I'm already looking at that section, but it doesn't say what the cert should be. This is the only relevant section and does not answer my question.
What is the SSLCAClientCert? Is it supposed to be the same certificate as what is on the ldap server? I have tried creating a self signed cert and placing it in the config, but the connection always errors with no detail other than:

Mon Jul 19 15:51:50 2010: DEBUG: Handling with Radius::AuthLDAP2: CheckAD
Mon Jul 19 15:51:50 2010: INFO: Connecting to blablabla.com:636
Mon Jul 19 15:51:50 2010: ERR: Could not open LDAP connection to blablabla.com:636. Backing off for 600 seconds.
Mon Jul 19 15:51:50 2010: DEBUG: AuthBy LDAP2 result: IGNORE, User database access error

---From ref.pdf---

For AuthBy LDAP2, you also need to specify some additional parameters describing the location of certificate and private key files.

# LDAP2: Enable SSL and tell it where to find certificates
UseSSL
# Name of the client certificate file:
SSLCAClientCert /path/to/client/certificate.pem
# Name of the file containing the client private key
SSLCAClientKey /path/to/client/keyfile.pem
# only need to set one of the following
#SSLCAPath /path/to/CA/cert/dir
SSLCAFile /path/to/file/containing/certificate/of/CA.pem

Hint: You only need to set one of SSLCAFile or SSLCAPath, not both.
Hint: All LDAP2 certificates are required to be in PEM format.
Hint: If both UseSSL and UseTLS are specified, SSL will be used.

-----Original Message-----
From: Hugh Irvine [mailto:h...@open.com.au]
Sent: Monday, July 19, 2010 4:00 PM
To: Mark Bassett
Cc: radiator@open.com.au
Subject: Re: [RADIATOR] LDAPS Certificate questions with AuthBy LDAP2

Hello Mark -

See sections 5.36.3 and 5.36.4 in the Radiator 4.6 reference manual ("doc/ref.pdf").

regards

Hugh

On 20 Jul 2010, at 08:42, Mark Bassett wrote:

> My question is in regards to the SSLCAClientCert and SSLCAClientKey parameters. What certificate files is it looking for? I have the CA cert in /etc/openldap/cacerts.
>
> Do I just need to generate a local certificate for the radiator server to use and provide its pem and key files?
>
> It's currently working now with SSLVerify none, but I would like to require verification.
>
> <AuthBy LDAP2>
>         Identifier CheckAD
>         Host blablablaa
>
>         #SSLeayTrace 4
>         #Debug 255
>         Version 3
>         # Microsoft AD also listens on port 3268, and
>         # requests received on that port are reported to be
>         # more compliant with standard LDAP, so you may want to use:
>         Port 636
>         UseSSL
>         SSLVerify none
>         SSLCAPath /etc/openldap/cacerts
>         AuthDN CN=BlaBlaBla,DC=com
>         # AuthPassword yourADadminpasswordhere
>         AuthPassword BLAHBLAH
>         BaseDN dc=blah,dc=com
>         ServerChecksPassword
>         UsernameAttr sAMAccountName
>         #PasswordAttr userPassword
>         #AuthAttrDef logonHours,MS-Login-Hours,check
> </AuthBy>
>
>
> _______________________________________________
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator

NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?

--
Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows, MacOS X. Includes support for reliable RADIUS transport (RadSec), and DIAMETER translation agent.
- Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.
- CATool: Private Certificate Authority for Unix and Unix-like systems.
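As an added example (not Radiator's code and not from anyone in this thread), a small Python linter that applies the ref.pdf hints quoted above to an <AuthBy LDAP2> clause and flags the "SSLVerify none" setting the posted configuration relies on. The SSLVerify value "require", the hostname and the file paths in the two sample clauses are assumptions.

```python
# Added example, not part of Radiator. The SSLVerify value "require" in
# the hardened sample is assumed; hostnames and paths are constructed.
import re

def parse_authby(text):
    """Return {keyword: value} for lines inside <AuthBy LDAP2>...</AuthBy>."""
    m = re.search(r"<AuthBy\s+LDAP2>(.*?)</AuthBy>", text, re.S | re.I)
    if not m:
        raise ValueError("no <AuthBy LDAP2> clause found")
    params = {}
    for line in m.group(1).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):      # skip blanks and comments
            key, _, value = line.partition(" ")    # flags like UseSSL get ''
            params[key] = value.strip()
    return params

def check_ldap2_tls(p):
    """Return findings for a parsed clause; an empty list means it passes."""
    verify = p.get("SSLVerify", "").lower()
    has_file, has_path = "SSLCAFile" in p, "SSLCAPath" in p
    rules = [
        ("UseSSL" not in p and "UseTLS" not in p, "neither UseSSL nor UseTLS: directory traffic is in the clear"),
        ("UseSSL" in p and "UseTLS" in p, "both UseSSL and UseTLS set; SSL will be used"),
        (verify == "none", "SSLVerify none: the LDAP server certificate is not checked"),
        (has_file and has_path, "both SSLCAFile and SSLCAPath set; only one is needed"),
        (verify != "none" and not (has_file or has_path), "no SSLCAFile or SSLCAPath: no CA to verify the server"),
        (("SSLCAClientCert" in p) != ("SSLCAClientKey" in p), "SSLCAClientCert and SSLCAClientKey go together"),
    ]
    findings = [msg for hit, msg in rules if hit]
    for key in ("SSLCAClientCert", "SSLCAClientKey", "SSLCAFile"):
        if key in p and not p[key].lower().endswith(".pem"):
            findings.append(f"{key} is not a .pem file; LDAP2 certificates must be PEM")
    return findings

# Constructed sample mirroring the clause posted in the thread (no secrets).
WEAK_CLAUSE = """<AuthBy LDAP2>
    Host ad.example.invalid
    Port 636
    UseSSL
    SSLVerify none
    SSLCAPath /etc/openldap/cacerts
</AuthBy>"""
# The same clause with server verification required and a client cert/key pair.
HARDENED_CLAUSE = WEAK_CLAUSE.replace("SSLVerify none", "SSLVerify require").replace(
    "SSLCAPath /etc/openldap/cacerts",
    "SSLCAFile /etc/openldap/cacerts/ad-ca.pem\n"
    "    SSLCAClientCert /etc/radiator/radiator-client.pem\n"
    "    SSLCAClientKey /etc/radiator/radiator-client-key.pem")
```

Running check_ldap2_tls(parse_authby(WEAK_CLAUSE)) reports only the SSLVerify finding, and the hardened clause reports nothing.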