[RADIATOR] LDAPS Certificate questions with AuthBy LDAP2
Mark Bassett
mbassett at intelius.com
Mon Jul 19 18:08:18 CDT 2010
I'm already looking at that section, but it doesn't say what the cert
should be. This is the only relevant section and does not answer my
question.
What is the SSLCAClientCert? Is it supposed to be the same certificate
as what is on the ldap server? I have tried creating a self signed cert
and placing it in the config, but the connection always errors with no
detail other than
Mon Jul 19 15:51:50 2010: DEBUG: Handling with Radius::AuthLDAP2: CheckAD
Mon Jul 19 15:51:50 2010: INFO: Connecting to blablabla.com:636
Mon Jul 19 15:51:50 2010: ERR: Could not open LDAP connection to blablabla.com:636. Backing off for 600 seconds.
Mon Jul 19 15:51:50 2010: DEBUG: AuthBy LDAP2 result: IGNORE, User database access error
---From ref.pdf---
For AuthBy LDAP2, you also need to specify some additional parameters describing the location of certificate and private key files.
# LDAP2: Enable SSL and tell it where to find certificates
UseSSL
# Name of the client certificate file:
SSLCAClientCert /path/to/client/certificate.pem
# Name of the file containing the client private key
SSLCAClientKey /path/to/client/keyfile.pem
# only need to set one of the following
#SSLCAPath /path/to/CA/cert/dir
SSLCAFile /path/to/file/containing/certificate/of/CA.pem
Hint: You only need to set one of SSLCAFile or SSLCAPath, not both.
Hint: All LDAP2 certificates are required to be in PEM format.
Hint: If both UseSSL and UseTLS are specified, SSL will be used.
-----Original Message-----
From: Hugh Irvine [mailto:hugh at open.com.au]
Sent: Monday, July 19, 2010 4:00 PM
To: Mark Bassett
Cc: radiator at open.com.au
Subject: Re: [RADIATOR] LDAPS Certificate questions with AuthBy LDAP2
Hello Mark -
See sections 5.36.3 and 5.36.4 in the Radiator 4.6 reference manual
("doc/ref.pdf").
regards
Hugh
On 20 Jul 2010, at 08:42, Mark Bassett wrote:
> My question is in regards to the SSLCAClientCert and SSLCAClientKey
> parameters. What certificate files is it looking for? I have the CA
> cert in /etc/openldap/cacerts.
>
> Do I just need to generate a local certificate for the radiator server
> to use and provide its pem and key files?
>
> It's currently working now with SSLVerify none, but I would like to
> require verification.
>
> <AuthBy LDAP2>
> Identifier CheckAD
> Host blablablaa
>
> #SSLeayTrace 4
> #Debug 255
> Version 3
> # Microsoft AD also listens on port 3268, and
> # requests received on that port are reported to be
> # more compliant with standard LDAP, so you may want to use:
> Port 636
> UseSSL
> SSLVerify none
> SSLCAPath /etc/openldap/cacerts
> AuthDN CN=BlaBlaBla,DC=com
> # AuthPassword yourADadminpasswordhere
> AuthPassword BLAHBLAH
> BaseDN dc=blah,dc=com
> ServerChecksPassword
> UsernameAttr sAMAccountName
> #PasswordAttr userPassword
> #AuthAttrDef logonHours,MS-Login-Hours,check
> </AuthBy>
>
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive
(www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
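An added diagnostic script, not from this thread or from Radiator, that opens the same LDAPS connection with Net::LDAP (the Perl module AuthBy LDAP2 is built on) with certificate verification switched on, so a CA-file or chain problem shows up with its own error text instead of a bare "Could not open LDAP connection". The CA file path, the bind DN, and the LDAP_BIND_PW environment variable are assumptions; the client cert and key options are left commented because they map to SSLCAClientCert/SSLCAClientKey and are only needed when the server asks for a client certificate.

```perl
#!/usr/bin/perl
# Connect to an LDAPS server with verification required and report
# what the server presented. Placeholder host/DN/paths; adjust to taste.
use strict;
use warnings;
use Net::LDAP;

my $host    = 'blablabla.com';                # host from the thread
my $port    = 636;
my $cafile  = '/etc/openldap/cacerts/ca.pem'; # assumed: PEM CA that signed the AD cert
my $bind_dn = 'CN=BlaBlaBla,DC=com';          # assumed bind account
my $bind_pw = $ENV{LDAP_BIND_PW};
defined $bind_pw or die "set LDAP_BIND_PW in the environment\n";

# verify => 'require' is the Net::LDAP counterpart of SSLVerify require:
# the server certificate must chain to a CA found in cafile (or capath).
my $ldap = Net::LDAP->new(
    $host,
    port    => $port,
    scheme  => 'ldaps',
    version => 3,
    verify  => 'require',
    cafile  => $cafile,
    # Client certificate and key, as SSLCAClientCert / SSLCAClientKey
    # would point at; uncomment only if the server requires them.
    # clientcert => '/path/to/client/certificate.pem',
    # clientkey  => '/path/to/client/keyfile.pem',
) or die "LDAPS connect or certificate verification failed: $@\n";

# The underlying socket is an IO::Socket::SSL; show subject and issuer
# so the CA file can be matched against the real issuer.
my $sock = $ldap->socket;
if ($sock->can('peer_certificate')) {
    printf "server subject: %s\n", $sock->peer_certificate('subject');
    printf "server issuer:  %s\n", $sock->peer_certificate('issuer');
}

# A simple bind proves the session is usable end to end.
my $mesg = $ldap->bind($bind_dn, password => $bind_pw);
die "bind failed: " . $mesg->error . "\n" if $mesg->code;
print "bind OK with certificate verification enabled\n";
$ldap->unbind;
```

If the script dies at the connect step, the issuer printed by a run with verify => 'none' tells you which CA certificate (in PEM) the SSLCAFile or SSLCAPath must contain.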