[389-users] RHDS and Radius Certificate

Natr Brazell natrbrazell at gmail.com
Wed Mar 24 12:15:47 UTC 2010


Thanks,

I'll keep working it.

N

2010/3/24 Andrey Ivanov <andrey.ivanov at polytechnique.fr>

>
>
> 2010/3/23 Natr Brazell <natrbrazell at gmail.com>
>
>> I think I would understand it more if I understood the following
>> sections:
>>
>>                 cacertfile =
>> /usr/local/etc/freeradius/certs/CA_certif.crt (If I am doing testing, how do
>> I make this file?)
>>
>>
>>
> It's the public certificate of the CA that has signed (in our case) both
> 389 and freeradius certificates.
>
>
>
>> Do I really need this section.  I don't have, nor will I have any Wi-Fi
>> and all users connecting in my case are on the same VLAN.
>>
>>         access_attr_used_for_allow = yes
>>         access_attr = "X-Vlan-WiFi"
>>         dictionary_mapping = ${raddbdir}/ldap.attrmap
>>
> No, as I told you, this section is only necessary if you want to pass some
> parameters from LDAP to radius. In your case you don't need this.
>
>
>
>> Again as in the first note above.
>>
>>                 private_key_file = ${certdir}/<radius-server.key>
>>                 certificate_file = ${certdir}/<radius-server.crt>
>>                 CA_file = ${certdir}/CA_certif.crt
>> Doing an initial test without the need of an official CA.  What's the
>> difference between the above 3 files and how do I generate them?  If I sound like
>> a dunce, I am in this respect.  PKI is fairly new for me to configure.  I
>> understand it in theory but getting all the pieces to fit is confusing.
>>
> These are the private key and certificate of the freeradius server, signed by a
> CA. In our case it's the same CA as in cacertfile. In order to generate
> them we use openssl; you can try tinyCA or some other web/GUI manager of
> PKI. It's more of a certificates/PKI question than an LDAP one...
>
>
>
>>
>
>> Thanks for the useful responses.
>> N
>> 2010/3/23 Andrey Ivanov <andrey.ivanov at polytechnique.fr>
>>
>>> Hi,
>>>
>>> Exactly the same freeradius configuration applies to RHDS and OpenLDAP.
>>> Depending on how you want to authenticate users you may use either
>>> login/password or user certificate; both types of authentication are
>>> configurable on freeradius and on RHDS.  We use freeradius with 3 master 389
>>> servers and login/password (EAP-TTLS with PAP) and it works without any
>>> problem. Here is an example of the modules/ldap freeradius config file for our
>>> case:
>>>
>>> ldap Ldap-First {
>>>         server = <ldap server fqdn>
>>>         port = 389
>>>         net_timeout = 2
>>>         timeout = 10
>>>         timelimit = 10
>>>         #ldap_debug = 0xffff
>>>         identity = "uid=radius,dc=example,dc=com"
>>>         password = <password>
>>>         ldap_connections_number = 5
>>>         basedn = "ou=users,dc=example,dc=com"
>>>         filter = "(&(uid=%{User-Name})(objectClass=inetOrgPerson))"
>>>         base_filter = "(objectclass=inetOrgPerson)"
>>>
>>>         tls {
>>>                 start_tls = yes
>>>                 tls_mode = no
>>>                 cacertfile = /usr/local/etc/freeradius/certs/CA_certif.crt
>>>                 require_cert = demand
>>>         }
>>>
>>>         access_attr_used_for_allow = yes
>>>         access_attr = "X-Vlan-WiFi"
>>>         dictionary_mapping = ${raddbdir}/ldap.attrmap
>>>
>>>         set_auth_type = yes
>>> }
>>>
>>>
>>> Here X-Vlan-WiFi is the attribute that we use to determine the VLAN where
>>> the user should be after connection. CA_certif.crt is the certif of the
>>> certification authority that signed ldap's certificate (used during
>>> establishing the TLS session between radius and ldap server) and radius'
>>> certificate.
>>>
>>> The file eap.conf :
>>> eap {
>>>         default_eap_type = ttls
>>>         timer_expire     = 60
>>>         ignore_unknown_eap_types = no
>>>         cisco_accounting_username_bug = no
>>>         max_sessions = 2048
>>>
>>>         tls {
>>>                 certdir = ${confdir}/certs
>>>
>>>                 private_key_file = ${certdir}/<radius-server.key>
>>>                 certificate_file = ${certdir}/<radius-server.crt>
>>>                 CA_file = ${certdir}/CA_certif.crt
>>>                 cipher_list = "DEFAULT"
>>>
>>>                 dh_file = ${certdir}/dh
>>>                 random_file = ${certdir}/random
>>>
>>>                 fragment_size = 1024
>>>                 include_length = yes
>>>
>>>         }
>>>
>>>         ttls {
>>>                 default_eap_type = md5
>>>                 copy_request_to_tunnel = yes
>>>                 use_tunneled_reply = yes
>>>         }
>>> }
>>>
>>> 2010/3/22 Natr Brazell <natrbrazell at gmail.com>
>>>
>>>>  I am trying to configure my freeradius box to use TLS to my RHDS
>>>> server.  I find many references to what to do with OpenLDAP however nothing
>>>> good with RHDS or FDS.  Do I need a certificate for every user
>>>> authenticating against my LDAP server through Radius or just a certificate
>>>> from my Radius server to my LDAP server?  Any pointers would be most
>>>> helpful.
>>>>
>>>> Thanks,
>>>> Nate
>>>>
>>>> --
>>>> 389 users mailing list
>>>> 389-users at lists.fedoraproject.org
>>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>>>
>>>
>>>
>>>
>>
>>
>>
>
>
>
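The three files the thread keeps coming back to (the CA certificate used for cacertfile/CA_file, and the radius server's private_key_file and certificate_file) can be produced for a test setup with plain openssl. The script below is an added example, not code from the thread or from the 389/freeradius projects: it builds a throwaway private CA, issues a server certificate for the LDAP host and one for the radius host from that same CA (which is exactly the arrangement Andrey describes), and verifies that a leaf certificate chains to the CA, which is what freeradius does with cacertfile and require_cert = demand when it opens the StartTLS session. The hostnames, output names, key sizes and validity periods are placeholders; the only real requirement is an openssl binary on PATH and a writable scratch directory.

```shell
#!/bin/sh
# Added example (not from the thread): a throwaway test PKI for freeradius <-> 389 DS.
#   CA_certif.crt      -> cacertfile (modules/ldap) and CA_file (eap.conf)
#   radius-server.key  -> private_key_file
#   radius-server.crt  -> certificate_file
# The LDAP server certificate is issued the same way and then imported into 389 DS.
# Assumptions: 'openssl' on PATH; all names, subjects and lifetimes are placeholders.
set -eu

# make_ca DIR NAME -> DIR/NAME.key and DIR/NAME.crt (self-signed CA certificate).
# A private config is written so the result is a real CA (basicConstraints CA:TRUE)
# whatever the system openssl.cnf happens to contain.
make_ca() {
    dir=$1; name=$2
    mkdir -p "$dir"
    cat > "$dir/$name.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[ dn ]
CN = $name
[ ca_ext ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    openssl req -x509 -new -sha256 -days 365 \
        -config "$dir/$name.cnf" -key "$dir/$name.key" -out "$dir/$name.crt"
}

# issue_server_cert DIR CA FQDN OUT -> DIR/OUT.key and DIR/OUT.crt, signed by DIR/CA.{key,crt}.
# The leaf gets serverAuth and a DNS SAN for FQDN: TLS clients match the name they
# connected to, so the CN alone is not enough for modern validators.
issue_server_cert() {
    dir=$1; ca=$2; fqdn=$3; out=$4
    printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n' > "$dir/$out.cnf"
    openssl genrsa -out "$dir/$out.key" 2048 2>/dev/null
    openssl req -new -sha256 -config "$dir/$out.cnf" -key "$dir/$out.key" \
        -subj "/CN=$fqdn" -out "$dir/$out.csr"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$fqdn" > "$dir/$out.ext"
    openssl x509 -req -sha256 -days 365 -in "$dir/$out.csr" \
        -CA "$dir/$ca.crt" -CAkey "$dir/$ca.key" -CAcreateserial \
        -extfile "$dir/$out.ext" -out "$dir/$out.crt"
}

# verify_chain CAFILE CERT -> exit 0 only if CERT was issued by the CA in CAFILE.
# This is the check freeradius performs against cacertfile when require_cert = demand;
# pointing cacertfile at the wrong CA makes every StartTLS bind fail the same way.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone run: ./pki.sh demo
if [ "${1:-}" = "demo" ]; then
    w=$(mktemp -d)
    make_ca "$w" CA_certif
    issue_server_cert "$w" CA_certif ldap.example.com   ldap-server
    issue_server_cert "$w" CA_certif radius.example.com radius-server
    verify_chain "$w/CA_certif.crt" "$w/radius-server.crt" && echo "radius-server.crt chains to CA_certif.crt"
    ls "$w"
fi
```

Copy CA_certif.crt, radius-server.key and radius-server.crt into ${confdir}/certs and they match the eap.conf paths from the thread; the dh file referenced there is created separately with openssl dhparam (slow for 2048 bits). 389 DS keeps its key and certificate in an NSS database rather than in files, so ldap-server.key/.crt are bundled into a PKCS#12 and imported with pk12util, and CA_certif.crt is added as a trusted CA with certutil. With a recent OpenSSL (1.1.1 or later, which knows the ldap StartTLS dialect) `openssl s_client -connect <ldap fqdn>:389 -starttls ldap -CAfile CA_certif.crt` exercises the same handshake freeradius will perform, and its "Verify return code" line tells you whether cacertfile is the right CA before you touch the radius config at all.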
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20100324/358542f5/attachment.html>