Paulo Cabrita <[EMAIL PROTECTED]> wrote:
> I made a little more debug on this matter and I discovered that the
> error is that FR doesn't like the CA:
> ...
> TLS certificate verification: Error, self signed certificate
> TLS trace: SSL3 alert write:fatal:unknown CA

That's an SSL error. FreeRADIUS has little control over it.

FreeRADIUS is calling the LDAP client library, and asking it to use a particular CA for one ldap instance. FreeRADIUS does that again for the other ldap instance. My guess is that the LDAP client library, or OpenSSL, over-writes the first CA with the second one.

You should be able to verify this by listing the master & slave ldap names in the "instantiate" section. That forces the server to initialize the modules in a particular order. Then, test the server. You should see that the *first* module listed in "instantiate" fails, and the second succeeds. Stop the server, and swap the order in the "instantiate" section. You should again see that the first listed one fails, and the second succeeds.

If that happens, it's either a bug in the OpenLDAP client libraries, or in OpenSSL. I'm not sure there's anything you can do to FreeRADIUS to fix it.

The only option to make it work is to have both certs signed by the same CA. In that case, it doesn't matter that the first gets over-written by the second, because they're both the same.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

