate [CN=server.domain.local] is not valid - CA cert is not valid
TLS: certificate [CN=server.domain.local] is not valid - error -8102:Unknown code ___f 90.
TLS: certificate [CN=server.domain.local] is not valid - error -8172:Unknown code ___f 20.
TLS: error: connect - force handshake failure: errno 0 - moznss error -8157
TLS: can't connect: TLS error -8157:Unknown code ___f 35.
  [ldap_CustA] MyUser at domain.local bind to failed: Can't contact LDAP server
  [ldap_CustA] (re)connection attempt failed

If I'm reading that correctly, the certificates in the AD are not set up right?
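Two checks a practitioner would run on the setup above, added here as an example and not part of the thread or of FreeRADIUS itself: which TLS library the yum-installed LDAP client library is linked against (the "moznss" messages point at libldap built on Mozilla NSS rather than OpenSSL), and whether the CA file handed to rlm_ldap actually issued the domain controller's LDAPS certificate (the ca.pem from the bootstrap script signs the RADIUS server's own EAP certificate, not anything in AD). The module path, the DC host name and the AD CA file path are assumptions.

```shell
#!/bin/sh
# Added example; paths and host names below are hypothetical.

# Classify the TLS backend of an LDAP client library from `ldd` output read
# on stdin. Prints "nss", "openssl", "both" or "none".
tls_backend_from_ldd() {
    nss=0; ossl=0
    while IFS= read -r line; do
        case "$line" in
            *libnss3.so*|*libssl3.so*)  nss=1 ;;   # Mozilla NSS
            *libssl.so*|*libcrypto.so*) ossl=1 ;;  # OpenSSL
        esac
    done
    if [ "$nss" = 1 ] && [ "$ossl" = 1 ]; then echo both
    elif [ "$nss" = 1 ]; then echo nss
    elif [ "$ossl" = 1 ]; then echo openssl
    else echo none
    fi
}

# Verify the chain the domain controller presents on LDAPS against a CA
# file. Succeeds only when openssl reports "Verify return code: 0 (ok)",
# i.e. the given CA really issued the DC's certificate. If this fails with
# the bootstrap ca.pem but succeeds with the AD CA export, the fix is to
# point cacertfile at the AD CA, not to leave require_cert at "never"
# (which skips certificate verification entirely).
check_ldaps_chain() {   # usage: check_ldaps_chain host[:port] cafile
    host=$1; cafile=$2
    case "$host" in *:*) ;; *) host="$host:636" ;; esac
    openssl s_client -connect "$host" -servername "${host%%:*}" \
        -CAfile "$cafile" -showcerts </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

# Run the checks only when invoked as: sh thisfile.sh run
if [ "${1:-}" = run ]; then
    # hypothetical module path for a CentOS package install
    ldd /usr/lib64/freeradius/rlm_ldap.so | tls_backend_from_ldd
    # hypothetical DC name and AD CA file
    if check_ldaps_chain dc1.domain.local /etc/raddb/certs/ad-ca.pem; then
        echo "DC certificate chains to the given CA"
    else
        echo "DC certificate does NOT chain to the given CA"
    fi
fi
```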