[389-users] RHDS and Radius Certificate
Andrey Ivanov
andrey.ivanov at polytechnique.fr
Wed Mar 24 07:49:07 UTC 2010
2010/3/23 Natr Brazell <natrbrazell at gmail.com>
> I think I would understand it more if I understood the following sections:
>
> cacertfile = /usr/local/etc/freeradius/certs/CA_certif.crt
> (If I am doing testing how to I make this file)
>
>
>
It's the public certificate of the CA that has signed (in our case) both the 389
and freeradius certificates.
> Do I really need this section. I don't have, nor will I have any Wi-Fi and
> all users connecting in my case are on the same VLAN.
>
> access_attr_used_for_allow = yes
> access_attr = "X-Vlan-WiFi"
> dictionary_mapping = ${raddbdir}/ldap.attrmap
>
No, as I told you this section is only necessary if you want to pass some
parameters from LDAP to radius. In your case you don't need this.
> Again as in the first note above.
>
> private_key_file = ${certdir}/<radius-server.key>
> certificate_file = ${certdir}/<radius-server.crt>
> CA_file = ${certdir}/CA_certif.crt
> Doing an initial test without the need of an official CA. What's the
> difference in the above 3 files and how to I generate them. If I sound like
> a dunce, I am in this respect. PKI is fairly new for me to configure. I
> understand it in theory but getting all the pieces to fit is confusing.
>
These are the private key and certificate of the freeradius server, signed by a
CA. In our case it's the same CA as in cacertfile. To generate them we use
openssl; you can try tinyCA or some other web/GUI PKI manager. It's more of a
certificates/PKI question than an LDAP one...
>
> Thanks for the useful responses.
> N
> 2010/3/23 Andrey Ivanov <andrey.ivanov at polytechnique.fr>
>
>> Hi,
>>
>> Exactly the same freeradius configuration applies to RHDS and OpenLdap.
>> Depending on how you want to authenticate users you may use either
>> login/password or user certificate; both types of authentication are
>> configurable on freeradius and on RHDS. We use freeradius with 3 master 389
>> servers and login/password (EAP-TTLS with PAP) and it works without any
>> problem. Here is an example of the modules/ldap freeradius config file for our
>> case:
>>
>> ldap Ldap-First {
>>     server = <ldap server fqdn>
>>     port = 389
>>     net_timeout = 2
>>     timeout = 10
>>     timelimit = 10
>>     #ldap_debug = 0xffff
>>     identity = "uid=radius,dc=example,dc=com"
>>     password = <password>
>>     ldap_connections_number = 5
>>     basedn = "ou=users,dc=example,dc=com"
>>     filter = "(&(uid=%{User-Name})(objectClass=inetOrgPerson))"
>>     base_filter = "(objectclass=inetOrgPerson)"
>>
>>     tls {
>>         start_tls = yes
>>         tls_mode = no
>>         cacertfile = /usr/local/etc/freeradius/certs/CA_certif.crt
>>         require_cert = demand
>>     }
>>
>>     access_attr_used_for_allow = yes
>>     access_attr = "X-Vlan-WiFi"
>>     dictionary_mapping = ${raddbdir}/ldap.attrmap
>>
>>     set_auth_type = yes
>> }
>>
>>
>> Here X-Vlan-WiFi is the attribute that we use to determine the VLAN where
>> the user should be after connection. CA_certif.crt is the certificate of the
>> certification authority that signed the LDAP server's certificate (used when
>> establishing the TLS session between radius and the ldap server) and radius'
>> certificate.
>>
>> The file eap.conf:
>> eap {
>>     default_eap_type = ttls
>>     timer_expire = 60
>>     ignore_unknown_eap_types = no
>>     cisco_accounting_username_bug = no
>>     max_sessions = 2048
>>
>>     tls {
>>         certdir = ${confdir}/certs
>>
>>         private_key_file = ${certdir}/<radius-server.key>
>>         certificate_file = ${certdir}/<radius-server.crt>
>>         CA_file = ${certdir}/CA_certif.crt
>>         cipher_list = "DEFAULT"
>>
>>         dh_file = ${certdir}/dh
>>         random_file = ${certdir}/random
>>
>>         fragment_size = 1024
>>         include_length = yes
>>
>>     }
>>
>>     ttls {
>>         default_eap_type = md5
>>         copy_request_to_tunnel = yes
>>         use_tunneled_reply = yes
>>     }
>> }
>>
>> 2010/3/22 Natr Brazell <natrbrazell at gmail.com>
>>
>>> I am trying to configure my freeradius box to use TLS to my RHDS
>>> server. I find many references to what to do with OpenLDAP however nothing
>>> good with RHDS or FDS. Do I need a certificate for every user
>>> authenticating against my LDAP server through Radius or just a certificate
>>> from my Radius server to my LDAP server? Any pointers would be most
>>> helpful.
>>>
>>> Thanks,
>>> Nate
>>>
>>> --
>>> 389 users mailing list
>>> 389-users at lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>>
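The thread answers that CA_certif.crt, radius-server.key and radius-server.crt are produced with openssl but does not show how; the script below is an added example (not from the thread or the freeradius project) that builds a throwaway test CA, issues the radius server key and certificate from it, and checks the two things freeradius will rely on: that certificate_file chains to CA_file and that private_key_file belongs to certificate_file. It assumes the openssl CLI is on PATH; the file names follow the quoted config and the subject names are made up for the test.

```shell
#!/bin/sh
# Added example, not from the thread: throwaway test PKI for freeradius.
# Assumes the openssl CLI is available; subject names below are constructed.
set -eu

make_test_pki() {
    dir="$1"
    mkdir -p "$dir"
    # 1. Self-signed CA: the CA_certif.crt used as cacertfile and CA_file.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$dir/CA.key" -out "$dir/CA_certif.crt" \
        -subj "/CN=Test CA" >/dev/null 2>&1
    # 2. Radius server key (private_key_file) and a signing request for it.
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/radius-server.key" -out "$dir/radius-server.csr" \
        -subj "/CN=radius.example.com" >/dev/null 2>&1
    # 3. The CA signs the request; the result becomes certificate_file.
    openssl x509 -req -days 30 -in "$dir/radius-server.csr" \
        -CA "$dir/CA_certif.crt" -CAkey "$dir/CA.key" -CAcreateserial \
        -out "$dir/radius-server.crt" >/dev/null 2>&1
}

# Succeeds only if the certificate ($2) chains to the CA file ($1); this is
# the check require_cert = demand applies to the LDAP server's certificate.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeeds only if the private key ($1) and the certificate ($2) carry the
# same public key, i.e. private_key_file matches certificate_file.
key_matches_cert() {
    k="$(openssl pkey -in "$1" -pubout 2>/dev/null)"
    c="$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)"
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage: ./test-pki.sh run   (writes the files under ./test-pki)
if [ "${1:-}" = "run" ]; then
    make_test_pki ./test-pki
    verify_chain ./test-pki/CA_certif.crt ./test-pki/radius-server.crt \
        && echo "chain OK"
    key_matches_cert ./test-pki/radius-server.key ./test-pki/radius-server.crt \
        && echo "key OK"
fi
```

A certificate issued by a different CA fails verify_chain, which is exactly the failure you want freeradius to reject at startup rather than silently accept.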