[389-users] RHDS and Radius Certificate

Andrey Ivanov andrey.ivanov at polytechnique.fr
Wed Mar 24 07:49:07 UTC 2010 

2010/3/23 Natr Brazell <natrbrazell at gmail.com>

> I think I would understand it more if I understood the following sections:
>
>                 cacertfile =  /usr/local/etc/freeradius/certs/CA_certif.crt
> (If I am doing testing how to I make this file)
>
>
>
It's the public certificate of the CA that has signed (in our case) both 389
and freeradius certificates.



> Do I really need this section.  I don't have, nor will I have any Wi-Fi and
> all users connecting in my case are on the same VLAN.
>
>         access_attr_used_for_allow = yes
>         access_attr = "X-Vlan-WiFi"
>         dictionary_mapping = ${raddbdir}/ldap.attrmap
>
> No, as i told you this section is only necessary if you want to pass some
parameters from LDAP to radius. In your case you don't need this.



> Again as in the first note above.
>
>                 private_key_file = ${certdir}/<radius-server.key>
>                 certificate_file = ${certdir}/<<radius-server.crt>
>                 CA_file = ${certdir}/CA_certif.crt
> Doing an initial test without the need of an official CA.  What's the
> difference in the above 3 files and how to I generate them.  If I sound like
> a dunce, I am in this respect.  PKI is fairly new for me to configure.  I
> understand it in theory but getting all the pieces to fit is confusing.
>
These are private key and certificate of the freeradius server signed by a
CA . In our case it's the same CA as in cacertfile. In order to generate
them we use openssl, you can try tinyCA or some other web/gui manager of
PKI. It's more of certificates/PKI question than LDAP one...



>

> Thanks for the useful responses.
> N
> 2010/3/23 Andrey Ivanov <andrey.ivanov at polytechnique.fr>
>
> Hi,
>>
>> exactly the same freeradius configuration applies to RHDS and OpenLdap.
>> Depending on how you want to authenticate users you may use either
>> login/password or user certificate, both types of authentification are
>> configurable on freeradius and on RHDS.  We use freeradius with 3 master 389
>> servers and login/password (EAP-TTLS with PAP) and it works without any
>> problem. Here is an example of modules/ldap freradius config file for our
>> case :
>>
>> ldap Ldap-First {
>>         server = <ldap server fqdn>
>>         port = 389
>>         net_timeout = 2
>>         timeout = 10
>>         timelimit = 10
>>         #ldap_debug = 0xffff
>>         identity = "uid=radius,dc=example,dc=com"
>>         password = <password>
>>         ldap_connections_number = 5
>>         basedn = "ou=users,dc=example,dc=com"
>>         filter = "(&(uid=%{User-Name})(objectClass=inetOrgPerson))"
>>         base_filter = "(objectclass=inetOrgPerson)"
>>
>>         tls {
>>                 start_tls = yes
>>                 tls_mode = no
>>                 cacertfile =
>> /usr/local/etc/freeradius/certs/CA_certif.crt
>>                 require_cert = demand
>>         }
>>
>>         access_attr_used_for_allow = yes
>>         access_attr = "X-Vlan-WiFi"
>>         dictionary_mapping = ${raddbdir}/ldap.attrmap
>>
>>         set_auth_type = yes
>> }
>>
>>
>> Here X-Vlan-WiFi is the attribute that we use to determine the VLAN where
>> the user should be after connection. CA_certif.crt is the certif of the
>> certification authority that signed ldap's certificate (used during
>> establishing the TLS session between radius and ldap server) and radius'
>> certificate.
>>
>> The file eap.conf :
>> eap {
>>         default_eap_type = ttls
>>         timer_expire     = 60
>>         ignore_unknown_eap_types = no
>>         cisco_accounting_username_bug = no
>>         max_sessions = 2048
>>
>>         tls {
>>                 certdir = ${confdir}/certs
>>
>>                 private_key_file = ${certdir}/<radius-server.key>
>>                 certificate_file = ${certdir}/<<radius-server.crt>
>>                 CA_file = ${certdir}/CA_certif.crt
>>                 cipher_list = "DEFAULT"
>>
>>                 dh_file = ${certdir}/dh
>>                 random_file = ${certdir}/random
>>
>>                 fragment_size = 1024
>>                 include_length = yes
>>
>>         }
>>
>>         ttls {
>>                 default_eap_type = md5
>>                 copy_request_to_tunnel = yes
>>                 use_tunneled_reply = yes
>>         }
>> }
>>
>> 2010/3/22 Natr Brazell <natrbrazell at gmail.com>
>>
>>>  I am trying to configure my freeradius box to use TLS to my RHDS
>>> server.  I find many references to what to do with OpenLDAP however nothing
>>> good with RHDS or FDS.  Do I need a certificate for every user
>>> authenticating against my LDAP server through Radius or just a certificate
>>> from my Radius server to my LDAP server?  Any pointers would be most
>>> helpful.
>>>
>>> Thanks,
>>> Nate
>>>
>>> --
>>> 389 users mailing list
>>> 389-users at lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>>
>>
>>
>> --
>> 389 users mailing list
>> 389-users at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>
>
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20100324/3a6d731c/attachment.html>

More information about the 389-users mailing list