I think there must have been some sort of LDAP library on the system where you built FreeRadius.
I don't know about TLS. As I said, I was using SSL. I get a different error, telling me that it doesn't like the self-signed certificate.
As to installing the CA certificate, that depends on the TLS/SSL library you are using and how it was built.
Owen
--On Thursday, June 19, 2003 9:18 AM +0200 "Francisco Orozco/Upcnet" <[EMAIL PROTECTED]> wrote:
Hiya,
When you built rlm_ldap, you needed some sort of LDAP library for it. Usually, this is OpenLDAP. If you used something else, I'm not sure what to tell you. In my case, I built FreeRadius and the rlm_ldap module at the same time. I don't know what you did. I didn't install a certificate on the RADIUS server. I used an existing LDAP server run by IT which has a self-signed certificate on it. I don't know how they installed the certificate, and that would depend on the LDAP server in use anyway. As to validation, I haven't been able to get them to validate because FreeRadius is rejecting the self-signed certificate from the server.
I've compiled FreeRadius and rlm_ldap without installing any LDAP package (like OpenLDAP); I've only untarred FreeRadius, then ./configure and make. But I suppose that it has LDAP support, because I've been able to authenticate users using LDAP.
On the RADIUS server I haven't installed any certificate; I don't know how. I've configured my RADIUS server to use LDAP as the authentication database and I set "start_tls" and "tls_mode" to yes.
I got the impression from your original email that you had the LDAP server already working with LDAPs. If that's not the case, you first need to get a working LDAPs server (LDAP over SSL). This is not something I can help you with.
Yes, I've got an LDAPs (LDAP over SSL) server working. But I'm not able to contact it from RADIUS. If I try to contact the LDAPs server from Outlook (for example) I need to install my CA certificate to validate the LDAPs server. Does RADIUS need something similar?
Once that is done, getting RADIUS to be another client of that LDAPs server should simply be a matter of changing the port number in the radiusd.conf from what was working with the LDAP server.
I've done it, but I get an error "could not start TLS protocol". See my log.
Maybe I'm forgetting something. I've seen some TLS parameters in the EAP section of radiusd.conf, but I haven't used them... Is that OK?
rad_recv: Access-Request packet from host 127.0.0.1:32792, id=101, length=60
User-Name = "test"
User-Password = "1234567890"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1
rad_lowerpair: User-Name now 'test'
rad_lowerpair: User-Password now '1234567890'
modcall: entering group authorize
rlm_ldap: - authorize
rlm_ldap: performing user authorization for test
radius_xlat: '(uid=test)'
radius_xlat: 'o=Prova'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.server.mycompany.es:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: starting TLS
rlm_ldap: ldap_start_tls_s()
rlm_ldap: could not start TLS Protocol error
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns fail
modcall: group authorize returns fail
There was no response configured: rejecting request 0
Server rejecting request 0.
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 101 to 127.0.0.1:32792
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 101 with timestamp 3ef0694c
Nothing to do. Sleeping until we see a request.
______________________________________
Paco Orozco ([EMAIL PROTECTED])
Telecommunications Division, UPCNet
Edifici Vèrtex - Pl. Eusebi Güell, 6
Switchboard telephone: 93.40.11600
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
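A check for the pattern visible in the debug trace above, added here as an editor's example and not code from the thread or from the FreeRADIUS project: it parses a radiusd.conf "ldap" section and an rlm_ldap debug trace and flags two things a reviewer would want to see, StartTLS being requested on the LDAPS port 636 (StartTLS is an extended operation sent on the plain port 389, while port 636 expects a TLS handshake from the first byte, so a connection uses one or the other, never both) and the absence of any CA certificate setting, which is what prevents a self-signed or private-CA server certificate from being validated. The server, port, basedn and filter keys are real rlm_ldap settings and start_tls and tls_mode are the two the poster set; tls_cacertfile is assumed from later rlm_ldap releases, and the certificate path and the config fragments themselves are constructed for the example.

```python
"""Offline sanity check for an rlm_ldap TLS configuration and its debug trace.
Editor-added example; not FreeRADIUS code."""
import re

LDAP_PORT = 389    # cleartext LDAP, optionally upgraded with StartTLS
LDAPS_PORT = 636   # TLS-wrapped LDAP from the first byte

# Constructed radiusd.conf fragment mirroring the thread: StartTLS against 636.
BROKEN_CONFIG = """
ldap {
    server = "ldap.server.mycompany.es"
    port = 636
    start_tls = yes
    tls_mode = yes
    basedn = "o=Prova"
    filter = "(uid=%u)"
}
"""

# Constructed corrected fragment: LDAPS only, plus a CA bundle to validate the
# server certificate.  tls_cacertfile is assumed from later rlm_ldap releases;
# the path is a placeholder.
FIXED_CONFIG = """
ldap {
    server = "ldap.server.mycompany.es"
    port = 636
    start_tls = no
    tls_mode = yes
    tls_cacertfile = "/etc/raddb/certs/ca.pem"   # placeholder path
    basedn = "o=Prova"
    filter = "(uid=%u)"
}
"""

# Constructed excerpt of the rlm_ldap debug output quoted in the thread.
SAMPLE_LOG = """\
rlm_ldap: (re)connect to ldap.server.mycompany.es:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: starting TLS
rlm_ldap: ldap_start_tls_s()
rlm_ldap: could not start TLS Protocol error
rlm_ldap: (re)connection attempt failed
"""

MESSAGES = {
    "STARTTLS_ON_LDAPS": "start_tls requested on port 636; use port 389 with "
                         "start_tls, or port 636 with tls_mode and no start_tls",
    "CLEARTEXT": "port 389 without start_tls: credentials travel in cleartext",
    "NO_CA": "no tls_cacertfile/tls_cacertdir: the server certificate (self-signed "
             "or private CA) cannot be validated",
    "STARTTLS_FAILED": "ldap_start_tls_s() failed; see the mismatch above",
}


def parse_ldap_section(text):
    """Return {key: value} for the first ldap { ... } block (no nesting)."""
    m = re.search(r"ldap\s*\{(.*?)\}", text, re.S)
    if not m:
        return {}
    settings = {}
    for line in m.group(1).splitlines():
        line = line.split("#", 1)[0].strip()      # drop trailing comments
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value.strip('"')
    return settings


def is_yes(value):
    return str(value).lower() in ("yes", "on", "true", "1")


def check_config(settings):
    """Return finding codes for the parsed ldap section."""
    findings = []
    port = int(settings.get("port", LDAP_PORT))
    starttls = is_yes(settings.get("start_tls", "no"))
    if port == LDAPS_PORT and starttls:
        findings.append("STARTTLS_ON_LDAPS")
    if port == LDAP_PORT and not starttls:
        findings.append("CLEARTEXT")
    if not any(k in settings for k in ("tls_cacertfile", "tls_cacertdir")):
        findings.append("NO_CA")
    return findings


def check_log(log):
    """Spot the same mismatch as rlm_ldap reports it at runtime."""
    findings = []
    port = None
    for line in log.splitlines():
        m = re.search(r"\(re\)connect to \S+:(\d+)", line)
        if m:
            port = int(m.group(1))
        elif "starting TLS" in line and port == LDAPS_PORT:
            findings.append("STARTTLS_ON_LDAPS")
        elif "could not start TLS" in line:
            findings.append("STARTTLS_FAILED")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        codes = check_config(parse_ldap_section(cfg))
        print(label, "config:", [MESSAGES[c] for c in codes] or "ok")
    print("log:", [MESSAGES[c] for c in check_log(SAMPLE_LOG)])
```

Running the script reports the StartTLS-on-636 mismatch and the missing CA setting for the broken fragment, nothing for the corrected one, and the same mismatch followed by the StartTLS failure when scanning the trace.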
