(This didn't appear on the list for some reason.)

In our usage of freeradius, we've come across some annoying behaviour where we can't ignore server certificates for LDAP TLS. For the purposes of testing and development we'd like to be able to ignore the CA and self-signed certificates that live on our LDAP servers. While this is obviously not the recommended approach, it can be beneficial in actually getting a working solution together.

To this end, I patched the rlm_ldap.ldap_connect function so that it more properly uses the tls_require_cert option. After applying this patch, the configuration will recognise 5 options for tls_require_cert, namely: never | hard | demand | allow | try. I took these names from <ldap.h>.

I have not updated the manuals / docs yet, as I don't want to waste time if this change is going to be dismissed out of hand. If the patch is acceptable, then I will submit further patches to cover the docs and sample files.

This patch should be applied against the 1.0.0-pre3 release. The patched file is src/modules/rlm_ldap/rlm_ldap.c.

Any issues, let me know.

Thanks,
Ben
freeradius-ldap-tls-require-cert.patch
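As an added illustration (not part of the original post or of the attached patch), the fragment below shows how the tls_require_cert setting from the post would be used in the ldap section of a FreeRADIUS 1.x radiusd.conf. The key names tls_require_cert, start_tls and tls_cacertfile follow the 1.x ldap module configuration; the hostnames and file paths are placeholders, and the comments describe the five values the post lists. The development block is the one the post is asking for; the production block is the verifying configuration a deployment should keep.

```conf
# Development / test only: the LDAP server presents a self-signed
# certificate and no CA is distributed yet, so verification is switched
# off.  "never" means the server certificate is not requested or checked.
ldap {
    server           = "ldap-dev.example.test"        # placeholder host
    start_tls        = yes
    tls_require_cert = "never"
}

# Production: distribute the CA that signed the LDAP server certificate
# and require the certificate to verify.  "demand" (and "hard") fail the
# connection if the certificate is missing or does not verify; "allow"
# and "try" request it but continue on failure, so they do not protect
# against a spoofed LDAP server.
ldap {
    server           = "ldap.example.test"            # placeholder host
    start_tls        = yes
    tls_cacertfile   = /etc/raddb/certs/ldap-ca.pem   # placeholder path
    tls_require_cert = "demand"
}
```

Only one ldap section would normally be active at a time; the two are shown side by side so the weak and the verifying settings can be compared. A quick check that the production setting is effective is to point it at a server whose certificate is not signed by the configured CA and confirm that the bind is refused rather than silently accepted.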

