Well, finally I succeeded in doing what I wanted... The reason for the failure
was too stupid: in the radiusd.conf file, I had put the LDAP server address
in IPv4 dotted address form. Of course, freeradius does not try to resolve
it, and of course the address obtained from the LDAP server certificate
does not match...
Thanks to all who tried to help me.
Konstantin
>-Original Message-
>From: Konstantin KABASSANOV [mailto:[EMAIL PROTECTED]
>Sent: mardi 16 novembre 2004 15:46
>To: '[EMAIL PROTECTED]'
>Subject: Secure TLS connection between Freeradius and Openldap
>
>Hello,
>
>I'm trying to establish a secure TLS connection between a Freeradius and
>an Openldap server.
>
>The "openssl s_client -connect" command successfully establishes a
>connection to the openldap server on the mentioned port with the following
>certificates, but when trying to bind from freeradius I have the following
>error message:
>
>rlm_ldap: ldap_get_conn: Checking Id: 0
>rlm_ldap: ldap_get_conn: Got Id: 0
>rlm_ldap: attempting LDAP reconnection
>rlm_ldap: (re)connect to 10.0.3.2:636, authentication 0
>rlm_ldap: setting TLS mode to 1
>rlm_ldap: setting TLS CACert File to /etc/openssl/certs/root.pem
>rlm_ldap: setting TLS CACert File to /etc/openssl/certs/
>rlm_ldap: setting TLS Require Cert to never
>rlm_ldap: setting TLS Cert File to /etc/openssl/certs/cert.pem
>rlm_ldap: setting TLS Key File to /etc/openssl/certs/key.pem
>rlm_ldap: setting TLS Key File to /etc/openssl/certs/random
>rlm_ldap: bind as cn=Manager,dc=MYDOMAIN,dc=COM/password to 10.0.3.2:636
>rlm_ldap: cn=Manager,dc=MYDOMAIN,dc=COM bind to 10.0.3.2:636 failed: Can't contact LDAP server
>rlm_ldap: (re)connection attempt failed
>rlm_ldap: search failed
>
>Of course if I don't set the tls mode, the connection is ok.
>
>Any hints?
>
>
>Thanks.
>
>Konstantin
>
>_
>
>Konstantin K. KABASSANOV
>
>LIP6/CNRS
>8, rue du Capitaine Scott
>75015 Paris, France
>
>Phone: +33 (0) 1 44 27 71 26
>Fax: +33 (0) 1 44 27 74 95
>
>E-mail: [EMAIL PROTECTED]
>Web: http://www.kabassanov.com
>_
>
>
>IMPORTANT! If you have tried to reply to this mail and you received a
>stupid message, announcing that the mail had been rejected as spam,
>please, resend your reply to the address above.
>
>The certificate used to sign this e-mail can be verified at:
>http://igc.services.cnrs.fr/CNRS-Standard/recherche.html
>
>"Too much is never enough." ( Me ;) )
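The root cause Konstantin found, shown as an added example that is not part of the thread: a TLS client compares the server name it was configured with, literally, against the names in the server certificate, and an IP literal such as 10.0.3.2 only ever matches an iPAddress subjectAltName, never a DNS name the client could have resolved to that address. The matching rules are a simplified form of RFC 6125, and the certificate contents (`LDAP_CERT`, the name `ldap.mydomain.com`) are constructed sample data, not the poster's certificate.

```python
"""Why naming the LDAP server by IP in radiusd.conf broke the TLS bind:
name checking is a string/address comparison against the certificate's
subjectAltName (or legacy CN), with no DNS resolution in either direction.
Rules below are a simplified RFC 6125; certificate data is constructed."""
import ipaddress
from typing import Dict, List, Optional

# Constructed sample: what the LDAP server's certificate carries.
LDAP_CERT: Dict[str, List[str]] = {"dns": ["ldap.mydomain.com"], "ip": []}


def match_dns_name(server_name: str, pattern: str) -> bool:
    """Case-insensitive DNS match; one '*' allowed only as the whole leftmost label."""
    server_name = server_name.rstrip(".").lower()
    pattern = pattern.rstrip(".").lower()
    if "*" not in pattern:
        return server_name == pattern
    p_labels = pattern.split(".")
    s_labels = server_name.split(".")
    # Wildcard must be the entire first label and must cover >= 2 fixed labels.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(s_labels):
        return False
    return p_labels[1:] == s_labels[1:]


def server_name_matches(server_name: str, san: Dict[str, List[str]],
                        cn: Optional[str] = None) -> bool:
    """True if the configured server name is valid for the certificate.

    san: {"dns": [...], "ip": [...]} as found in subjectAltName.
    cn:  subject CN, consulted only when the certificate has no SAN at all.
    """
    try:
        ip = ipaddress.ip_address(server_name)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is compared only with iPAddress entries. The client
        # never resolves it to a hostname, so "10.0.3.2" cannot satisfy a
        # certificate issued to ldap.mydomain.com, which is the poster's failure.
        return any(ip == ipaddress.ip_address(x) for x in san.get("ip", []))
    dns_names = san.get("dns", [])
    if dns_names or san.get("ip"):
        return any(match_dns_name(server_name, d) for d in dns_names)
    return cn is not None and match_dns_name(server_name, cn)


if __name__ == "__main__":
    for configured in ("10.0.3.2", "ldap.mydomain.com"):
        print(configured, "->", server_name_matches(configured, LDAP_CERT))
```

The fix is the one in the thread: configure the server in radiusd.conf by the DNS name the certificate was issued to, or have the certificate carry an iPAddress SAN for 10.0.3.2.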