ldap tls in freeradius

Alan Buxey A.L.M.Buxey at lboro.ac.uk
Sun Nov 6 13:50:41 CET 2011


> I do not expect to use EAP, so the certs are only to connect to the LDAP servers. I'm new to OpenSSL, but I did manage to find the syntax for reading the PEM crt file with -noout -text, and it gives me the certificate data.


> The directory that I pointed to was the one that bootstrap automatically created. Do I need to create new certificates for the LDAP lookup (if so, is there a guide somewhere)?

Err, yes. Those certs made by bootstrap are SSL certs for the EAP part of
the server - for clients to talk to your RADIUS server.

For you to use LDAP with TLS, you will need to get a copy of the CA file
for the CA that signs your LDAP server.... You can then also get a copy
of the LDAP cert if you wish to set it - though I think that can be automatically
provisioned in the TLS setup should you not wish to be paranoid.

> What is required (e.g. key = value etc.) in order to do a secure LDAP lookup in a remote AD? I would also like (for testing) to ensure that the LDAP lookup does not try to validate the LDAP server certificate. I assume that "require_cert" does this for me?

As above... get a copy of the CA file that signs the LDAP/AD server and get
a copy of the LDAP server cert. The stuff you've configured is for the EAP server.
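An added illustration, not part of the thread and not Alan's configuration, of what the rlm_ldap "tls" section looks like once the AD CA file is in place. Key names follow the FreeRADIUS 2.1.x raddb/modules/ldap layout (3.x renames them, e.g. cacertfile becomes ca_file); the host, bind DN, base DN and file paths are placeholders.

```conf
# raddb/modules/ldap (FreeRADIUS 2.1.x layout; 3.x renames these keys)
ldap {
	server = "dc1.example.local"        # placeholder AD domain controller
	port = 389                          # StartTLS upgrades the plain LDAP port
	identity = "cn=radius,cn=Users,dc=example,dc=local"   # placeholder bind DN
	password = "change-me"                                # placeholder
	basedn = "dc=example,dc=local"                        # placeholder
	filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"

	tls {
		start_tls = yes

		# PEM copy of the CA that signed the LDAP/AD server certificate.
		# This is what the module validates the server against; it is
		# NOT the EAP CA that bootstrap generated.
		cacertfile = /etc/raddb/certs/ad-ca.pem   # placeholder path

		# A client cert/key is only needed if the directory requires
		# mutual TLS; leave these unset otherwise.
		# certfile = /etc/raddb/certs/radius-ldap-client.crt
		# keyfile  = /etc/raddb/certs/radius-ldap-client.key

		# "demand": refuse the connection if the server certificate does
		# not validate against cacertfile. "never" is the setting that
		# skips validation for the testing case asked about above, and
		# belongs only on an isolated test box.
		require_cert = "demand"
	}
}
```

With require_cert set to "demand", a missing or wrong cacertfile shows up as a failed LDAP bind in radiusd -X output rather than as a silently unverified connection, which is the behaviour you want in production.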

