2010/3/23 Natr Brazell <natrbrazell@xxxxxxxxx>
I think I would understand it more if I understood the following sections:cacertfile = /usr/local/etc/freeradius/certs/CA_certif.crt (If I am doing testing how to I make this file)
It's the public certificate of the CA that has signed (in our case) both 389 and freeradius certificates.
Do I really need this section. I don't have, nor will I have any Wi-Fi and all users connecting in my case are on the same VLAN.access_attr_used_for_allow = yes
access_attr = "X-Vlan-WiFi"
dictionary_mapping = ${raddbdir}/ldap.attrmap
No, as i told you this section is only necessary if you want to pass some parameters from LDAP to radius. In your case you don't need this.
Again as in the first note above.private_key_file = ${certdir}/<radius-server.key>
certificate_file = ${certdir}/<<radius-server.crt>
CA_file = ${certdir}/CA_certif.crtDoing an initial test without the need of an official CA. What's the difference in the above 3 files and how to I generate them. If I sound like a dunce, I am in this respect. PKI is fairly new for me to configure. I understand it in theory but getting all the pieces to fit is confusing.
These are private key and certificate of the freeradius server signed by a CA . In our case it's the same CA as in cacertfile. In order to generate them we use openssl, you can try tinyCA or some other web/gui manager of PKI. It's more of certificates/PKI question than LDAP one...
Thanks for the useful responses.N2010/3/23 Andrey Ivanov <andrey.ivanov@xxxxxxxxxxxxxxxx>
Hi,
exactly the same freeradius configuration applies to RHDS and OpenLdap. Depending on how you want to authenticate users you may use either login/password or user certificate, both types of authentification are configurable on freeradius and on RHDS. We use freeradius with 3 master 389 servers and login/password (EAP-TTLS with PAP) and it works without any problem. Here is an example of modules/ldap freradius config file for our case :
ldap Ldap-First {
server = <ldap server fqdn>
port = 389
net_timeout = 2
timeout = 10
timelimit = 10
#ldap_debug = 0xffff
identity = "uid=radius,dc=example,dc=com"
password = <password>
ldap_connections_number = 5
basedn = "ou=users,dc=example,dc=com"
filter = "(&(uid=%{User-Name})(objectClass=inetOrgPerson))"
base_filter = "(objectclass=inetOrgPerson)"
tls {
start_tls = yes
tls_mode = no
cacertfile = /usr/local/etc/freeradius/certs/CA_certif.crt
require_cert = demand
}
access_attr_used_for_allow = yes
access_attr = "X-Vlan-WiFi"
dictionary_mapping = ${raddbdir}/ldap.attrmap
set_auth_type = yes
}
Here X-Vlan-WiFi is the attribute that we use to determine the VLAN where the user should be after connection. CA_certif.crt is the certif of the certification authority that signed ldap's certificate (used during establishing the TLS session between radius and ldap server) and radius' certificate.
The file eap.conf :
eap {
default_eap_type = ttls
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
tls {
certdir = ${confdir}/certs
private_key_file = ${certdir}/<radius-server.key>
certificate_file = ${certdir}/<<radius-server.crt>
CA_file = ${certdir}/CA_certif.crt
cipher_list = "DEFAULT"
dh_file = ${certdir}/dh
random_file = ${certdir}/random
fragment_size = 1024
include_length = yes
}
ttls {
default_eap_type = md5
copy_request_to_tunnel = yes
use_tunneled_reply = yes
}
}
2010/3/22 Natr Brazell <natrbrazell@xxxxxxxxx>
--I am trying to configure my freeradius box to use TLS to my RHDS server. I find many references to what to do with OpenLDAP however nothing good with RHDS or FDS. Do I need a certificate for every user authenticating against my LDAP server through Radius or just a certificate from my Radius server to my LDAP server? Any pointers would be most helpful.Thanks,Nate
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
-- 389 users mailing list 389-users@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/389-users
