Hi, exactly the same freeradius configuration applies to RHDS and OpenLDAP. Depending on how you want to authenticate users you may use either login/password or a user certificate; both types of authentication are configurable on freeradius and on RHDS. We use freeradius with 3 master 389 servers and login/password (EAP-TTLS with PAP) and it works without any problem.

Here is an example of the modules/ldap freeradius config file for our case:

  ldap Ldap-First {
          server = <ldap server fqdn>
          port = 389
          net_timeout = 2
          timeout = 10
          timelimit = 10
          #ldap_debug = 0xffff
          # bind DN and password used by radius to search the directory
          identity = "uid=radius,dc=example,dc=com"
          password = <password>
          ldap_connections_number = 5
          basedn = "ou=users,dc=example,dc=com"
          filter = "(&(uid=%{User-Name})(objectClass=inetOrgPerson))"
          base_filter = "(objectclass=inetOrgPerson)"
          tls {
                  # StartTLS on port 389 (tls_mode = yes would mean LDAPS instead)
                  start_tls = yes
                  tls_mode = no
                  # CA that signed the ldap server's certificate
                  cacertfile = /usr/local/etc/freeradius/certs/CA_certif.crt
                  # abort the connection if the server certificate does not verify
                  require_cert = demand
          }
          access_attr_used_for_allow = yes
          access_attr = "X-Vlan-WiFi"
          dictionary_mapping = ${raddbdir}/ldap.attrmap
          set_auth_type = yes
  }

Here X-Vlan-WiFi is the attribute that we use to determine the VLAN where the user should be placed after connecting. CA_certif.crt is the certificate of the certification authority that signed the ldap server's certificate (used when establishing the TLS session between radius and the ldap server) and radius' certificate.
The file eap.conf:

  eap {
          default_eap_type = ttls
          timer_expire = 60
          ignore_unknown_eap_types = no
          cisco_accounting_username_bug = no
          max_sessions = 2048
          tls {
                  certdir = ${confdir}/certs
                  # the radius server's own key and certificate, presented to the supplicants
                  private_key_file = ${certdir}/<radius-server.key>
                  certificate_file = ${certdir}/<radius-server.crt>
                  CA_file = ${certdir}/CA_certif.crt
                  cipher_list = "DEFAULT"
                  dh_file = ${certdir}/dh
                  random_file = ${certdir}/random
                  fragment_size = 1024
                  include_length = yes
          }
          ttls {
                  default_eap_type = md5
                  copy_request_to_tunnel = yes
                  use_tunneled_reply = yes
          }
  }

2010/3/22 Natr Brazell <natrbrazell at gmail.com>

> I am trying to configure my freeradius box to use TLS to my RHDS server. I
> find many references to what to do with OpenLDAP, however nothing good with
> RHDS or FDS. Do I need a certificate for every user authenticating against
> my LDAP server through Radius or just a certificate from my Radius server to
> my LDAP server? Any pointers would be most helpful.
>
> Thanks,
> Nate
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
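The settings that matter in the modules/ldap block above are the ones in its tls sub-section: start_tls (or tls_mode for LDAPS), cacertfile and require_cert together decide whether the radius bind password and the users' PAP passwords are protected on the way to the directory and whether the directory's certificate is actually verified. The following is an added example, not code from the original post or from the FreeRADIUS project: a small Python checker that parses a FreeRADIUS 2.x style ldap block and reports the weak combinations. Both sample blocks it contains are constructed for illustration; the hostname, bind password and file paths in them are placeholders.

```python
"""Check a FreeRADIUS 2.x ``ldap`` module block for settings that weaken the
RADIUS-to-directory link.

Added example, not code from the original post or from FreeRADIUS. The
parser understands the ``key = value`` and nested ``name { ... }`` syntax of
the modules/ldap block quoted in the reply; both sample blocks below are
constructed for illustration (hostnames, passwords and paths are placeholders).
"""
import re
from typing import Any, Dict, List

# "name {" or "module instance {" opens a nested section
OPEN_RE = re.compile(r'^\s*([\w-]+)(?:\s+[\w-]+)?\s*\{\s*$')
# "key = value" (value may be quoted, a ${var} reference or a bare word)
KEY_RE = re.compile(r'^\s*([\w-]+)\s*=\s*(.*?)\s*$')


def parse_block(text: str) -> Dict[str, Any]:
    """Parse FreeRADIUS-style config text into nested dicts.

    Whole-line '#' comments are skipped; the instance name of a module
    section (``ldap Ldap-First``) is dropped, so the section is keyed by
    the module name.
    """
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = OPEN_RE.match(line)
        if m:
            child: Dict[str, Any] = {}
            stack[-1][m.group(1)] = child
            stack.append(child)
        elif line == '}':
            stack.pop()
        else:
            m = KEY_RE.match(line)
            if m:
                stack[-1][m.group(1)] = m.group(2).strip('"')
    return root


def audit_ldap(cfg: Dict[str, Any]) -> List[str]:
    """Return a list of findings for the ``ldap`` section; [] means clean."""
    ldap = cfg.get('ldap', {})
    tls = ldap.get('tls', {})
    findings: List[str] = []

    # Either StartTLS on 389 (start_tls = yes) or LDAPS (tls_mode = yes)
    # protects the bind password and the users' PAP passwords in transit.
    ldaps = tls.get('tls_mode') == 'yes' or ldap.get('port') == '636'
    if tls.get('start_tls') != 'yes' and not ldaps:
        findings.append('no TLS: bind credentials and user passwords cross '
                        'the network in clear text (set start_tls = yes)')
    # Without a CA the directory's certificate cannot be validated at all.
    if not tls.get('cacertfile') and not tls.get('cacertdir'):
        findings.append('no cacertfile/cacertdir: directory certificate '
                        'cannot be verified')
    # Anything weaker than "demand" lets an unverifiable certificate through.
    if tls.get('require_cert') != 'demand':
        findings.append('require_cert is not "demand": a failed certificate '
                        'check would not abort the connection')
    return findings


def audit_text(text: str) -> List[str]:
    """Parse and audit in one step."""
    return audit_ldap(parse_block(text))


# Constructed weak configuration: plain LDAP, no CA, lenient certificate check.
WEAK = """
ldap {
    server = ldap.example.com
    port = 389
    identity = "uid=radius,dc=example,dc=com"
    password = placeholder
    basedn = "ou=users,dc=example,dc=com"
    tls {
        start_tls = no
        require_cert = never
    }
}
"""

# Constructed hardened configuration, following the shape of the posted block.
HARDENED = """
ldap Ldap-First {
    server = ldap.example.com
    port = 389
    #ldap_debug = 0xffff
    identity = "uid=radius,dc=example,dc=com"
    password = placeholder
    basedn = "ou=users,dc=example,dc=com"
    filter = "(&(uid=%{User-Name})(objectClass=inetOrgPerson))"
    tls {
        start_tls = yes
        tls_mode = no
        cacertfile = /usr/local/etc/freeradius/certs/CA_certif.crt
        require_cert = demand
    }
    dictionary_mapping = ${raddbdir}/ldap.attrmap
}
"""

if __name__ == '__main__':
    for name, text in (('weak', WEAK), ('hardened', HARDENED)):
        print(name, audit_text(text) or ['ok'])
```

Run it against your own modules/ldap file by passing the file contents to audit_text(); a clean result only says the transport settings are sane, it does not replace checking that CA_certif.crt really is the CA that signed the directory's certificate.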