Thanks, it works.

But I have another question:

- In the freeradius log (freeradius -XXX -A) I see my password from the LDAP server; how can I encrypt that password?

BR Kamyk


On Dec 4, 2006, at 1:57 PM, Thibault Le Meur wrote:



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Rafał Kamiński
Sent: Monday, 4 December 2006 13:28
To: freeradius-users@lists.freeradius.org
Subject: FreeRadius + Ldap + TLS/SSL


When I saw that error, I checked the LDAP logs. My LDAP is configured with
SSL, not TLS. Now I have a problem configuring freeradius to work
with SSL LDAP, not TLS LDAP :(

I have in radiusd.conf:

server = "ldap"
port = 636
#port = 389
...
filter = "(uid=%u)"
base_filter = "(objectclass=radiusprofile)"
start_tls = no

This last line is OK: it asks not to try a StartTLS connection.

# tls_cacertfile        = /path/to/cacert.pem
tls_cacertfile = /etc/freeradius/cert/ca.crt
# tls_cacertdir         = /path/to/ca/dir/

tls_cacertdir = /etc/freeradius/cert/

Why do you have both tls_cacertfile and tls_cacertdir ?


# tls_certfile          = /path/to/radius.crt
tls_certfile = /etc/freeradius/cert/radius.crt
# tls_keyfile           = /path/to/radius.key
tls_keyfile = /etc/freeradius/cert/radius.key

tls_certfile and tls_keyfile are used to make the radius server authenticate
itself to the ldap server.
This is not mandatory; if you're not willing to authenticate the radius
server to the ldap server, then you can omit these two lines.

However, if you are trying to authenticate the radius server to the ldap server with certificates, then check that the CA that signed the radius server's
certificate is known by the ldap server.

#tls_mode = yes

Argh... I think you have to uncomment this line.

HTH,
Thibault



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


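A small checker for the radiusd.conf ldap settings discussed in the thread, written as an added example (not code from the thread or from FreeRADIUS). The sample block and its paths are constructed; the setting names are the ones quoted above, and the checks mirror Thibault's remarks (tls_mode for the ldaps port, CA file versus CA dir, cert and key set together).

```python
"""Lint the TLS settings of a FreeRADIUS 1.x ldap module block.

Added example, not from the thread or the FreeRADIUS project. It
flags the inconsistencies discussed above: port 636 without tls_mode,
start_tls together with port 636, both tls_cacertfile and tls_cacertdir
set, and a tls_certfile without its tls_keyfile (or vice versa).
"""

# Constructed sample mirroring the quoted config (paths are placeholders).
SAMPLE = """
server = "ldap"
port = 636
#port = 389
filter = "(uid=%u)"
base_filter = "(objectclass=radiusprofile)"
start_tls = no
# tls_cacertfile        = /path/to/cacert.pem
tls_cacertfile = /etc/freeradius/cert/ca.crt
tls_cacertdir = /etc/freeradius/cert/
tls_certfile = /etc/freeradius/cert/radius.crt
tls_keyfile = /etc/freeradius/cert/radius.key
#tls_mode = yes
"""

def parse_ldap_block(text):
    """Return {key: value} for active settings; '#' comments and quotes are stripped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # commented-out lines become empty
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value.strip('"')
    return settings

def lint_ldap_settings(settings):
    """Return a list of findings about the ldap module's TLS configuration."""
    findings = []
    port = settings.get("port")
    start_tls = settings.get("start_tls", "no").lower()
    tls_mode = settings.get("tls_mode", "no").lower()
    has_ca = "tls_cacertfile" in settings or "tls_cacertdir" in settings
    if port == "636" and tls_mode != "yes":
        findings.append("port 636 (ldaps) but tls_mode is not 'yes': module will talk plain LDAP to the SSL port")
    if start_tls == "yes" and (port == "636" or tls_mode == "yes"):
        findings.append("start_tls = yes conflicts with ldaps: StartTLS is for the plain port (389)")
    if "tls_cacertfile" in settings and "tls_cacertdir" in settings:
        findings.append("both tls_cacertfile and tls_cacertdir set; one CA source is enough")
    if ("tls_certfile" in settings) != ("tls_keyfile" in settings):
        findings.append("tls_certfile and tls_keyfile must be set together for client-certificate auth")
    if tls_mode == "yes" and not has_ca:
        findings.append("tls_mode = yes without tls_cacertfile/tls_cacertdir: server certificate cannot be verified")
    return findings
```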
