Check certificate revocation when using LDAP/TLS

Benjamin Bouilhac bouilhac.benjamin at
Wed Mar 8 14:43:01 UTC 2023

Thanks for the fast feedback Alan ! I'll look more into that
De : Freeradius-Users < at> de la part de Alan DeKok <aland at>
Envoyé : mercredi 8 mars 2023 14:38
À : FreeRadius users mailing list <freeradius-users at>
Objet : Re: Check certificate revocation when using LDAP/TLS

On Mar 8, 2023, at 8:30 AM, Benjamin Bouilhac <bouilhac.benjamin at> wrote:
> My FreeRADIUS is talking to an LDAP directory (OpenLDAP) over TLS and I need to check the revocation status of the LDAP server's certificate using a CRL.

  That is really a property of the libldap library and its APIs.  That library handles all of the TLS magic for the LDAP protocol.

  The FreeRADIUS "tls" configuration just maps the configuration items to libldap API parameters.

> I tried adding check_crl in the tls section (of the LDAP module) but to no avail (see debug output below : check_crl is ignored when parsing the configuration) :

  Yes.  If it's not documented as working, it doesn't work.

  A little google-fu shows this:

  So it is possible to do, it just requires more code in rlm_ldap.  Patches are always welcome...

> I know checking the revocation status of EAP client's certificate is well supported (in mods-available/eap) but I was wondering whether checking the revocation status of "backend" servers' certificates was as well and if so what I did wrong.

  You did nothing wrong.  It's not just implemented.

  For EAP and RADIUS/TLS, FreeRADIUS implements EAP, RADIUS. and the interaction with TLS.  For LDAP, we just hand everything off to OpenLDAP, and it does the work.

  So if we implement some TLS checks for EAP, they pretty much work for free in RADIUS/TLS.  And we can't leverage that work for libldap, because the APIs are completely different.

  Alan DeKok.

List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list