(RADIATOR) SSLCAClientKey
Mike McCauley
mikem at open.com.au
Mon Apr 11 17:06:17 CDT 2005
Hello Ryan,
On Monday 11 April 2005 22:39, Ryan Moore wrote:
> Thanks to a lot of informative posts on this list, I'm close to a
> LEAP/Cisco WAP/OpenLDAP setup. One last thing (I hope)...I'm having some
> problems with the Radiator doc. Specifically the LDAP AuthBy SSL section.
>
> -------> # Name of the client certificate file:
> -------> SSLCAClientCert /path/to/client/certificate.pem
>
> Okay, so this isn't really the "client cert" right? This is the server
> cert copied locally to the Radiator server and is the cert for the LDAP
> server's public key. I think.
No, it is the client certificate that will be used to authenticate Radiator to
the LDAP server (if your LDAP server requires that). Radiator acts as an LDAP
client, and the certificate is intended to prove its rights to connect to the
LDAP server. The LDAP server will validate the client certificate that
Radiator sends to it (if so configured).
>
> -------> # Name of the file containing the client private key
> -------> SSLCAClientKey /path/to/client/keyfile.pem
>
> Uh.....what's this for? Shouldn't Radiator just need the LDAP CA
> certificate and the server cert? Surely this can't refer to the LDAP
> server's private key. I can do LDAPsearch now using TLS just fine, and
> all it needs is the CA cert.
This is the file that contains the private key that matches the client
certificate. It may or may not be a different file to the one containing the
client certificate.
>
> -------> # only need to set one of the following
> -------> #SSLCAPath /path/to/CA/cert/dir
> -------> SSLCAFile /path/to/file/containing/certificate/of/CA.pem
>
> Why are there two different parameters here? Can the SSLCAPath refer to
> a http folder on the CA server? This isn't really important to me, I've
> already copied the CA cert locally and can point to it.
These parameters allow you to specify the location of the root certificate
that will be used by Radiator to verify the LDAP server's server certificate.
You may only need to connect to a single LDAP server, in which case you would
only need a single root certificate (the root certificate of the CA that
issued the LDAP server's server certificate), and you would specify that with
SSLCAFile.
On the other hand you may connect to multiple LDAP servers and require
multiple root certificates. In that case you would use SSLCAPath to name the
path to a directory that contains all the root certificates. The root
certificate files need to comply with a special naming convention for this to
work.
Lots of words there, trying to be as explanatory as I can. Hope it helps.
Cheers.
>
> I feel like there is something really obvious I'm missing here. So I'll
> welcome any flaming.
>
> - Ryan
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.
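An added worked example (not from the Radiator documentation or from Mike's post) that exercises the three settings discussed above with the OpenSSL CLI: it builds a throwaway CA, a server certificate and a client certificate, lays out an SSLCAPath-style directory, verifies the server certificate both ways, and checks that the SSLCAClientKey file really belongs to the SSLCAClientCert file. It assumes OpenSSL is installed and that the "special naming convention" Mike mentions is OpenSSL's hashed-filename lookup (`<subject_hash>.<n>`), which is what the underlying SSL library uses; the certificate names are constructed test values.

```shell
#!/bin/sh
# Added example, not Radiator's own code. Assumes the openssl CLI and that
# SSLCAPath uses OpenSSL's hashed-filename lookup (<subject_hash>.<n>).
set -e
W=$(mktemp -d) && cd "$W"          # all test material lives in $W
Q="-nodes -days 1"                 # unencrypted, short-lived throwaway keys

# Throwaway CA, an LDAP server cert it issued, and Radiator's client cert
openssl req -x509 -newkey rsa:2048 $Q -subj "/CN=Test LDAP CA" \
    -keyout ca.key -out ca.pem 2>/dev/null
for n in server client; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$n.example.invalid" \
        -keyout $n.key -out $n.csr 2>/dev/null
    openssl x509 -req -in $n.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 1 -out $n.pem 2>/dev/null
done
# A cert from an unrelated CA: Radiator must refuse a server presenting it
openssl req -x509 -newkey rsa:2048 $Q -subj "/CN=Rogue CA" \
    -keyout rogue.key -out rogue.pem 2>/dev/null

# SSLCAPath layout: one file per root cert, named <subject_hash>.<n>
build_capath() {
    dir=$1; shift; mkdir -p "$dir"
    for ca in "$@"; do
        h=$(openssl x509 -noout -subject_hash -in "$ca"); n=0
        while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done   # hash collisions
        cp "$ca" "$dir/$h.$n"
    done
}
# The check Radiator applies to the LDAP server's cert (SSLCAPath / SSLCAFile)
verify_with_capath() { openssl verify -CApath "$1" "$2" >/dev/null 2>&1; }
verify_with_cafile() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
# SSLCAClientKey must be the private key for SSLCAClientCert: compare the
# public key inside the cert with the one derived from the key file
key_matches_cert() {
    [ "$(openssl x509 -noout -pubkey -in "$1")" = \
      "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

build_capath capath ca.pem
verify_with_capath capath server.pem && echo "server.pem: trusted via SSLCAPath"
verify_with_cafile ca.pem server.pem && echo "server.pem: trusted via SSLCAFile"
verify_with_capath capath rogue.pem || echo "rogue.pem: rejected, unknown CA"
key_matches_cert client.pem client.key && echo "client.key matches client.pem"
key_matches_cert client.pem server.key || echo "server.key does NOT match client.pem"
```

The `build_capath` step is what you would run over a directory of root certificates before pointing SSLCAPath at it; the `key_matches_cert` check is a quick way to confirm that the two client-side files you hand to Radiator belong together.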