Ability to disable SSL certificate checking for LDAPS (636)?

Chris Wopat me at falz.net
Fri Apr 26 12:31:45 UTC 2024


We were able to get this working. Somehow one of the vendor-specific
dictionaries we have, which was copied over from the old server, had some
weird stuff in it:

VENDOR Infinera 21296
BEGIN-VENDOR Infinera
# These three lines reuse the names (and numbers) of standard RFC 2865
# attributes inside the vendor block; commenting them out fixed the problem.
ATTRIBUTE User-Name 1 string
ATTRIBUTE User-Password 2 string encrypt=1
ATTRIBUTE Reply-Message 18 string

Why were those 3 attributes in the vendor definition? I have no idea,
but they were. This version has a default 'dictionary.infinera' in
/usr/share; the old one didn't. I commented them out from that vendor
definition.

I commented out those attributes from here (they're global, right?)
and it all worked, including LDAPS. What I believe was happening with
my original issue was

1) the username wasn't actually passed to the LDAP query
2) AD did some 'referral' thing, searching for those 'DomainDNSZones' servers
3) that failed the SSL cert check, since they're not in the certificate name

Since step 1 is now fixed, it doesn't do the step 2 "extra referral"
check on weird domain names.

Sorry for the noise.

--Chris
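A check for the situation described in this thread, added here as an example and not taken from the post or from FreeRADIUS itself: it scans a dictionary file for ATTRIBUTE lines inside a BEGIN-VENDOR block that reuse the name of a standard RFC 2865 attribute, which is the pattern the poster found in the copied-over dictionary. The set of standard names and the sample dictionary text are constructed for the example.

```python
"""Lint a FreeRADIUS dictionary for vendor-scoped ATTRIBUTE definitions
that reuse standard RFC 2865 attribute names (example, not FreeRADIUS code)."""

# Constructed subset of RFC 2865 attribute names used as the reference list.
STANDARD_ATTRIBUTES = {
    "User-Name", "User-Password", "CHAP-Password", "NAS-IP-Address",
    "NAS-Port", "Service-Type", "Framed-Protocol", "Framed-IP-Address",
    "Reply-Message", "State", "Class", "Vendor-Specific", "Session-Timeout",
    "Called-Station-Id", "Calling-Station-Id", "NAS-Identifier",
}


def find_shadowed_attributes(text):
    """Return [(line_no, vendor, attr_name)] for every ATTRIBUTE line that
    sits between BEGIN-VENDOR and END-VENDOR and reuses a standard name."""
    findings = []
    vendor = None  # name of the vendor block we are currently inside, if any
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        keyword = parts[0].upper()
        if keyword == "BEGIN-VENDOR" and len(parts) >= 2:
            vendor = parts[1]
        elif keyword == "END-VENDOR":
            vendor = None
        elif keyword == "ATTRIBUTE" and vendor and len(parts) >= 4:
            # ATTRIBUTE <name> <number> <type> [flags]
            if parts[1] in STANDARD_ATTRIBUTES:
                findings.append((line_no, vendor, parts[1]))
    return findings


# Constructed sample modelled on the vendor dictionary quoted in the post.
SAMPLE = """\
VENDOR Infinera 21296
BEGIN-VENDOR Infinera
ATTRIBUTE User-Name 1 string
ATTRIBUTE User-Password 2 string encrypt=1
ATTRIBUTE Reply-Message 18 string
ATTRIBUTE Infinera-Example-Level 30 integer   # hypothetical vendor attribute
END-VENDOR Infinera
"""

if __name__ == "__main__":
    for line_no, vendor, name in find_shadowed_attributes(SAMPLE):
        print(f"line {line_no}: vendor {vendor} redefines standard attribute {name}")
```

Run it over /usr/share/freeradius/dictionary.* (path may differ by distribution) to see whether any vendor block on a migrated server carries the same kind of leftover definitions.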