Daniele Albrizio <albri...@univ.trieste.it> wrote:
>
> I suspect the "cacertfile" attribute is not correctly re-instantiated
> and only the value of the first request is used to check against when
> instantiating a new ldaps connection.
>
Without a doubt the chaining is not working on your LDAP servers. What is the full output of:

openssl s_client -connect myAD.ds.units.it:636 -showcerts
openssl s_client -connect myopenldap.units.it:636 -showcerts

You can pipe the server cert (cut'n'paste on stdin) through the following to see the useful parts of the certs:

openssl x509 -noout -text

You probably will find if you change those tls 'demands' to 'never' things work, but then it kinda is self defeating :)

Cheers

--
Alexander Clouter
.sigmonster says: You can't break eggs without making an omelet.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
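The check the reply above is working towards (does the chain the LDAP server presents actually link up, and does its top end at a CA the client has in cacertfile?) as a small shell script. This is an added example, not part of the post or of FreeRADIUS; it assumes the openssl CLI is on PATH, and the function names check_chain and cert_field are chosen here. Feed it the captured output of openssl s_client -showcerts and it splits out each PEM block, prints subject/issuer per certificate, and fails if certificate N was not issued by certificate N+1.

```sh
#!/bin/sh
# Added example (not from the original post). Assumes the openssl CLI is on
# PATH. Usage:
#   openssl s_client -connect host:636 -showcerts </dev/null > chain.txt
#   sh check_chain.sh chain.txt
#
# check_chain FILE: split every PEM certificate out of the captured
# s_client output, print subject/issuer for each, and verify that
# certificate N was issued by certificate N+1, i.e. that the chain the
# server presents actually links up. Returns 0 if every link matches,
# 1 if a link is broken, 2 on usage errors.

# cert_field FILE subject|issuer -> the DN in RFC 2253 form, prefix stripped
# (the sed also copes with older openssl printing "subject= CN=..." with a space)
cert_field() {
    openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

check_chain() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    tmp=$(mktemp -d) || return 2

    # Write each -----BEGIN/END CERTIFICATE----- block to cert.0, cert.1, ...
    # in the order the server sent them (leaf first). Other s_client noise
    # ("Certificate chain", " 0 s:/CN=...", "---") is ignored.
    awk -v dir="$tmp" '
        BEGIN { n = 0 }
        /-----BEGIN CERTIFICATE-----/ { f = dir "/cert." n; n++ }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$1"

    count=0
    while [ -f "$tmp/cert.$count" ]; do
        echo "cert $count: subject=$(cert_field "$tmp/cert.$count" subject)"
        echo "        issuer=$(cert_field "$tmp/cert.$count" issuer)"
        count=$((count + 1))
    done
    if [ "$count" -eq 0 ]; then
        echo "no certificates found in $1" >&2
        rm -rf "$tmp"
        return 2
    fi

    # Each certificate's issuer must equal the subject of the next one up.
    rc=0
    i=0
    while [ $((i + 1)) -lt "$count" ]; do
        iss=$(cert_field "$tmp/cert.$i" issuer)
        nxt=$(cert_field "$tmp/cert.$((i + 1))" subject)
        if [ "$iss" != "$nxt" ]; then
            echo "BROKEN: cert $i issued by '$iss', but cert $((i + 1)) is '$nxt'"
            rc=1
        fi
        i=$((i + 1))
    done

    # Whatever sits at the top must be a CA the client trusts: either it is
    # self-signed (root included in the chain) or its issuer must be present
    # in the client's CA file (cacertfile in the LDAP module config).
    top=$((count - 1))
    top_subj=$(cert_field "$tmp/cert.$top" subject)
    top_iss=$(cert_field "$tmp/cert.$top" issuer)
    if [ "$top_subj" = "$top_iss" ]; then
        echo "top of chain is self-signed: '$top_subj'"
    else
        echo "top of chain is issued by '$top_iss'; that CA must be in the client's cacertfile"
    fi

    rm -rf "$tmp"
    return $rc
}

if [ "$#" -gt 0 ]; then
    check_chain "$1"
fi
```

Run it once per LDAP server; if the last line reports a non-self-signed top, the DN it names is the certificate that has to be in cacertfile (or the server has to be configured to send the intermediate), which is what 'demand' is checking for before you are tempted to set it to 'never'.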