That error message can be a little deceptive. When it says it can't connect, it can just mean it can't start TLS due to bad certificates at the freeradius end.
I posted a patch last week against 1.0.0-pre3 which lets you disable the TLS certificate checking. I didn't receive any feedback on it, but I suspect the developers may not be looking at the user list or are otherwise occupied with recent additions to their families.

Cheers,
Ben

On Sat, 24 Jul 2004 02:13:46 +0300 (EEST), Kostas Kalevras <[EMAIL PROTECTED]> wrote:
>
> On Fri, 23 Jul 2004 [EMAIL PROTECTED] wrote:
>
> > Hello,
> >
> > I successfully got ldap and radius to talk using the
> >     radcheck <user> <passwd> 127.0.0.1 1 testing123
> > which gives me an Access-Accept message. So I assume that
> > I'm working correctly.
> >
> > Now I would like to get this encrypted, either by using SSL
> > or TLS. I use debian/sarge, so I apt-get install'ed
> > freeradius, ldap-utils, openssl, libssl... etc.
> >
> > What I've tried, TLS:
> > Setting start_tls = yes, restart server, try radcheck, get
> > Access-Reject
> >
> > Message that I get from logs:
> > Info: Ready to process requests.
> > Error: rlm_ldap: could not start TLS Connect error
> > Error: rlm_ldap: (re)connection attempt failed
> >
> > I've read most of the messages concerning tls and radius with ldap and
> > nothing in them has helped me to get it working, i.e. added tls_mode = yes
> > and port = 389.
> >
> > What I've tried, SSL:
> > Setting start_tls = no, tls_mode = no, port = 636 (ldap over ssl), restarted
> > server, try radcheck, get Access-Reject
> >
> > Telnet ldap 636 gets in.
> > I tried to tunnel through ssl via stunnel with the same error.
> >
> > Message that I get from logs:
> > Error: rlm_ldap: bind to <ldap>:636 failed: Can't contact LDAP server
> > Error: rlm_ldap: (re)connection attempt failed
> >
> > Any help would be greatly appreciated!
>
> Are you sure you trust the ldap server's certificate? Check your openldap
> install ldap.conf file, search for the directive TLS_REQCERT. Man ldap.conf for
> a description of the possible values.
> Can you connect to your ldap server through the ldapsearch command line tool
> with StartTLS or LDAPS?
> What does your ldap server log as error?
>
> > David
> >
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
> --
> Kostas Kalevras          Network Operations Center
> [EMAIL PROTECTED]        National Technical University of Athens, Greece
> Work Phone: +30 210 7721861
> 'Go back to the shadow' Gandalf
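The ldapsearch check Kostas suggests can be reproduced with a small stand-alone probe; the code below is an added example, not code from the thread, FreeRADIUS or OpenLDAP, and it assumes the caller supplies a reachable LDAP host, port and CA file. It sends the LDAP StartTLS extended request, reads the result, then performs a fully verified TLS handshake (chain and hostname), so an untrusted or mismatched server certificate surfaces as a concrete ssl error rather than the generic "could not start TLS" that rlm_ldap logs.

```python
# Added example: LDAP StartTLS probe that verifies the server certificate (not from the thread).
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation

def read_len(buf, i):
    """Decode a BER length at buf[i]; returns (length, index of the content)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def starttls_request(msg_id=1):
    """LDAPMessage { messageID, [APPLICATION 23] ExtendedRequest { [0] requestName } }."""
    name = b"\x80" + bytes([len(STARTTLS_OID)]) + STARTTLS_OID
    ext = b"\x77" + bytes([len(name)]) + name
    body = b"\x02\x01" + bytes([msg_id]) + ext  # every length < 128: short form
    return b"\x30" + bytes([len(body)]) + body

def parse_extended_response(resp):
    """Return (resultCode, diagnosticMessage) from an [APPLICATION 24] ExtendedResponse."""
    if resp[0] != 0x30:
        raise ValueError("not an LDAPMessage")
    _, i = read_len(resp, 1)
    if resp[i] != 0x02:
        raise ValueError("missing messageID")
    n, i = read_len(resp, i + 1)
    i += n
    if resp[i] != 0x78:
        raise ValueError("not an ExtendedResponse (tag 0x%02x)" % resp[i])
    _, i = read_len(resp, i + 1)
    if resp[i] != 0x0A:
        raise ValueError("missing resultCode")
    n, i = read_len(resp, i + 1)
    code = int.from_bytes(resp[i:i + n], "big")
    n, i = read_len(resp, i + n + 1)  # matchedDN OCTET STRING, skipped
    n, i = read_len(resp, i + n + 1)  # diagnosticMessage OCTET STRING
    return code, resp[i:i + n].decode("utf-8", "replace")

def starttls_probe(host, port=389, cafile=None):
    """StartTLS, then verify chain and hostname; returns the verified peer cert subject."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(starttls_request())
        code, diag = parse_extended_response(sock.recv(4096))
        if code != 0:
            raise RuntimeError("StartTLS refused: resultCode %d %s" % (code, diag))
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["subject"]
```

Point `cafile` at the CA that signed the directory's certificate (the same CA that `TLS_CACERT` in ldap.conf should reference); a `CERTIFICATE_VERIFY_FAILED` here is the same trust problem that rlm_ldap reports only as a connection error.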

