[389-users] RHDS and Radius Certificate
Natr Brazell
natrbrazell at gmail.com
Tue Mar 23 16:44:35 UTC 2010
I think I would understand it more if I understood the following sections:
cacertfile = /usr/local/etc/freeradius/certs/CA_certif.crt
(If I am doing testing, how do I make this file?)
Do I really need this section? I don't have, nor will I have any Wi-Fi and
all users connecting in my case are on the same VLAN.
access_attr_used_for_allow = yes
access_attr = "X-Vlan-WiFi"
dictionary_mapping = ${raddbdir}/ldap.attrmap
Again as in the first note above.
private_key_file = ${certdir}/<radius-server.key>
certificate_file = ${certdir}/<radius-server.crt>
CA_file = ${certdir}/CA_certif.crt
Doing an initial test without the need of an official CA. What's the
difference between the above 3 files, and how do I generate them? If I sound like
a dunce, I am in this respect. PKI is fairly new for me to configure. I
understand it in theory but getting all the pieces to fit is confusing.
Thanks for the useful responses.
N
2010/3/23 Andrey Ivanov <andrey.ivanov at polytechnique.fr>
> Hi,
>
> Exactly the same freeradius configuration applies to RHDS and OpenLdap.
> Depending on how you want to authenticate users you may use either
> login/password or user certificate, both types of authentication are
> configurable on freeradius and on RHDS. We use freeradius with 3 master 389
> servers and login/password (EAP-TTLS with PAP) and it works without any
> problem. Here is an example of modules/ldap freeradius config file for our
> case:
>
> ldap Ldap-First {
>     server = <ldap server fqdn>
>     port = 389
>     net_timeout = 2
>     timeout = 10
>     timelimit = 10
>     #ldap_debug = 0xffff
>     identity = "uid=radius,dc=example,dc=com"
>     password = <password>
>     ldap_connections_number = 5
>     basedn = "ou=users,dc=example,dc=com"
>     filter = "(&(uid=%{User-Name})(objectClass=inetOrgPerson))"
>     base_filter = "(objectclass=inetOrgPerson)"
>
>     tls {
>         start_tls = yes
>         tls_mode = no
>         cacertfile = /usr/local/etc/freeradius/certs/CA_certif.crt
>         require_cert = demand
>     }
>
>     access_attr_used_for_allow = yes
>     access_attr = "X-Vlan-WiFi"
>     dictionary_mapping = ${raddbdir}/ldap.attrmap
>
>     set_auth_type = yes
> }
>
>
> Here X-Vlan-WiFi is the attribute that we use to determine the VLAN where
> the user should be after connection. CA_certif.crt is the certificate of the
> certification authority that signed ldap's certificate (used during
> establishing the TLS session between radius and ldap server) and radius'
> certificate.
>
> The file eap.conf:
> eap {
>     default_eap_type = ttls
>     timer_expire = 60
>     ignore_unknown_eap_types = no
>     cisco_accounting_username_bug = no
>     max_sessions = 2048
>
>     tls {
>         certdir = ${confdir}/certs
>
>         private_key_file = ${certdir}/<radius-server.key>
>         certificate_file = ${certdir}/<radius-server.crt>
>         CA_file = ${certdir}/CA_certif.crt
>         cipher_list = "DEFAULT"
>
>         dh_file = ${certdir}/dh
>         random_file = ${certdir}/random
>
>         fragment_size = 1024
>         include_length = yes
>
>     }
>
>     ttls {
>         default_eap_type = md5
>         copy_request_to_tunnel = yes
>         use_tunneled_reply = yes
>     }
> }
>
> 2010/3/22 Natr Brazell <natrbrazell at gmail.com>
>
>> I am trying to configure my freeradius box to use TLS to my RHDS
>> server. I find many references to what to do with OpenLDAP however nothing
>> good with RHDS or FDS. Do I need a certificate for every user
>> authenticating against my LDAP server through Radius or just a certificate
>> from my Radius server to my LDAP server? Any pointers would be most
>> helpful.
>>
>> Thanks,
>> Nate
>>
>> --
>> 389 users mailing list
>> 389-users at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>
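The three files the question above asks about (the CA certificate used for both cacertfile and CA_file, the RADIUS server's private key, and the server certificate the CA issues for it), built for a lab with no official CA. This is an added example, not code from the thread or from FreeRADIUS; it assumes the openssl command-line tool is installed, and the server name, CA name and 365-day lifetimes are placeholders to adjust.

```shell
#!/bin/sh
# Added example (not from the thread); assumes the openssl CLI is installed.
# Roles of the three files named in eap.conf and modules/ldap:
#   CA_certif.crt      the test CA's certificate: it signs the RADIUS server
#                      cert (and, in production, the LDAP server's) and is
#                      what peers are told to trust (CA_file / cacertfile)
#   radius-server.key  the RADIUS server's private key (private_key_file)
#   radius-server.crt  the server certificate issued by the test CA
#                      (certificate_file)
# Usage: make_test_pki <certdir> <radius-server-fqdn>
make_test_pki() {
    certdir="$1"; fqdn="$2"
    mkdir -p "$certdir" || return 1
    # Minimal OpenSSL config: CA:TRUE on the CA cert, serverAuth on the server cert.
    cat > "$certdir/test-pki.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$fqdn
EOF
    # 1. Self-signed test CA; its key is only ever used to sign, keep it offline.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Test RADIUS CA" -config "$certdir/test-pki.cnf" \
        -extensions ca_ext -keyout "$certdir/CA_certif.key" \
        -out "$certdir/CA_certif.crt" 2>/dev/null || return 1
    # 2. RADIUS server private key plus a certificate request for it.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
        -config "$certdir/test-pki.cnf" -keyout "$certdir/radius-server.key" \
        -out "$certdir/radius-server.csr" 2>/dev/null || return 1
    # 3. The test CA issues the server certificate from that request.
    openssl x509 -req -days 365 -in "$certdir/radius-server.csr" \
        -CA "$certdir/CA_certif.crt" -CAkey "$certdir/CA_certif.key" \
        -CAcreateserial -extfile "$certdir/test-pki.cnf" \
        -extensions server_ext -out "$certdir/radius-server.crt" \
        2>/dev/null || return 1
    chmod 600 "$certdir/CA_certif.key" "$certdir/radius-server.key"
}
# Exit status 0 when radius-server.crt chains to CA_certif.crt.
verify_test_pki() {
    openssl verify -CAfile "$1/CA_certif.crt" "$1/radius-server.crt" >/dev/null 2>&1
}
```

Point CA_file and cacertfile at CA_certif.crt and private_key_file/certificate_file at the two radius-server files; for the rlm_ldap TLS check (require_cert = demand) to pass, the LDAP server's certificate must chain to the CA that cacertfile names, so either issue it from this test CA as well or point cacertfile at the CA that did sign it.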