I think there must have been some sort of LDAP library on the system
where you built FreeRadius.

I don't know about TLS.  As I said, I was using SSL.  I get a different
error, telling me that it doesn't like the self-signed certificate.

As to installing the CA certificate, that depends on the TLS/SSL library
you are using and how it was built.

Owen


--On Thursday, June 19, 2003 9:18 AM +0200 "Francisco Orozco/Upcnet" <[EMAIL PROTECTED]> wrote:


> Hiya,
>
> When you built rlm_ldap, you needed some sort of LDAP library for
> it.  Usually, this is OpenLDAP.  If you used something else, I'm not
> sure what to tell you.  In my case, I built FreeRadius and the rlm_ldap
> module at the same time.  I don't know what you did.  I didn't install
> a certificate on the RADIUS server.  I used an existing LDAP server run
> by IT which has a self-signed certificate on it.  I don't know how they
> installed the certificate, and that would depend on the LDAP server in
> use anyway.  As to validation, I haven't been able to get them to validate
> because FreeRadius is rejecting the self-signed certificate from the
> LDAP server.

I've compiled FreeRadius and rlm_ldap without installing any LDAP package (like OpenLDAP); I've only untarred FreeRadius, then run ./configure and make. But I suppose that it has LDAP support, because I've been able to authenticate users using LDAP.

On the RADIUS server I haven't installed any certificate; I don't know how.
I've configured my RADIUS server to use LDAP as the authentication
database and I set "start_tls" and "tls_mode" to yes.

> I got the impression from your original email that you had the LDAP
> server already working with LDAPs.  If that's not the case, you first
> need to get a working LDAPs server (LDAP over SSL).  This is not
> something I can help you with.

Yes, I've got an LDAPs (LDAP over SSL) server working. But I'm not able to contact it from RADIUS. If I try to contact the LDAPs server from Outlook (for example) I need to install my CA certificate to validate the authentication of LDAPs. Does RADIUS need something similar?

> Once that is done, getting RADIUS to be another client of that LDAPs
> server should simply be a matter of changing the port number in the
> radiusd.conf from what was working with the LDAP server.

I've done it, but I get an error "could not start TLS protocol". See my log.


Maybe I'm forgetting something. I've seen some TLS parameters in the EAP
section of radiusd.conf, but I haven't used them... Is that ok?

>>>>
>>>> rad_recv: Access-Request packet from host 127.0.0.1:32792, id=101,
>>>> length=60
>>>>         User-Name = "test"
>>>>         User-Password = "1234567890"
>>>>         NAS-IP-Address = 255.255.255.255
>>>>         NAS-Port = 1
>>>> rad_lowerpair:  User-Name now 'test'
>>>> rad_lowerpair:  User-Password now '1234567890'
>>>> modcall: entering group authorize
>>>> rlm_ldap: - authorize
>>>> rlm_ldap: performing user authorization for test
>>>> radius_xlat:  '(uid=test)'
>>>> radius_xlat:  'o=Prova'
>>>> ldap_get_conn: Got Id: 0
>>>> rlm_ldap: attempting LDAP reconnection
>>>> rlm_ldap: (re)connect to ldap.server.mycompany.es:636, authentication 0
>>>> rlm_ldap: setting TLS mode to 1
>>>> rlm_ldap: starting TLS
>>>> rlm_ldap: ldap_start_tls_s()
>>>> rlm_ldap: could not start TLS Protocol error
>>>> rlm_ldap: (re)connection attempt failed
>>>> rlm_ldap: search failed
>>>> ldap_release_conn: Release Id: 0
>>>>   modcall[authorize]: module "ldap" returns fail
>>>> modcall: group authorize returns fail
>>>> There was no response configured: rejecting request 0
>>>> Server rejecting request 0.
>>>> Finished request 0
>>>> Going to the next request
>>>> --- Walking the entire request list ---
>>>> Waking up in 1 seconds...
>>>> --- Walking the entire request list ---
>>>> Waking up in 1 seconds...
>>>> --- Walking the entire request list ---
>>>> Sending Access-Reject of id 101 to 127.0.0.1:32792
>>>> Waking up in 4 seconds...
>>>> --- Walking the entire request list ---
>>>> Cleaning up request 0 ID 101 with timestamp 3ef0694c
>>>> Nothing to do.  Sleeping until we see a request.

______________________________________ Paco Orozco ([EMAIL PROTECTED]) Telecommunications Division, UPCNet, Edifici Vèrtex - Pl. Eusebi Güell, 6, Switchboard: 93.40.11600


- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
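The log above shows rlm_ldap connecting to port 636 (the LDAPS port, where the socket is TLS from the first byte) and then calling ldap_start_tls_s(), which is the StartTLS extended operation meant for the plaintext port 389. Those are two different ways of getting TLS and are not combined. The following is an added example, not taken from this thread or from the FreeRADIUS distribution, contrasting the failing combination with the two working ones. The parameter names (server, port, basedn, filter, start_tls, tls_mode, tls_cacertfile, tls_require_cert) are assumed to be those of the rlm_ldap module of this era; the host, base DN and file paths are placeholders.

```conf
# Added example, not the thread's own configuration.  Three rlm_ldap
# instances for side-by-side comparison; only one would be used in practice.

# (1) What the log in this thread corresponds to: LDAPS port plus StartTLS.
#     A port-636 listener expects a TLS handshake; StartTLS is an LDAP
#     extended request sent before TLS exists, so the two do not fit together
#     and ldap_start_tls_s() fails ("could not start TLS  Protocol error").
ldap broken_example {
        server = "ldap.server.mycompany.es"
        port = 636
        basedn = "o=Prova"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        tls_mode = yes
        start_tls = yes
}

# (2) LDAPS: TLS from the start on 636.  tls_mode turns it on; start_tls off.
ldap ldaps_example {
        server = "ldap.server.mycompany.es"
        port = 636
        basedn = "o=Prova"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        tls_mode = yes
        start_tls = no
        # The CA that issued the LDAP server's certificate (for a self-signed
        # server certificate, that certificate itself) must be trusted by the
        # RADIUS side, otherwise the handshake is rejected.  Path is assumed.
        tls_cacertfile = /etc/raddb/certs/ldap-ca.pem
        # Require a valid, trusted server certificate rather than ignoring it.
        tls_require_cert = "demand"
}

# (3) StartTLS: plain LDAP on 389, upgraded to TLS by the client before the
#     bind.  tls_mode stays off; the trust settings are the same as for LDAPS.
ldap starttls_example {
        server = "ldap.server.mycompany.es"
        port = 389
        basedn = "o=Prova"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        tls_mode = no
        start_tls = yes
        tls_cacertfile = /etc/raddb/certs/ldap-ca.pem
        tls_require_cert = "demand"
}
```

Two checks before touching radiusd.conf: `openssl s_client -connect ldap.server.mycompany.es:636` should print the server's certificate chain immediately if 636 really is LDAPS, and `ldapsearch -x -ZZ -H ldap://ldap.server.mycompany.es -b o=Prova "(uid=test)"` exercises StartTLS on 389 from the same machine, using the same OpenLDAP client library rlm_ldap links against. If the module build in use lacks the tls_cacertfile option, the OpenLDAP client library also honours a `TLS_CACERT` line in its ldap.conf, which is the other place to install the CA certificate that the question at the top of this thread asks about.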




