When you built rlm_ldap, you needed some sort of LDAP library for it. Usually, this is OpenLDAP. If you used something else, I'm not sure what to tell you. In my case, I built FreeRadius and the rlm_ldap module at the same time. I don't know what you did. I didn't install a certificate on the RADIUS server. I used an existing LDAP server run by IT which has a self-signed certificate on it. I don't know how they installed the certificate, and that would depend on the LDAP server in use anyway. As to validation, I haven't been able to get them to validate because FreeRadius is rejecting the self-signed certificate from the LDAP server.
I got the impression from your original email that you had the LDAP server already working with LDAPs. If that's not the case, you first need to get a working LDAPs server (LDAP over SSL). This is not something I can help you with.
Once that is done, getting RADIUS to be another client of that LDAPs server should simply be a matter of changing the port number in the radiusd.conf from what was working with the LDAP server.
Owen
--On Wednesday, June 18, 2003 10:51 -0600 Ron Wahler <[EMAIL PROTECTED]> wrote:
The OpenLDAP build was part of the freeradius build, or did you do them separately? Our LDAP is not on the server; it is on another box.
How did you get the certificates installed? How did you get them to validate?
-----Original Message----- From: Owen DeLong [mailto:[EMAIL PROTECTED] Sent: Wednesday, June 18, 2003 10:28 AM To: [EMAIL PROTECTED] Subject: RE: RADIUS + LDAP + TLS
No... The OpenLDAP libraries used to build Freeradius already handle all of that for you. At least in my case, it just worked, except for that niggling issue of the self-signed certificate. If your LDAP server is already set up to handle SSL connections, that should be all you need.
Owen
--On Wednesday, June 18, 2003 9:58 AM -0600 Ron Wahler <[EMAIL PROTECTED]> wrote:
Yes, but how do you set up the SSL tunnel and get the certificates to validate to the LDAP server? Are you using stunnel?
Ron.
-----Original Message----- From: Owen DeLong [mailto:[EMAIL PROTECTED] Sent: Wednesday, June 18, 2003 9:55 AM To: [EMAIL PROTECTED] Subject: RE: RADIUS + LDAP + TLS
Yes... Don't remember exactly where I found it, but, if you have LDAP working, then it's just a matter of adding a port=669 phrase to the configuration file (radiusd.conf) where you specify the ldap server.
Owen
--On Wednesday, June 18, 2003 9:40 AM -0600 Ron Wahler <[EMAIL PROTECTED]> wrote:
Is there a description someplace that would show how to set up an SSL connection from Freeradius to an external LDAP database?
Thanks, Ron.
-----Original Message----- From: Owen DeLong [mailto:[EMAIL PROTECTED] Sent: Wednesday, June 18, 2003 9:05 AM To: [EMAIL PROTECTED] Subject: Re: RADIUS + LDAP + TLS
I don't know how to get TLS to work, but you should be able to do SSL by specifying that the LDAP port to use is 669 (LDAPs) in your radius.conf. I'm, however, having a similar problem in that I am unable to get it to work because of a complaint about a self-signed certificate. If you have any ideas on how to rectify that one, I'd appreciate it. I've posted my question to the list twice and have received zero response.
Owen
--On Wednesday, June 18, 2003 12:32 PM +0200 "Francisco Orozco/Upcnet" <[EMAIL PROTECTED]> wrote:
Hello to all,
I've been using FreeRadius for a year, but now I'd like to implement RADIUS with LDAP authentication. I've tested it and it works great.
Now I'd like to protect radius - ldap server communication using TLS. But I'm not able to do it.
My LDAP server is Notes Domino and I've been able to configure it correctly. I can connect to it using LDAP SSL/TLS, but I don't know how to implement this in FreeRadius.
I'm using freeradius-0.8.1 and this is my radiusd.conf
Can you help me?
When I try, I see this log:
rad_recv: Access-Request packet from host 127.0.0.1:32792, id=101, length=60
        User-Name = "test"
        User-Password = "1234567890"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1
rad_lowerpair: User-Name now 'test'
rad_lowerpair: User-Password now '1234567890'
modcall: entering group authorize
rlm_ldap: - authorize
rlm_ldap: performing user authorization for test
radius_xlat: '(uid=test)'
radius_xlat: 'o=Prova'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.server.mycompany.es:636,0
rlm_ldap: setting TLS mode to 1
rlm_ldap: starting TLS
rlm_ldap: ldap_start_tls_s()
rlm_ldap: could not start TLS Protocol error
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns fail
modcall: group authorize returns fail
There was no response configured: rejecting request 0
Server rejecting request 0.
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 101 to 127.0.0.1:32792
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 101 with timestamp 3ef0694c
Nothing to do. Sleeping until we see a request.
______________________________________ Paco Orozco ([EMAIL PROTECTED]) Divisió de Telecomunicacions UPCNet Edifici Vèrtex - Pl. Eusebi Güell, 6 Switchboard telephone: 93.40.11600
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
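A small triage helper, added here as an example and not part of the thread, that reads rlm_ldap debug output of the shape quoted above and separates the two failure modes the thread discusses: StartTLS issued on the LDAPS port (Paco's "could not start TLS Protocol error" on port 636) and a server certificate the OpenLDAP client does not trust (Owen's self-signed certificate). The log samples are constructed (the second uses OpenSSL's standard "certificate verify failed" wording and a made-up host name), and the remediation text refers to the OpenLDAP client's ldap.conf TLS_CACERT setting, which the thread does not mention.

```python
import re

# Constructed sample mirroring the rlm_ldap debug lines quoted in the thread.
SAMPLE_STARTTLS_ON_636 = """\
rlm_ldap: (re)connect to ldap.server.mycompany.es:636,0
rlm_ldap: setting TLS mode to 1
rlm_ldap: starting TLS
rlm_ldap: ldap_start_tls_s()
rlm_ldap: could not start TLS Protocol error
rlm_ldap: (re)connection attempt failed
"""

# Constructed sample for the self-signed certificate case; the error line uses
# OpenSSL's standard wording and a made-up host (assumed, not from the thread).
SAMPLE_UNTRUSTED_CERT = """\
rlm_ldap: (re)connect to ldap.example.test:636,0
TLS: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
rlm_ldap: (re)connection attempt failed
"""

LDAPS_PORT = 636  # TLS from the first byte; StartTLS has no place on this port
LDAP_PORT = 389   # cleartext unless StartTLS upgrades the session

ADVICE = {
    "starttls_on_ldaps_port": "Port 636 already speaks TLS; do not also issue StartTLS "
                              "(StartTLS belongs on the plain LDAP port).",
    "untrusted_server_cert": "Give the OpenLDAP client the server's CA certificate "
                             "(TLS_CACERT in ldap.conf) instead of disabling verification.",
    "cleartext_bind": "Bind DN and password leave the host unencrypted; use LDAPS or StartTLS.",
}

def diagnose(log: str) -> dict:
    """Extract host/port/TLS mode from rlm_ldap debug output and flag misconfigurations."""
    m = re.search(r"\(re\)connect to ([^:\s]+):(\d+)", log)
    host, port = (m.group(1), int(m.group(2))) if m else (None, None)
    start_tls = "ldap_start_tls_s()" in log          # rlm_ldap tried the StartTLS extended op
    cert_rejected = bool(re.search(r"certificate verify failed|peer cert untrusted", log, re.I))
    findings = []
    if port == LDAPS_PORT and start_tls:
        findings.append("starttls_on_ldaps_port")   # TLS-in-TLS handshake => "Protocol error"
    if port == LDAP_PORT and not start_tls:
        findings.append("cleartext_bind")
    if cert_rejected:
        findings.append("untrusted_server_cert")
    return {"host": host, "port": port, "start_tls": start_tls,
            "findings": findings, "advice": [ADVICE[f] for f in findings]}
```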
