[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: LDAP + RADIUS + SSL

To: Dieter Kluenter <dieter@dkluenter.de>
Subject: Re: LDAP + RADIUS + SSL
From: Anderson Alves de Albuquerque <anderson@belem.voip.nce.ufrj.br>
Date: Fri, 14 Jan 2005 09:05:03 -0300 (EasT)
Cc: openldap-software@OpenLDAP.org
In-reply-to: <m3y8ewuya4.fsf@marin.l4b.de>

  I am listing my steps....

- I am doing this steps:
% openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 365 

% mkdir /var/myca
% cd /var/myca/ 
% /usr/share/ssl/misc/CA.sh -newca

% openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem 

% /usr/share/ssl/misc/CA.sh -sign 

% cp demoCA/cacert.pem /usr/var/openldap-data/cacert.pem 
% mv newcert.pem /usr/var/openldap-data/servercrt.pem 
% mv newreq.pem /usr/var/openldap-data/serverkey.pem 
% chmod 400 /usr/var/openldap-data/serverkey.pem 



- I created certs to my client:
% openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem 
% /usr/share/ssl/misc/CA.sh -sign 

% cp demoCA/cacert.pem /usr/var/openldap-data/cacert.pem 
% mv newcert.pem /usr/var/openldap-data/servercrt.pem 
% mv newreq.pem /usr/var/openldap-data/serverkey.pem 
% chmod 400 /usr/var/openldap-data/serverkey.pem 


% mv newcert.pem /home/user/certs/ldap.client.pem 
% mv newreq.pem /home/user/certs/keys/ldap.client.key.pem 
% chmod 400 /home/user/certs/keys/ldap.client.key.pem 



- In my slapd.conf:
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /tmp/ssl/SSL/cacert.pem
TLSCertificateFile /tmp/ssl/SSL/servercrt.pem
TLSCertificateKeyFile /tmp/ssl/SSL/serverkey.pem



- Im my radiusd.conf:
		start_tls=no
                tls_cacertfile = /tmp/ssl/SSL/cacert.pem
                tls_cacertdir = /tmp/ssl/SSL
                port=636
                #tls_certfile = /tmp/ssl/SSL/ldap.client.pem
                #tls_keyfile = /tmp/ssl/SSL/ldap.client.key.pem




- I make a test with this config below:
                start_tls=no
                tls_cacertfile = /tmp/ssl/SSL/cacert.pem
                tls_cacertdir = /tmp/ssl/SSL
                port=636
                tls_certfile = /tmp/ssl/SSL/ldap.client.pem
                tls_keyfile = /tmp/ssl/SSL/ldap.client.key.pem








On Fri, 14 Jan 2005, Dieter Kluenter wrote:

> Anderson Alves de Albuquerque <anderson@belem.voip.nce.ufrj.br> writes:
> 
> >   I use my RADIUS make authentication in LDAP server, but I have a 
> > problema that I describe below.
> >
> >   I created the certificates with 
> > http://www.freeradius.org/radiusd/doc/rlm_ldap. And I put in my
> >  radiusd.conf the configs below, but I have problems. 
> 
> [...]
> > tls_read: want=5, got=5
> >   0000:  15 03 01 00 02                                     .....
> > tls_read: want=2, got=2
> >   0000:  02 30                                              .0
> > TLS: can't accept.
> > TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> > /usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_pkt.c:1052
> > ^Cslapd shutdown: waiting for 0 threads to terminate
> > slapd stopped.
> 
> You did not describe how you created your certificates, but the log
> clearly says that the CA is unknown. This is a good document on
> creating certificates
> http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html
> 
> -Dieter
> 
>

Follow-Ups:
- Re: LDAP + RADIUS + SSL
  - From: "Dieter Kluenter" <dieter@dkluenter.de>
- Re: LDAP + RADIUS + SSL
  - From: Samuel Tran <stran@amnh.org>

References:
- Re: LDAP + RADIUS + SSL
  - From: "Dieter Kluenter" <dieter@dkluenter.de>

Prev by Date: Re: LDAP + RADIUS + SSL
Next by Date: OpenLDAP+Oracle10g
Index(es):
- Chronological
- Thread