Re: [389-users] RHDS and Radius Certificate

Hi,

Exactly the same freeradius configuration applies to RHDS and OpenLDAP. Depending on how you want to authenticate users you may use either login/password or a user certificate; both types of authentication are configurable in freeradius and in RHDS. We use freeradius with 3 master 389 servers and login/password (EAP-TTLS with PAP) and it works without any problem. Here is an example of the modules/ldap freeradius config file for our case:

ldap Ldap-First {
        server = <ldap server fqdn>
        # Plain LDAP port; the session is upgraded with STARTTLS in the tls block below.
        port = 389
        net_timeout = 2
        timeout = 10
        timelimit = 10
        #ldap_debug = 0xffff
        # Service account used for the simple bind and for the user lookups.
        identity = "uid=radius,dc=example,dc=com"
        password = <password>
        ldap_connections_number = 5
        basedn = "ou=users,dc=example,dc=com"
        filter = "(&(uid=%{User-Name})(objectClass=inetOrgPerson))"
        base_filter = "(objectclass=inetOrgPerson)"

        tls {
                # STARTTLS on port 389 (tls_mode = yes would mean LDAPS on 636 instead).
                start_tls = yes
                tls_mode = no
                # CA that issued the directory server's certificate.
                cacertfile = /usr/local/etc/freeradius/certs/CA_certif.crt
                # Refuse the connection if the server certificate does not verify.
                require_cert = demand
        }

        # Only users carrying the X-Vlan-WiFi attribute are allowed in.
        access_attr_used_for_allow = yes
        access_attr = "X-Vlan-WiFi"
        dictionary_mapping = ${raddbdir}/ldap.attrmap

        # Fall back to Auth-Type LDAP (bind as the user) when nothing else set one.
        set_auth_type = yes
}


Here X-Vlan-WiFi is the attribute that we use to determine the VLAN where the user should be placed after connection. CA_certif.crt is the certificate of the certification authority that signed the ldap server's certificate (used when establishing the TLS session between radius and the ldap server) and the radius server's certificate.

The file eap.conf:
eap {
        # Outer method offered to supplicants: EAP-TTLS (PAP is carried inside the tunnel).
        default_eap_type = ttls
        timer_expire     = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 2048

        tls {
                certdir = ${confdir}/certs

                # Server key pair presented to the supplicant during the TTLS handshake.
                private_key_file = ${certdir}/<radius-server.key>
                certificate_file = ${certdir}/<radius-server.crt>
                # CA that issued the server certificate (the same CA as for the ldap server here).
                CA_file = ${certdir}/CA_certif.crt
                cipher_list = "DEFAULT"

                dh_file = ${certdir}/dh
                random_file = ${certdir}/random

                fragment_size = 1024
                include_length = yes

        }

        ttls {
                # Inner EAP type, only used if the client tunnels EAP rather than PAP.
                default_eap_type = md5
                copy_request_to_tunnel = yes
                use_tunneled_reply = yes
        }
}

2010/3/22 Natr Brazell <natrbrazell@xxxxxxxxx>
I am trying to configure my freeradius box to use TLS to my RHDS server.  I find many references to what to do with OpenLDAP however nothing good with RHDS or FDS.  Do I need a certificate for every user authenticating against my LDAP server through Radius or just a certificate from my Radius server to my LDAP server?  Any pointers would be most helpful.
 
Thanks,
Nate

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
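As an added check (example code written for this page, not from the posting or from the FreeRADIUS project): a small Python audit that parses radiusd.conf-style `ldap` module blocks like the one above and flags the settings that decide whether the `uid=radius` bind password is protected on the wire: no TLS at all, `require_cert` other than `demand`, a missing CA file, or a password left as a placeholder. The sample configurations in the block are constructed here; the hardened one mirrors the settings in the posting.

```python
"""Audit the TLS/bind settings of FreeRADIUS 2.x-style ``ldap`` module blocks.

Added example, not code from the posting or from FreeRADIUS. The parser covers
the brace-delimited ``key = value`` syntax used in the posting; sample
configurations below are constructed for this example.
"""
from typing import Any, Dict, List

Section = Dict[str, Any]


def parse_radiusd_conf(text: str) -> Section:
    """Parse radiusd.conf syntax into nested dicts.

    ``ldap Ldap-First {`` becomes the key ``"ldap Ldap-First"``; values keep
    their text with surrounding double quotes removed; ``#`` comments are
    skipped (a ``#`` inside a quoted value is not supported).
    """
    root: Section = {}
    stack: List[Section] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        line = line.split(" #", 1)[0].strip()
        if line.endswith("{"):
            child: Section = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        else:
            key, sep, value = line.partition("=")
            if not sep:
                raise ValueError(f"cannot parse: {raw!r}")
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            stack[-1][key.strip()] = value
    if len(stack) != 1:
        raise ValueError("unclosed section")
    return root


def audit_ldap_module(module: Section) -> List[str]:
    """Return findings for one ``ldap`` module instance.

    identity/password is a simple bind: without TLS the password crosses the
    network in clear; with TLS but without ``require_cert = demand`` and a CA
    file, anyone answering for the server's address can present any
    certificate and capture the same bind.
    """
    findings: List[str] = []
    tls = module.get("tls", {})
    start_tls = tls.get("start_tls", "no").lower() == "yes"
    ldaps = tls.get("tls_mode", "no").lower() == "yes"
    if start_tls and ldaps:
        findings.append("start_tls and tls_mode both enabled: use STARTTLS on 389 or LDAPS on 636, not both")
    if not (start_tls or ldaps):
        findings.append(f"no TLS: simple bind as {module.get('identity', '(anonymous)')} "
                        f"sends the password in clear on port {module.get('port', '389')}")
    else:
        require = tls.get("require_cert", "").lower()
        if require != "demand":
            findings.append(f"require_cert is {require or 'unset'}, not demand: server certificate not enforced")
        if not (tls.get("cacertfile") or tls.get("cacertdir")):
            findings.append("no cacertfile/cacertdir: nothing to verify the server certificate against")
    password = module.get("password", "")
    if not password or password.startswith("<"):
        findings.append("bind password is empty or still a placeholder")
    return findings


def audit_config(text: str) -> Dict[str, List[str]]:
    """Audit every ``ldap`` module instance found at the top level of ``text``."""
    conf = parse_radiusd_conf(text)
    return {name: audit_ldap_module(sec) for name, sec in conf.items()
            if name == "ldap" or name.startswith("ldap ")}


# Constructed sample: bind credentials sent in clear, certificate never checked.
WEAK_CONF = """
ldap {
        server = ldap.example.com
        port = 389
        identity = "uid=radius,dc=example,dc=com"
        password = "s3cret"
        basedn = "ou=users,dc=example,dc=com"
        tls {
                start_tls = no
                require_cert = allow
        }
}
"""

# Constructed sample modelled on the posting: STARTTLS, pinned CA, verification enforced.
HARDENED_CONF = """
ldap Ldap-First {
        server = ldap.example.com
        port = 389
        identity = "uid=radius,dc=example,dc=com"
        password = "s3cret"
        basedn = "ou=users,dc=example,dc=com"
        filter = "(&(uid=%{User-Name})(objectClass=inetOrgPerson))"
        tls {
                start_tls = yes
                tls_mode = no
                cacertfile = /usr/local/etc/freeradius/certs/CA_certif.crt
                require_cert = demand
        }
        set_auth_type = yes
}
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for name, findings in audit_config(conf).items():
            print(f"[{label}] {name}: {findings or 'OK'}")
```

Run it against a real `modules/ldap` file by reading the file into `audit_config`; the parser only handles the `key = value` and `section {` forms, so `$INCLUDE` lines or unlang blocks in other files are out of scope.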

