On Fri, 20 Jun 2003, Francisco Orozco/Upcnet wrote:

> Hiya,
>
> I'm a bit confused. I'd like to use, as I mentioned, RADIUS + LDAP over
> encrypted communications (TLS).
>
> In order to use RADIUS + LDAP I've compiled FreeRadius, but I haven't
> installed any OpenLDAP SDK. Then I've configured radiusd.conf as mentioned
> in past messages.
>
> I tried it and it works great. I can authenticate users via LDAP.
>
> When I try to use TLS I've configured the radiusd.conf parameters:
> "start_tls=yes" "tls_mode=yes" "port=636"

StartTLS is an extended operation for starting TLS while connecting to the
normal ldap port (389). I would suggest start_tls=yes, tls_mode=no and
port=389. I think that the tls_mode directive should go away completely, and
that start_tls should only be allowed if we don't use the ldaps port. But I am
not sure that the above is correct.

> It's not working, see log. "Protocol Error", it means that I need to
> compile something.
>
> I don't want to authenticate the LDAP server from RADIUS, so I don't need to
> install OpenSSL and CA certificates. I only want to encrypt the RADIUS - LDAP
> communication, without ensuring the identity of either.
>
> Please... can you shed some light on my work????
>
> rad_recv: Access-Request packet from host 127.0.0.1:32792, id=101, length=60
>         User-Name = "test"
>         User-Password = "1234567890"
>         NAS-IP-Address = 255.255.255.255
>         NAS-Port = 1
> rad_lowerpair: User-Name now 'test'
> rad_lowerpair: User-Password now '1234567890'
> modcall: entering group authorize
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for test
> radius_xlat: '(uid=test)'
> radius_xlat: 'o=Prova'
> ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to ldap.server.mycompany.es:636, authentication 0
> rlm_ldap: setting TLS mode to 1
> rlm_ldap: starting TLS
> rlm_ldap: ldap_start_tls_s()
> rlm_ldap: could not start TLS Protocol error
> rlm_ldap: (re)connection attempt failed
> rlm_ldap: search failed
> ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns fail
> modcall: group authorize returns fail
> There was no response configured: rejecting request 0
> Server rejecting request 0.
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Sending Access-Reject of id 101 to 127.0.0.1:32792
> Waking up in 4 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 101 with timestamp 3ef0694c
> Nothing to do. Sleeping until we see a request.
>
> ______________________________________
> Paco Orozco ([EMAIL PROTECTED])
> Telecommunications Division
> UPCNet
> Edifici Vèrtex - Pl. Eusebi Güell, 6
> Switchboard telephone: 93.40.11600
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

--
Kostas Kalevras          Network Operations Center
[EMAIL PROTECTED]        National Technical University of Athens, Greece
Work Phone:              +30 210 7721861
'Go back to the shadow'  Gandalf
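The three rlm_ldap configurations below are an added example, not taken from the original post or from the FreeRADIUS project. The first is the combination shown in the log above (a StartTLS request on the ldaps port), followed by the two combinations that do fit together: StartTLS on port 389, or ldaps on port 636 with start_tls off. An ldaps listener expects a TLS handshake from the first byte, so an LDAP StartTLS extended request sent to it in the clear cannot succeed. Directive names follow the rlm_ldap module of the FreeRADIUS 0.9/1.x line; the server name and basedn are those from the log, the filter is a typical one and is assumed, and tls_cacertfile / tls_require_cert are assumed to be present in the build in use.

```conf
# Added example, not the project's own configuration. Three rlm_ldap
# variants for radiusd.conf; enable exactly one of them.

# 1. The combination from the log: StartTLS requested on the ldaps port.
#    The server on 636 expects a TLS ClientHello first, so the cleartext
#    ldap_start_tls_s() extended request fails ("could not start TLS").
ldap {
	server = "ldap.server.mycompany.es"
	port = 636
	start_tls = yes
	tls_mode = yes
	basedn = "o=Prova"
	filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"   # assumed filter
}

# 2. StartTLS: plain connection to the standard port, then upgrade to TLS.
ldap {
	server = "ldap.server.mycompany.es"
	port = 389
	start_tls = yes
	tls_mode = no
	basedn = "o=Prova"
	filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"   # assumed filter

	# Without these two lines the link is encrypted but the server is not
	# authenticated, so anyone who can redirect the connection can present
	# their own certificate and read the bind credentials. Directive names
	# and the path are assumptions for this example.
	tls_cacertfile = /etc/raddb/certs/ldap-ca.pem
	tls_require_cert = "demand"
}

# 3. ldaps: TLS from the first byte on port 636, no StartTLS operation.
ldap {
	server = "ldap.server.mycompany.es"
	port = 636
	start_tls = no
	tls_mode = yes
	basedn = "o=Prova"
	filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"   # assumed filter
	tls_cacertfile = /etc/raddb/certs/ldap-ca.pem            # assumed
	tls_require_cert = "demand"                              # assumed
}
```

Either of variants 2 or 3 requires an OpenLDAP client library built with TLS support underneath rlm_ldap; the debug output (`rlm_ldap: setting TLS mode to 1`, `rlm_ldap: starting TLS`) is the quickest way to confirm which port and mode the module is actually using after a change.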
