Hello,
With the assumption that you are using a CA chain, we recommend that you follow the steps below to integrate AD with your YubiRADIUS setup:
Please put the following entries into the "LDAP Certificate" text box under the "Users Import" tab:
We recommend that you extract the full certificate string, starting from the "-----BEGIN CERTIFICATE-----" tag and ending with the "-----END CERTIFICATE-----" tag.
Also make the following changes to /etc/ldap/ldap.conf file.
Please comment out the following line:
#TLS_CACERTDIR /etc/ssl/certs
Remove the comment from the following line:
TLS_CACERTDIR /etc/ssl/yubico-RoP
Test the YubiRADIUS by using following steps:
Go to YubiRADIUS >> create new domain >> select that domain >> click on "User Import" tab >> select the "Use Secure Connection option" to "Yes" >> enter the extracted certificate in "Ldap certificate" field >> enter the remaining credentials on that page >> click on "Import Users" button.
FYI,
You can check whether the SSL connection is working and see what is happening by issuing the command:
$ openssl s_client -connect <ip>:636 -CApath /etc/ssl/certs
To test whether the SSL connection is working correctly with LDAP, try the following command:
$ ldapsearch -x -H ldaps://ads.domain.com -b <BASEDN> -D <binddn> -w <password>
If ldapsearch fails, while the s_client test returns with 'Verify return code 0 (ok)', please make sure that the URL you are connecting with after the -H option contains the exact same hostname as is specified behind CN= in the output of s_client (at the very beginning of the output from s_client).
Hope this helps.
Thanks and best regards,
Samir.
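The last troubleshooting step above (the hostname after -H must equal the CN in the s_client output) can be automated. The following shell script is an added example, not part of Samir's reply or of YubiRADIUS; the function names and the sample s_client output are constructed for illustration.

```sh
#!/bin/sh
# Added example: compare the host in an ldaps:// URL with the CN that
# "openssl s_client" reports in its first "subject=" line.
# Function names are hypothetical; SAMPLE_OUT is a constructed s_client transcript.

# Host part of an ldap:// or ldaps:// URL, with scheme, port and path removed.
ldap_url_host() {
  printf '%s\n' "$1" | sed -e 's#^[a-zA-Z]*://##' -e 's#[:/].*$##'
}

# CN= value from the first "subject=" line; handles both the
# "subject=/DC=x/CN=host" and the "subject=CN = host, O = org" layouts.
s_client_cn() {
  printf '%s\n' "$1" | sed -n 's/^subject=.*CN *= *\([^,/]*\).*/\1/p' | head -n 1
}

# Exit status 0 when the URL host equals the certificate CN, 1 otherwise.
ldaps_host_matches() {
  url_host=$(ldap_url_host "$1")
  cert_cn=$(s_client_cn "$2")
  [ -n "$url_host" ] && [ "$url_host" = "$cert_cn" ]
}

# Live use (needs network access to the directory server):
#   out=$(openssl s_client -connect ads.domain.com:636 -CApath /etc/ssl/certs </dev/null 2>/dev/null)
#   ldaps_host_matches "ldaps://ads.domain.com" "$out" && echo "URL host matches certificate CN"

# Constructed sample of what s_client prints for a correctly issued server certificate.
SAMPLE_OUT="CONNECTED(00000003)
depth=1 CN = Example Root CA
verify return:1
depth=0 CN = ads.domain.com
verify return:1
subject=CN = ads.domain.com
issuer=CN = Example Root CA
    Verify return code: 0 (ok)"
```

Connecting by IP address (ldaps://10.0.0.5) fails this check even though s_client reports "Verify return code: 0 (ok)", which is exactly the situation the reply describes. Modern LDAP clients also accept a subjectAltName DNS entry that matches the host; this script only compares the CN the reply refers to.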