<div>Thanks,</div>
<div> </div>
<div>I'll keep working it.</div>
<div> </div>
<div>N<br><br></div>
<div class="gmail_quote">2010/3/24 Andrey Ivanov <span dir="ltr"><<a href="mailto:andrey.ivanov@polytechnique.fr">andrey.ivanov@polytechnique.fr</a>></span><br>
<blockquote style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class="gmail_quote"><br><br>
<div class="gmail_quote">2010/3/23 Natr Brazell <span dir="ltr"><<a href="mailto:natrbrazell@gmail.com" target="_blank">natrbrazell@gmail.com</a>></span>
<div class="im"><br>
<blockquote style="BORDER-LEFT: rgb(204,204,204) 1px solid; MARGIN: 0pt 0pt 0pt 0.8ex; PADDING-LEFT: 1ex" class="gmail_quote">
<div>I think I would understand it more if I understood the following sections:</div>
<div> </div>
<div> cacertfile = /usr/local/etc/freeradius/certs/CA_certif.crt (If I am doing testing, how do I make this file?)</div>
<div> </div>
<div> </div></blockquote></div>
<div>It's the public certificate of the CA that has signed (in our case) both 389 and freeradius certificates.<br><br> </div>
<div class="im">
<blockquote style="BORDER-LEFT: rgb(204,204,204) 1px solid; MARGIN: 0pt 0pt 0pt 0.8ex; PADDING-LEFT: 1ex" class="gmail_quote">
<div>Do I really need this section? I don't have, nor will I have, any Wi-Fi, and all users connecting in my case are on the same VLAN.</div>
<div>
<div> </div>
<div> access_attr_used_for_allow = yes<br> access_attr = "X-Vlan-WiFi"<br> dictionary_mapping = ${raddbdir}/ldap.attrmap<br></div></div>
<div><br></div></blockquote></div>
<div>No, as I told you, this section is only necessary if you want to pass some parameters from LDAP to radius. In your case you don't need this.<br><br> </div>
<div class="im">
<blockquote style="BORDER-LEFT: rgb(204,204,204) 1px solid; MARGIN: 0pt 0pt 0pt 0.8ex; PADDING-LEFT: 1ex" class="gmail_quote">
<div>Again as in the first note above.</div>
<div>
<div> </div>
<div> private_key_file = ${certdir}/<radius-server.key><br> certificate_file = ${certdir}/<radius-server.crt><br> CA_file = ${certdir}/CA_certif.crt<br></div></div>
<div>Doing an initial test without the need of an official CA. What's the difference in the above 3 files and how do I generate them? If I sound like a dunce, I am in this respect. PKI is fairly new for me to configure. I understand it in theory but getting all the pieces to fit is confusing.<br>
</div></blockquote></div>
<div>These are the private key and certificate of the freeradius server, signed by a CA. In our case it's the same CA as in cacertfile. In order to generate them we use openssl; you can try tinyCA or some other web/GUI manager of PKI. It's more of a certificates/PKI question than an LDAP one...<br>
<br><br></div>
<div>
<div></div>
<div class="h5">
<blockquote style="BORDER-LEFT: rgb(204,204,204) 1px solid; MARGIN: 0pt 0pt 0pt 0.8ex; PADDING-LEFT: 1ex" class="gmail_quote">
<div> </div></blockquote>
<blockquote style="BORDER-LEFT: rgb(204,204,204) 1px solid; MARGIN: 0pt 0pt 0pt 0.8ex; PADDING-LEFT: 1ex" class="gmail_quote">
<div> </div>
<div>Thanks for the useful responses.</div>
<div>N</div>
<div class="gmail_quote">2010/3/23 Andrey Ivanov <span dir="ltr"><<a href="mailto:andrey.ivanov@polytechnique.fr" target="_blank">andrey.ivanov@polytechnique.fr</a>></span>
<div>
<div></div>
<div><br>
<blockquote style="BORDER-LEFT: rgb(204,204,204) 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class="gmail_quote">Hi,<br><br>exactly the same freeradius configuration applies to RHDS and OpenLDAP. Depending on how you want to authenticate users you may use either login/password or user certificate; both types of authentication are configurable on freeradius and on RHDS. We use freeradius with 3 master 389 servers and login/password (EAP-TTLS with PAP) and it works without any problem. Here is an example of the modules/ldap freeradius config file for our case:<br>
<br>ldap Ldap-First {<br> server = <ldap server fqdn><br> port = 389<br> net_timeout = 2<br> timeout = 10<br> timelimit = 10<br> #ldap_debug = 0xffff<br> identity = "uid=radius,dc=example,dc=com"<br>
password = <password><br> ldap_connections_number = 5<br> basedn = "ou=users,dc=example,dc=com"<br> filter = "(&(uid=%{User-Name})(objectClass=inetOrgPerson))"<br>
base_filter = "(objectclass=inetOrgPerson)"<br><br> tls { <br> start_tls = yes<br> tls_mode = no<br> cacertfile = /usr/local/etc/freeradius/certs/CA_certif.crt<br>
require_cert = demand<br> }<br><br> access_attr_used_for_allow = yes<br> access_attr = "X-Vlan-WiFi"<br> dictionary_mapping = ${raddbdir}/ldap.attrmap<br><br> set_auth_type = yes<br>
}<br><br><br>Here X-Vlan-WiFi is the attribute that we use to determine the VLAN where the user should be after connection. CA_certif.crt is the certif of the certification authority that signed ldap's certificate (used during establishing the TLS session between radius and ldap server) and radius' certificate.<br>
<br>The file eap.conf :<br>eap {<br> default_eap_type = ttls<br> timer_expire = 60<br> ignore_unknown_eap_types = no<br> cisco_accounting_username_bug = no<br> max_sessions = 2048<br>
<br> tls {<br> certdir = ${confdir}/certs<br><br> private_key_file = ${certdir}/<radius-server.key><br> certificate_file = ${certdir}/<radius-server.crt><br>
CA_file = ${certdir}/CA_certif.crt<br> cipher_list = "DEFAULT"<br><br> dh_file = ${certdir}/dh<br> random_file = ${certdir}/random<br><br> fragment_size = 1024<br>
include_length = yes<br><br> }<br><br> ttls {<br> default_eap_type = md5<br> copy_request_to_tunnel = yes<br> use_tunneled_reply = yes<br> }<br>
}<br><br>
<div class="gmail_quote">2010/3/22 Natr Brazell <span dir="ltr"><<a href="mailto:natrbrazell@gmail.com" target="_blank">natrbrazell@gmail.com</a>></span><br>
<blockquote style="BORDER-LEFT: rgb(204,204,204) 1px solid; MARGIN: 0pt 0pt 0pt 0.8ex; PADDING-LEFT: 1ex" class="gmail_quote">
<div>
<div>I am trying to configure my freeradius box to use TLS to my RHDS server. I find many references to what to do with OpenLDAP however nothing good with RHDS or FDS. Do I need a certificate for every user authenticating against my LDAP server through Radius or just a certificate from my Radius server to my LDAP server? Any pointers would be most helpful.</div>
<div> </div>
<div>Thanks,</div>
<div>Nate</div><br></div>--<br>389 users mailing list<br><a href="mailto:389-users@lists.fedoraproject.org" target="_blank">389-users@lists.fedoraproject.org</a><br><a href="https://admin.fedoraproject.org/mailman/listinfo/389-users" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/389-users</a><br>
</blockquote></div><br>
</blockquote></div></div></div><br>
</blockquote></div></div></div><br>
</blockquote></div><br>
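<div>Added example (not from the list thread, not freeradius or 389 project code): Nate asks how to produce the three files for an initial test without an official CA, and Andrey answers that they come from openssl. The script below builds exactly that throw-away test PKI: a self-signed test CA whose certificate plays the role of CA_certif.crt (cacertfile in modules/ldap, CA_file in eap.conf), and a server key and CA-signed server certificate playing the roles of private_key_file and certificate_file. It then runs the two checks a practitioner wants before pointing freeradius at the files: the server certificate verifies against the CA certificate, and the key matches the certificate. The output directory, the hostname radius-server.example.com and the file names CA.key, radius-server.csr and server.ext are assumptions; openssl(1) must be installed. The same CA can sign the 389 server's certificate, which is what makes the single cacertfile sufficient for the start_tls connection from radius to LDAP.</div>

```shell
#!/bin/sh
# Throw-away test PKI for a freeradius <-> 389 TLS setup. Added example,
# not from the mailing-list thread; assumes openssl(1) is installed.
set -u

# make_test_pki DIR [SERVER_CN]
# Writes CA_certif.crt, radius-server.key and radius-server.crt into DIR
# (plus CA.key, radius-server.csr and server.ext, all assumed names).
make_test_pki() {
    dir=$1
    cn=${2:-radius-server.example.com}     # assumed hostname of the radius box
    mkdir -p "$dir"

    # 1. A self-signed test CA. Its certificate is the "cacertfile" /
    #    "CA_file" from the thread; its key stays private and off the servers.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/CA.key" -out "$dir/CA_certif.crt" \
        -subj "/CN=Test CA" 2>/dev/null || return 1

    # 2. The radius server's private key ("private_key_file") and a CSR.
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/radius-server.key" -out "$dir/radius-server.csr" \
        -subj "/CN=$cn" 2>/dev/null || return 1

    # 3. Sign the CSR with the test CA -> "certificate_file". A SAN and the
    #    serverAuth EKU are what TLS clients and EAP supplicants check for.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$cn" \
        > "$dir/server.ext"
    openssl x509 -req -in "$dir/radius-server.csr" \
        -CA "$dir/CA_certif.crt" -CAkey "$dir/CA.key" -CAcreateserial \
        -days 365 -extfile "$dir/server.ext" \
        -out "$dir/radius-server.crt" 2>/dev/null || return 1

    # Private keys must not be world-readable.
    chmod 600 "$dir/CA.key" "$dir/radius-server.key"
    verify_chain "$dir"
}

# verify_chain DIR
# Succeeds only if radius-server.crt chains to CA_certif.crt AND the
# public key inside the certificate equals the one derived from the key.
verify_chain() {
    dir=$1
    openssl verify -CAfile "$dir/CA_certif.crt" "$dir/radius-server.crt" \
        >/dev/null 2>&1 || return 1
    k=$(openssl pkey -in "$dir/radius-server.key" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$dir/radius-server.crt" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage: sh make_test_pki.sh /usr/local/etc/freeradius/certs [hostname]
case "${1:-}" in
    "") ;;                         # sourced or run without args: define only
    *)  make_test_pki "$1" "${2:-}" && echo "test PKI written to $1" ;;
esac
```

<div>After running it, copy CA_certif.crt to the path used by cacertfile and point private_key_file, certificate_file and CA_file in eap.conf at the generated files. The dh_file and random_file entries from eap.conf are not produced here; openssl dhparam generates the former and takes minutes, which is why it is left out of this script.</div>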