Hiya,

> When you built rlm_ldap, you needed some sort of LDAP library for it. Usually, this is OpenLDAP. If you used something else, I'm not sure what to tell you. In my case, I built FreeRadius and the rlm_ldap module at the same time. I don't know what you did. I didn't install a certificate on the RADIUS server. I used an existing LDAP server run by IT which has a self-signed certificate on it. I don't know how they installed the certificate, and that would depend on the LDAP server in use anyway. As to validation, I haven't been able to get them to validate because FreeRadius is rejecting the self-signed certificate from the LDAP server.
I've compiled FreeRadius and rlm_ldap without installing any LDAP package (like OpenLDAP); I've only untarred FreeRadius, then ./configure and make. But I suppose that it has LDAP support, because I've been able to authenticate users using LDAP. On the RADIUS server I haven't installed any certificate; I don't know how. I've configured my RADIUS server to use LDAP as the authentication database and I set "start_tls" and "tls_mode" to yes.

> I got the impression from your original email that you had the LDAP server already working with LDAPs. If that's not the case, you first need to get a working LDAPs server (LDAP over SSL). This is not something I can help you with.

Yes, I've got an LDAPs (LDAP over SSL) server working. But I'm not able to contact it from RADIUS. If I try to contact the LDAPs server from Outlook (for example) I need to install my CA certificate, to validate the authentication of LDAPs. Does RADIUS need something similar?

> Once that is done, getting RADIUS to be another client of that LDAPs server should simply be a matter of changing the port number in the radiusd.conf from what was working with the LDAP server.

I've done it, but I get the error "could not start TLS protocol". See my log. Maybe I'm forgetting something. I've seen some TLS parameters in the EAP section of radiusd.conf, but I haven't used them... Is that ok?
> >>>> rad_recv: Access-Request packet from host 127.0.0.1:32792, id=101, length=60
> >>>> User-Name = "test"
> >>>> User-Password = "1234567890"
> >>>> NAS-IP-Address = 255.255.255.255
> >>>> NAS-Port = 1
> >>>> rad_lowerpair: User-Name now 'test'
> >>>> rad_lowerpair: User-Password now '1234567890'
> >>>> modcall: entering group authorize
> >>>> rlm_ldap: - authorize
> >>>> rlm_ldap: performing user authorization for test
> >>>> radius_xlat: '(uid=test)'
> >>>> radius_xlat: 'o=Prova'
> >>>> ldap_get_conn: Got Id: 0
> >>>> rlm_ldap: attempting LDAP reconnection
> >>>> rlm_ldap: (re)connect to ldap.server.mycompany.es:636, authentication 0
> >>>> rlm_ldap: setting TLS mode to 1
> >>>> rlm_ldap: starting TLS
> >>>> rlm_ldap: ldap_start_tls_s()
> >>>> rlm_ldap: could not start TLS Protocol error
> >>>> rlm_ldap: (re)connection attempt failed
> >>>> rlm_ldap: search failed
> >>>> ldap_release_conn: Release Id: 0
> >>>> modcall[authorize]: module "ldap" returns fail
> >>>> modcall: group authorize returns fail
> >>>> There was no response configured: rejecting request 0
> >>>> Server rejecting request 0.
> >>>> Finished request 0
> >>>> Going to the next request
> >>>> --- Walking the entire request list ---
> >>>> Waking up in 1 seconds...
> >>>> --- Walking the entire request list ---
> >>>> Waking up in 1 seconds...
> >>>> --- Walking the entire request list ---
> >>>> Sending Access-Reject of id 101 to 127.0.0.1:32792
> >>>> Waking up in 4 seconds...
> >>>> --- Walking the entire request list ---
> >>>> Cleaning up request 0 ID 101 with timestamp 3ef0694c
> >>>> Nothing to do. Sleeping until we see a request.

______________________________________
Paco Orozco ([EMAIL PROTECTED])
Divisió de Telecomunicacions UPCNet
Edifici Vèrtex - Pl. Eusebi Güell, 6
Telèfon centraleta: 93.40.11600

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
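An added example, not from this thread and not FreeRADIUS or OpenLDAP code, showing what the quoted log records at the wire level and how to read it. It assumes rlm_ldap from FreeRADIUS 1.x, where tls_mode = yes asks the LDAP library for implicit TLS (ldaps://, normally port 636) and start_tls = yes sends the StartTLS extended operation over a plaintext connection (normally port 389); the two are alternatives, and the log shows both being applied to port 636. The function names (build_starttls_request, classify_first_bytes, parse_rlm_ldap_debug, diagnose) and the SAMPLE_DEBUG text are constructed for this example; the diagnosis also covers the mirror-image case (tls_mode against 389), which the thread does not show.

```python
"""Added example for the freeradius-users thread above: the two TLS modes of
rlm_ldap at the wire level, and a reader for its debug output.

  * ldaps://host:636  (rlm_ldap 1.x: tls_mode = yes)   implicit TLS; the very
    first bytes the client sends must be a TLS ClientHello.
  * StartTLS on :389  (rlm_ldap 1.x: start_tls = yes)  plaintext LDAP first;
    the client sends an ExtendedRequest with OID 1.3.6.1.4.1.1466.20037 and
    only then negotiates TLS on the same socket.
Setting start_tls against port 636 sends the plaintext request to a port that
is waiting for a TLS handshake, which is the mismatch the log above records.
Function and variable names here are this example's own, not rlm_ldap's.
"""
import re

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # StartTLS extended operation OID (RFC 4511)


def _ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, one-byte long form up to 255."""
    if n < 0x80:
        return bytes([n])
    if n < 0x100:
        return bytes([0x81, n])
    raise ValueError("messages in this example are shorter than 256 bytes")


def build_starttls_request(message_id: int = 1) -> bytes:
    """Encode LDAPMessage { messageID, ExtendedRequest { requestName = StartTLS } }.

    Tags: LDAPMessage = SEQUENCE 0x30, messageID = INTEGER 0x02,
    ExtendedRequest = [APPLICATION 23] 0x77, requestName = [0] 0x80.
    This is the plaintext message ldap_start_tls_s() puts on the wire.
    """
    oid = STARTTLS_OID.encode("ascii")
    request_name = b"\x80" + _ber_len(len(oid)) + oid
    extended_req = b"\x77" + _ber_len(len(request_name)) + request_name
    msg_id = b"\x02\x01" + bytes([message_id])
    body = msg_id + extended_req
    return b"\x30" + _ber_len(len(body)) + body


def classify_first_bytes(data: bytes) -> str:
    """What a listener sees in the first bytes of a new connection."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake"      # TLS record type 22, version 3.x: what an ldaps port wants
    if data and data[0] == 0x30:
        return "plaintext-ldap"     # BER SEQUENCE, i.e. an LDAPMessage: what port 389 wants
    return "unknown"


# Constructed sample, modelled on the rlm_ldap debug lines quoted in the thread.
SAMPLE_DEBUG = """\
rlm_ldap: (re)connect to ldap.server.mycompany.es:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: starting TLS
rlm_ldap: ldap_start_tls_s()
rlm_ldap: could not start TLS Protocol error
rlm_ldap: (re)connection attempt failed
"""


def parse_rlm_ldap_debug(text: str) -> dict:
    """Pull host, port and the TLS steps rlm_ldap attempted out of its debug output."""
    info = {"host": None, "port": None, "tls_mode": False, "start_tls": False, "error": None}
    for line in text.splitlines():
        m = re.search(r"\(re\)connect to (\S+):(\d+)", line)
        if m:
            info["host"], info["port"] = m.group(1), int(m.group(2))
            continue
        if "setting TLS mode to 1" in line:           # LDAP_OPT_X_TLS_HARD, i.e. tls_mode = yes
            info["tls_mode"] = True
        elif "ldap_start_tls_s()" in line:            # start_tls = yes
            info["start_tls"] = True
        else:
            m = re.search(r"could not start TLS (.+)$", line)
            if m:
                info["error"] = m.group(1).strip()
    return info


def diagnose(info: dict) -> str:
    """Map the observed combination of port and TLS steps onto the two modes."""
    if info["start_tls"] and info["port"] == 636:
        return ("start_tls against port 636: StartTLS belongs on the plaintext port (389); "
                "for ldaps on 636 keep tls_mode and drop start_tls")
    if info["tls_mode"] and not info["start_tls"] and info["port"] == 389:
        return "tls_mode against port 389: implicit TLS needs the ldaps port (636)"
    if info["error"]:
        return "TLS failed for another reason (check CA trust settings): " + info["error"]
    return "no TLS mode/port mismatch detected"


if __name__ == "__main__":
    print(build_starttls_request().hex())
    print(classify_first_bytes(build_starttls_request()))
    print(diagnose(parse_rlm_ldap_debug(SAMPLE_DEBUG)))
```

The StartTLS request built above is a 31-byte plaintext LDAPMessage; a listener on an ldaps port expects a TLS ClientHello as the first bytes instead, so the exchange never gets as far as presenting a certificate, and an untrusted server certificate would fail later, at verification, not at the StartTLS request. Trusting the LDAP server's CA is a separate step that only matters once TLS actually starts: in 1.x rlm_ldap that is the tls_cacertfile / tls_cacertdir settings (together with tls_require_cert) in the ldap section of radiusd.conf, not the tls settings in the EAP section, which configure the RADIUS server's own EAP-TLS identity.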
