> -----Message d'origine----- > De : > [EMAIL PROTECTED] > radius.org > [mailto:[EMAIL PROTECTED] > sts.freeradius.org] De la part de Rafa³ Kamiñski > Envoyé : lundi 4 décembre 2006 13:28 > À : freeradius-users@lists.freeradius.org > Objet : FreeRadius + Ldap + TLS/SSL > > > When i saw that error, i check ldap logs. My ldap is configure with > SSL not a TLS. Now i have a problem with configure freeradius > to work > with SSL ldap not TLS ldap :( > > I have in radiusd.conf: > > server = "ldap" > port = 636 > #port = 389 > ... > filter = "(uid=%u)" > base_filter = "(objectclass=radiusprofile)" > start_tls = no
This last line is ok: it will ask not to try Start-TLS connection. > # tls_cacertfile = /path/to/cacert.pem > tls_cacertfile = /etc/freeradius/cert/ca.crt > # tls_cacertdir = /path/to/ca/dir/ > > tls_cacertdir = /etc/freeradius/cert/ > tls_cacertdir = /etc/freeradius/cert/ Why do you have both tls_cacertfile and tls_cacertdir ? > # tls_certfile = /path/to/radius.crt > tls_certfile = /etc/freeradius/cert/radius.crt > # tls_keyfile = /path/to/radius.key > tls_keyfile = /etc/freeradius/cert/radius.key tls_certfile and tls_keyfile are used to make the radius server authenticate itself to the ldap server. This is not mandatory, if you're not willing to authenticate the radius server to the ldap server, then you can ommit these two lines. However, if you are trying to authenticate the radius server to the ldap server with certificates, then check that the CA that has signed the radius' certificate is known by the ldap server. > #tls_mode = yes Argh... I think you have to uncomment this line. HTH, Thibault - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
