Re: [389-users] RHDS and Radius Certificate

2010/3/23 Natr Brazell <natrbrazell@xxxxxxxxx>
I think I would understand it more if I understood the following sections:

                cacertfile = /usr/local/etc/freeradius/certs/CA_certif.crt

(If I am doing testing, how do I make this file?)

It's the public certificate of the CA that has signed (in our case) both the 389 and freeradius certificates.

 
Do I really need this section? I don't have, nor will I have, any Wi-Fi, and all users connecting in my case are on the same VLAN.

        access_attr_used_for_allow = yes
        access_attr = "X-Vlan-WiFi"
        dictionary_mapping = ${raddbdir}/ldap.attrmap

No, as I told you, this section is only necessary if you want to pass some parameters from LDAP to radius. In your case you don't need this.

 
Again, as in the first note above.

                private_key_file = ${certdir}/<radius-server.key>
                certificate_file = ${certdir}/<radius-server.crt>
                CA_file = ${certdir}/CA_certif.crt

Doing an initial test without the need of an official CA. What's the difference between the above 3 files and how do I generate them? If I sound like a dunce, I am in this respect. PKI is fairly new for me to configure. I understand it in theory, but getting all the pieces to fit is confusing.

These are the private key and certificate of the freeradius server, signed by a CA. In our case it's the same CA as in cacertfile. In order to generate them we use openssl; you can try TinyCA or some other web/GUI manager of PKI. It's more of a certificates/PKI question than an LDAP one...
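The three files discussed above (the CA certificate, the radius server's private key and its CA-signed certificate) can all be produced with openssl for a lab test. The script below is an added example for this thread, not something either poster sent: it creates a throwaway test CA, signs a certificate for the radius server and one for the LDAP server with it, and then runs the same chain check that freeradius performs when it opens the TLS session with `require_cert = demand`. The file names follow the thread; the working directory, the hostnames `radius.example.com` / `ldap.example.com` and the one-year validity are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway test CA and use it to sign
# the freeradius server certificate and the LDAP server certificate, so that
# cacertfile / CA_file, private_key_file and certificate_file fit together.
# File names follow the thread; directory layout, hostnames and validity
# periods are assumptions for a lab setup.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CERTDIR="$WORKDIR/certs"

# 1. The CA: a private key plus a self-signed certificate. The certificate is
#    what goes into cacertfile (modules/ldap) and CA_file (eap.conf). The key
#    never needs to be on either server; it is only used to sign requests.
make_test_ca() {
    mkdir -p "$CERTDIR"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$CERTDIR/CA_certif.key" -out "$CERTDIR/CA_certif.crt" \
        -subj "/CN=Test Lab CA" >/dev/null 2>&1
    chmod 600 "$CERTDIR/CA_certif.key"
}

# 2. A server key pair signed by that CA: $1 is the file base name,
#    $2 the host name peers connect to (placed in CN and subjectAltName).
make_server_cert() {
    name="$1"; host="$2"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$CERTDIR/$name.key" -out "$CERTDIR/$name.csr" \
        -subj "/CN=$host" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\n' "$host" > "$CERTDIR/$name.ext"
    openssl x509 -req -in "$CERTDIR/$name.csr" \
        -CA "$CERTDIR/CA_certif.crt" -CAkey "$CERTDIR/CA_certif.key" -CAcreateserial \
        -extfile "$CERTDIR/$name.ext" -days 365 \
        -out "$CERTDIR/$name.crt" >/dev/null 2>&1
    chmod 600 "$CERTDIR/$name.key"
}

# A certificate that does NOT chain to the test CA, to show what
# require_cert = demand rejects.
make_self_signed_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$CERTDIR/$1.key" -out "$CERTDIR/$1.crt" -subj "/CN=$2" >/dev/null 2>&1
}

# 3. The trust check: does the peer certificate chain to CA_certif.crt?
#    Prints OK or FAIL.
verify_against_ca() {
    if openssl verify -CAfile "$CERTDIR/CA_certif.crt" "$CERTDIR/$1.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

make_test_ca
make_server_cert radius-server radius.example.com   # -> private_key_file / certificate_file
make_server_cert ldap-server ldap.example.com       # -> to be installed on the 389 server
make_self_signed_cert rogue rogue.example.com
echo "radius-server: $(verify_against_ca radius-server)"
echo "ldap-server:   $(verify_against_ca ldap-server)"
echo "rogue:         $(verify_against_ca rogue)"
```

The radius-server files go where `${certdir}` points in eap.conf, and `CA_certif.crt` is copied to the path used by `cacertfile`; the ldap-server key and certificate have to be imported into the 389 server's own certificate database. The script does not create the `dh_file` and `random_file` referenced in eap.conf (`openssl dhparam -out dh 2048` and a few blocks from /dev/urandom cover those). With a recent openssl, `openssl s_client -connect <ldap host>:389 -starttls ldap -CAfile CA_certif.crt` exercises the same StartTLS handshake and trust check the ldap module makes with `start_tls = yes`, which is a quick way to tell a certificate problem from an LDAP one.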


 
 
Thanks for the useful responses.
N
2010/3/23 Andrey Ivanov <andrey.ivanov@xxxxxxxxxxxxxxxx>

Hi,

Exactly the same freeradius configuration applies to RHDS and OpenLDAP. Depending on how you want to authenticate users you may use either login/password or user certificate; both types of authentication are configurable on freeradius and on RHDS. We use freeradius with 3 master 389 servers and login/password (EAP-TTLS with PAP) and it works without any problem. Here is an example of the modules/ldap freeradius config file for our case:

ldap Ldap-First {
        server = <ldap server fqdn>
        port = 389
        net_timeout = 2
        timeout = 10
        timelimit = 10
        #ldap_debug = 0xffff
        identity = "uid=radius,dc=example,dc=com"
        password = <password>
        ldap_connections_number = 5
        basedn = "ou=users,dc=example,dc=com"
        filter = "(&(uid=%{User-Name})(objectClass=inetOrgPerson))"
        base_filter = "(objectclass=inetOrgPerson)"

        tls {
                start_tls = yes
                tls_mode = no
                cacertfile =  /usr/local/etc/freeradius/certs/CA_certif.crt
                require_cert = demand
        }

        access_attr_used_for_allow = yes
        access_attr = "X-Vlan-WiFi"
        dictionary_mapping = ${raddbdir}/ldap.attrmap

        set_auth_type = yes
}


Here X-Vlan-WiFi is the attribute that we use to determine the VLAN where the user should be after connection. CA_certif.crt is the certificate of the certification authority that signed ldap's certificate (used while establishing the TLS session between radius and the ldap server) and radius' certificate.

The file eap.conf:
eap {
        default_eap_type = ttls
        timer_expire     = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 2048

        tls {
                certdir = ${confdir}/certs

                private_key_file = ${certdir}/<radius-server.key>
                certificate_file = ${certdir}/<radius-server.crt>
                CA_file = ${certdir}/CA_certif.crt
                cipher_list = "DEFAULT"

                dh_file = ${certdir}/dh
                random_file = ${certdir}/random

                fragment_size = 1024
                include_length = yes

        }

        ttls {
                default_eap_type = md5
                copy_request_to_tunnel = yes
                use_tunneled_reply = yes
        }
}

2010/3/22 Natr Brazell <natrbrazell@xxxxxxxxx>
I am trying to configure my freeradius box to use TLS to my RHDS server. I find many references to what to do with OpenLDAP, but nothing good with RHDS or FDS. Do I need a certificate for every user authenticating against my LDAP server through Radius, or just a certificate from my Radius server to my LDAP server? Any pointers would be most helpful.
 
Thanks,
Nate

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
