Thanks, I'll keep working it.
N

2010/3/24 Andrey Ivanov <andrey.ivanov at polytechnique.fr>

> 2010/3/23 Natr Brazell <natrbrazell at gmail.com>
>
>> I think I would understand it more if I understood the following
>> sections:
>>
>>     cacertfile = /usr/local/etc/freeradius/certs/CA_certif.crt
>>
>> (If I am doing testing, how do I make this file?)
>
> It's the public certificate of the CA that has signed (in our case) both
> the 389 and freeradius certificates.
>
>> Do I really need this section? I don't have, nor will I have, any Wi-Fi,
>> and all users connecting in my case are on the same VLAN.
>>
>>     access_attr_used_for_allow = yes
>>     access_attr = "X-Vlan-WiFi"
>>     dictionary_mapping = ${raddbdir}/ldap.attrmap
>
> No, as I told you this section is only necessary if you want to pass some
> parameters from LDAP to radius. In your case you don't need this.
>
>> Again, as in the first note above:
>>
>>     private_key_file = ${certdir}/<radius-server.key>
>>     certificate_file = ${certdir}/<radius-server.crt>
>>     CA_file = ${certdir}/CA_certif.crt
>>
>> Doing an initial test without the need of an official CA. What's the
>> difference between the above 3 files and how do I generate them? If I
>> sound like a dunce, I am in this respect. PKI is fairly new for me to
>> configure. I understand it in theory but getting all the pieces to fit
>> is confusing.
>
> These are the private key and certificate of the freeradius server, signed
> by a CA. In our case it's the same CA as in cacertfile. In order to
> generate them we use openssl; you can try tinyCA or some other web/GUI
> manager of PKI. It's more of a certificates/PKI question than an LDAP
> one...
>
>> Thanks for the useful responses.
>> N
>>
>> 2010/3/23 Andrey Ivanov <andrey.ivanov at polytechnique.fr>
>>
>>> Hi,
>>>
>>> Exactly the same freeradius configuration applies to RHDS and OpenLDAP.
>>> Depending on how you want to authenticate users you may use either
>>> login/password or user certificate; both types of authentication are
>>> configurable on freeradius and on RHDS. We use freeradius with 3 master
>>> 389 servers and login/password (EAP-TTLS with PAP) and it works without
>>> any problem. Here is an example of the modules/ldap freeradius config
>>> file for our case:
>>>
>>>     ldap Ldap-First {
>>>         server = <ldap server fqdn>
>>>         port = 389
>>>         net_timeout = 2
>>>         timeout = 10
>>>         timelimit = 10
>>>         #ldap_debug = 0xffff
>>>         identity = "uid=radius,dc=example,dc=com"
>>>         password = <password>
>>>         ldap_connections_number = 5
>>>         basedn = "ou=users,dc=example,dc=com"
>>>         filter = "(&(uid=%{User-Name})(objectClass=inetOrgPerson))"
>>>         base_filter = "(objectclass=inetOrgPerson)"
>>>
>>>         tls {
>>>             start_tls = yes
>>>             tls_mode = no
>>>             cacertfile = /usr/local/etc/freeradius/certs/CA_certif.crt
>>>             require_cert = demand
>>>         }
>>>
>>>         access_attr_used_for_allow = yes
>>>         access_attr = "X-Vlan-WiFi"
>>>         dictionary_mapping = ${raddbdir}/ldap.attrmap
>>>
>>>         set_auth_type = yes
>>>     }
>>>
>>> Here X-Vlan-WiFi is the attribute that we use to determine the VLAN
>>> where the user should be after connection. CA_certif.crt is the
>>> certificate of the certification authority that signed the LDAP
>>> server's certificate (used while establishing the TLS session between
>>> radius and the ldap server) and radius' certificate.
>>>
>>> The file eap.conf:
>>>
>>>     eap {
>>>         default_eap_type = ttls
>>>         timer_expire = 60
>>>         ignore_unknown_eap_types = no
>>>         cisco_accounting_username_bug = no
>>>         max_sessions = 2048
>>>
>>>         tls {
>>>             certdir = ${confdir}/certs
>>>
>>>             private_key_file = ${certdir}/<radius-server.key>
>>>             certificate_file = ${certdir}/<radius-server.crt>
>>>             CA_file = ${certdir}/CA_certif.crt
>>>             cipher_list = "DEFAULT"
>>>
>>>             dh_file = ${certdir}/dh
>>>             random_file = ${certdir}/random
>>>
>>>             fragment_size = 1024
>>>             include_length = yes
>>>         }
>>>
>>>         ttls {
>>>             default_eap_type = md5
>>>             copy_request_to_tunnel = yes
>>>             use_tunneled_reply = yes
>>>         }
>>>     }
>>>
>>> 2010/3/22 Natr Brazell <natrbrazell at gmail.com>
>>>
>>>> I am trying to configure my freeradius box to use TLS to my RHDS
>>>> server. I find many references to what to do with OpenLDAP, however
>>>> nothing good with RHDS or FDS. Do I need a certificate for every user
>>>> authenticating against my LDAP server through Radius, or just a
>>>> certificate from my Radius server to my LDAP server? Any pointers
>>>> would be most helpful.
>>>>
>>>> Thanks,
>>>> Nate
>>>>
>>>> --
>>>> 389 users mailing list
>>>> 389-users at lists.fedoraproject.org
>>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
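Andrey points at openssl for producing the three files the eap.conf tls stanza needs (CA_certif.crt for cacertfile/CA_file, radius-server.key for private_key_file, radius-server.crt for certificate_file). The script below is an added example, not from the thread or the freeradius project: it builds a throwaway test CA, issues a server certificate signed by it, and checks the chain the way freeradius and the LDAP client will. File names follow the thread; subject names, validity and key size are assumptions for a lab setup.

```shell
#!/bin/sh
# Added example: private test CA + freeradius server cert signed by it.
set -eu

make_test_pki() {
    dir="$1"          # output dir, e.g. ${confdir}/certs from eap.conf
    server_fqdn="$2"  # CN/SAN the supplicants will see (assumed value)
    mkdir -p "$dir"

    # 1. The CA. Its private key stays offline; its public certificate is
    #    CA_certif.crt, used as cacertfile (ldap tls) and CA_file (eap tls).
    openssl genrsa -out "$dir/CA.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/CA.key" -sha256 -days 3650 \
        -subj "/CN=Test RADIUS CA" -out "$dir/CA_certif.crt" 2>/dev/null

    # 2. The server key (private_key_file) and a signing request for it.
    openssl genrsa -out "$dir/radius-server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/radius-server.key" -sha256 \
        -subj "/CN=$server_fqdn" -out "$dir/radius-server.csr" 2>/dev/null

    # 3. The CA signs the request: radius-server.crt is certificate_file.
    #    serverAuth EKU and a SAN are what EAP supplicants check on a server cert.
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$server_fqdn" > "$dir/server.ext"
    openssl x509 -req -in "$dir/radius-server.csr" -CA "$dir/CA_certif.crt" \
        -CAkey "$dir/CA.key" -CAcreateserial -sha256 -days 825 \
        -extfile "$dir/server.ext" -out "$dir/radius-server.crt" 2>/dev/null
    chmod 600 "$dir/CA.key" "$dir/radius-server.key"
}

# What freeradius checks at startup: certificate_file chains to CA_file,
# and private_key_file really is the key for that certificate.
verify_server_cert() {
    dir="$1"
    openssl verify -CAfile "$dir/CA_certif.crt" "$dir/radius-server.crt" >/dev/null &&
    [ "$(openssl x509 -noout -pubkey -in "$dir/radius-server.crt")" = \
      "$(openssl pkey -pubout -in "$dir/radius-server.key")" ]
}

# What a TLS client with this CA_certif.crt does: a server certificate issued
# by some other CA must be rejected. Returns 0 when the rejection happens.
rejects_foreign_ca() {
    openssl verify -CAfile "$1/CA_certif.crt" "$2/radius-server.crt" >/dev/null 2>&1 && return 1
    return 0
}
```

Point `certdir` at the output directory and drop the angle brackets from the file names in eap.conf; the dh and random files referenced there are generated separately.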