On 04/09/2013 03:44 AM, pramod kulkarni wrote:
Hi,
I am working on RADIUS with LDAP as backend for authenticating users.
I configured rlm_ldap on RADIUS server with username and plaintext
password and I am able to authenticate RADIUS client using LDAP.

There is a difference between using LDAP as a backend datastore (look up passwords and password hashes after binding as a service) and using LDAP as an authentication oracle (binding as the user to determine if the user is authenticated depending on the bind result). From the above it sounds like you've configured LDAP as a backend datastore.

But I want to configure RADIUS server with certificates instead of using
usernames and passwords.
Please guide me how to achieve this. Is there any help/doc on how to
configure LDAP SASL bind for the RADIUS server?
Waiting for your inputs.
Thanks and Regards,

You can't with the current rlm_ldap module bind to the LDAP server with anything other than a (username, password) pair, either for lookups or for authentication testing (only ldap_connect and ldap_simple_bind are supported).

However, rlm_ldap does support SSL/TLS connections to the LDAP server and you can specify that you want the LDAP server to request a client cert when establishing the connection. But ultimately you're still doing a simple bind, albeit in a secure tunnel. If you specify you want the LDAP server to require a client cert then you effectively have two simultaneous authentication mechanisms in play (TLS for the tunnel and simple auth inside the tunnel). Setting up TLS auth is straightforward (see the options in raddb/modules/ldap) *except* for the fact that the ldap library routines to set the require cert option are buggy (rlm_ldap uses the wrong entry point, which may not be supported, and the openldap library also has bugs; I think we've now got all these fixed and patches sent upstream to openldap, but you should be aware there is a reasonable chance it won't work on your distribution unless you've got patched libraries).

Even if SASL binds were supported you wouldn't want to use SASL binds for user authentication (if that was what you were asking, it's not clear from your original post). For user authentication based on certificates you would use EAP-TLS.

A long time ago I had a patch for using SASL binds, but it was against the old 1.1.7 version of rlm_ldap and it only supported GSSAPI.

HTH,

John


--
John Dennis <jden...@redhat.com>

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
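To make the two points in John's reply concrete (LDAP as a datastore versus LDAP as an authentication oracle, and TLS to the LDAP server carrying a plain simple bind inside the tunnel), here is an added configuration sketch. It is not from the original post, from John, or from the FreeRADIUS project; it follows the FreeRADIUS 2.x raddb/modules/ldap and sites-enabled/default layout John refers to, and every hostname, DN, path and secret in it is an assumed placeholder. Check the option names against the ldap module file shipped with your own version before using it.

```text
# raddb/modules/ldap  (FreeRADIUS 2.x layout; all values below are assumptions)
ldap {
        server = "ldap.example.com"
        port = 636                      # assumption: LDAPS; with start_tls = yes use 389

        # Service-account bind used for *lookups* (backend datastore mode).
        # This is still a (username, password) simple bind, as John notes.
        identity = "cn=radius,ou=services,dc=example,dc=com"
        password = "service-account-secret"

        basedn = "ou=people,dc=example,dc=com"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

        # Datastore mode: fetch the stored password/hash so PAP can compare it.
        password_attribute = userPassword

        tls {
                start_tls = no          # yes = STARTTLS on 389 instead of LDAPS on 636
                cacertfile = /etc/raddb/certs/ldap-ca.pem
                # The RADIUS server's *client* certificate: only sent if the LDAP
                # server asks for it (OpenLDAP: TLSVerifyClient in slapd.conf).
                certfile = /etc/raddb/certs/radius-client.pem
                keyfile = /etc/raddb/certs/radius-client.key
                # Verify the LDAP *server's* certificate. This is the option John
                # warns is buggy in unpatched ldap libraries; test it on your distro.
                require_cert = "demand"
        }
}

# raddb/sites-enabled/default (relevant sections only)
authorize {
        # Datastore mode: ldap binds as the service account, finds the user and
        # pulls userPassword into the request; pap then does the comparison.
        # If no password attribute comes back, the 2.x module instead sets
        # Auth-Type = LDAP, which switches this request to oracle mode.
        ldap
        pap
}

authenticate {
        pap

        # Oracle mode: bind to the LDAP server *as the user* with the
        # User-Password they supplied; bind success == authenticated.
        Auth-Type LDAP {
                ldap
        }
}
```

Note what this does and does not give you: the client certificate in the tls block only authenticates the RADIUS server to the LDAP server for the tunnel; the end user is still authenticated by a password (either compared by pap or tested by a bind as that user). Certificate-based authentication of the *user* is a separate mechanism, EAP-TLS, configured under raddb/eap.conf, not in the ldap module.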
