> > [ldap_CustA] setting TLS Key File to /etc/raddb/certs/server.key
> > [ldap_CustA] setting TLS Key File to /etc/raddb/certs/random
>
> This is a logging bug in FreeRADIUS; the code seems to have been copy &
> pasted. It *is* setting the randfile option, but it's logging the wrong
> thing (key file). It can be ignored.
Okay, thank you.

> > [ldap_CustA] bind as user@domain.local/PASSWORD to 193.47.81.75:636
> > TLS: could not add the certificate PEM Token #0:server.crt - 0 - error
> > -8192:Unknown code ___f 0.
> > TLS: error: could not initialize moznss security context - error
> > -8192:Unknown code ___f 0
>
> Well that's a new one on me.
>
> Which version of FreeRADIUS are you using, on which OS? Which LDAP
> libraries are you linking against?

I did not compile it; I used yum (CentOS) to install it. Is there any way for me to see this?

> I'm guessing you're on a RedHat based system, judging from the fact the
> LDAP libraries seem to be using Mozilla NSS rather than OpenSSL under
> the hood?

Yes, it's CentOS.

> Where did "server.crt" come from? I presume it's a copy of the LDAP
> server cert, signed by the CA in "ca.pem"? Do you need it? You can
> probably just give the CA cert, for a connection to an LDAP server.

They were all generated by bootstrap as part of the default installation. I'll try with only giving the cacertfile and cacertdir.

When doing that I get the following (sanitized):

[ldap_CustA] setting TLS mode to 1
[ldap_CustA] setting TLS CACert File to /etc/raddb/certs/ca.pem
[ldap_CustA] setting TLS CACert Directory to /etc/raddb/certs/
[ldap_CustA] setting TLS Require Cert to never
[ldap_CustA] bind as MyUser@domain.local/MyPassword to 193.47.81.75:636
TLS: certificate [CN=server.domain.local] is not valid - CA cert is not valid
TLS: certificate [CN=server.domain.local] is not valid - error -8102:Unknown code ___f 90.
TLS: certificate [CN=server.domain.local] is not valid - error -8172:Unknown code ___f 20.
TLS: error: connect - force handshake failure: errno 0 - moznss error -8157
TLS: can't connect: TLS error -8157:Unknown code ___f 35.
[ldap_CustA] MyUser@domain.local bind to 1.1.1.1:636 failed: Can't contact LDAP server
[ldap_CustA] (re)connection attempt failed

If I'm reading that correctly, the certificates in the AD are not set up right?
--
Thanks,
Frank

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
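The check behind the "CA cert is not valid" lines above, as an added example that is not part of the thread: the ca.pem that bootstrap drops into /etc/raddb/certs is a FreeRADIUS test CA, so it cannot validate a certificate issued by the directory's own CA. The script builds two throwaway CAs with the openssl CLI (the only thing it assumes) and shows that only the issuing CA makes the chain verify.

```shell
#!/bin/sh
# Added example, not from the thread. It reproduces the mismatch in the log
# above: rlm_ldap was pointed at the bootstrap-generated /etc/raddb/certs/ca.pem,
# which never issued the AD server's certificate, so the TLS layer reports
# "CA cert is not valid". All certificates are constructed here in a temp dir;
# only the openssl CLI is assumed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a self-signed CA plus a server cert it issued, under prefix $1.
make_ca_and_server() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1-ca" \
        -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=server.domain.local" \
        -keyout "$WORK/$1-server.key" -out "$WORK/$1-server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/$1-server.csr" \
        -CA "$WORK/$1-ca.pem" -CAkey "$WORK/$1-ca.key" -CAcreateserial \
        -out "$WORK/$1-server.crt" 2>/dev/null
}

# Print "yes" if the CA file (what goes in cacertfile) issued the server cert,
# "no" otherwise; this is the check to run before touching the module config.
chain_ok() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo yes; else echo no; fi
}

make_ca_and_server ad      # stands in for the directory's CA and LDAP server cert
make_ca_and_server raddb   # stands in for what bootstrap leaves in /etc/raddb/certs

echo "AD ca.pem    -> AD server cert: $(chain_ok "$WORK/ad-ca.pem"    "$WORK/ad-server.crt")"   # yes
echo "raddb ca.pem -> AD server cert: $(chain_ok "$WORK/raddb-ca.pem" "$WORK/ad-server.crt")"   # no
```

Against the live directory, `openssl s_client -connect 193.47.81.75:636 -CAfile /etc/raddb/certs/ca.pem -showcerts` prints the issuer of the AD server certificate; that issuer's CA certificate, not the bootstrap one, is what belongs in cacertfile.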