TLS + radius.conf



  • Hi,

    Where does the cert manager store the cacert.pem that I have uploaded via the GUI?

    Where can I find and edit radius.conf?  The GUI does not seem to have an option to set "start_tls = yes"

    I have tested using ldapsearch at the command prompt, and it is complaining about a self-signed certificate in the chain.  Is that because it cannot locate the correct TLS_CACERT path?

    Regards,
    Rob.



  • Solved.

    Quick answer: Edit the file /usr/local/pkg/freeradius.inc to comment out the below settings lines, and reboot:

    (found in the freeradius_modulesldap_resync section)

    
    		cacertdir = {$raddb}/certs/
    		certfile = {$raddb}/certs/radius_ldap1_cert.crt
    		keyfile = {$raddb}/certs/radius_ldap1_cert.key
    
    

    Explanation:

    Testing the ldaps connection via ldapsearch always failed due to the "self-signed certificate in chain" error.  When I tested the certificate with "openssl s_client -connect server:636", I got the same error.

    I then added the option "-CAfile /usr/local/etc/raddb/certs/ca_ldap1_cert.pem" in, and it tested fine (for this to work, you must at some point have set the CA cert in the GUI under the LDAP->TLS options to the relevant cert in the Cert Manager; otherwise the .inc script will not have copied the contents to this cert file).

    I realised that the radius.conf include file for the LDAP settings (located at: /usr/local/etc/raddb/modules/ldap) was ignoring the line for the cacertfile.  Some digging around online suggested that the other "CA*" options can interfere with the setup when performing TLS over ldap:/// connections.

    So I commented them out, and behold, it worked.  Upon reboot, the comments were removed, so you actually have to edit the freeradius.inc file to ensure the comments get re-applied each time.

    Clearly the author had some notion of this, as he has notes on the GUI saying to leave the options at "None", however the freeradius.inc script still includes the above lines in the .conf output whether you have set them to "None" or not.  This is probably a bug.

    --

    In answer to the start_tls question, the freeradius.inc file does indeed correlate the tick box in the GUI to that option, so I am now using port 389 as expected.

    And in answer to the ldap.conf issue, the ldap tools on pfSense have no default configuration setup in the .conf file.

    Regards,
    Rob.
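    The workaround above has to be re-applied whenever the package is reinstalled or upgraded. The following POSIX sh helper is an added example, not code from the thread or from the pfSense FreeRADIUS package: it comments out the cacertdir/certfile/keyfile lines in /usr/local/pkg/freeradius.inc (the path from the post) while leaving cacertfile alone, and is safe to run repeatedly. The function names and the sample fragment are my own; the fragment is constructed to mimic the lines shown above.

```shell
#!/bin/sh
# Added example (not from the forum post or the pfSense package). Comments out the
# cacertdir/certfile/keyfile lines in a freeradius.inc-style file so the generated
# ldap module config only carries cacertfile. Uses sed -E, which both BSD sed
# (pfSense) and GNU sed support; sed -i is avoided because its syntax differs.
set -eu

# Path given in the thread; override with INC_FILE=... for testing on a copy.
INC_FILE="${INC_FILE:-/usr/local/pkg/freeradius.inc}"

# Print the file with the three settings prefixed by '#'. Lines that are already
# commented, and the cacertfile line, do not match, so repeated runs are harmless.
comment_ldap_cert_lines() {
    sed -E 's/^([[:space:]]*)(cacertdir|certfile|keyfile)[[:space:]]*=/\1#\2 =/' "$1"
}

# Rewrite the file in place, keeping a .bak copy of the original.
apply_fix() {
    tmp="$(mktemp)"
    comment_ldap_cert_lines "$1" >"$tmp"
    cp "$1" "$1.bak"
    mv "$tmp" "$1"
}

# Number of the three settings still active (uncommented) in the file.
active_cert_lines() {
    grep -cE '^[[:space:]]*(cacertdir|certfile|keyfile)[[:space:]]*=' "$1" || true
}

# Constructed sample resembling the heredoc in freeradius_modulesldap_resync.
make_sample() {
    cat >"$1" <<'EOF'
		cacertfile = {$raddb}/certs/ca_ldap1_cert.pem
		cacertdir = {$raddb}/certs/
		certfile = {$raddb}/certs/radius_ldap1_cert.crt
		keyfile = {$raddb}/certs/radius_ldap1_cert.key
EOF
}

# Usage on the box: apply_fix "$INC_FILE", then resync/restart FreeRADIUS.
```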



  • @peridian:

    So I commented them out, and behold, it worked.  Upon reboot, the comments were removed, so you actually have to edit the freeradius.inc file to ensure the comments get re-applied each time.

    Clearly the author had some notion of this, as he has notes on the GUI saying to leave the options at "None", however the freeradius.inc script still includes the above lines in the .conf output whether you have set them to "None" or not.  This is probably a bug.

    Sorry for reviving this thread, but this bug still exists… Any chance of getting a fix?

    Thanks for your work.

