[RADIATOR] LDAPS Certificate questions with AuthBy LDAP2
Hugh Irvine
hugh at open.com.au
Tue Jul 20 01:34:04 CDT 2010
Hello Mark -
Certificates can be generated in pairs - a client side certificate and a matching server certificate.
The server certificate is used on the server and the client certificate is used on the client.
See the README file in the "certificates" sub-directory of the Radiator source distribution.
There are sample certificates included in the "certificates" directory that you can use for testing.
regards
Hugh
On 20 Jul 2010, at 09:08, Mark Bassett wrote:
> I'm already looking at that section, but it doesn't say what the cert
> should be. This is the only relevant section and does not answer my
> question.
>
> What is the SSLCAClientCert? Is it supposed to be the same certificate
> as what is on the ldap server? I have tried creating a self signed cert
> and placing it in the config, but the connection always errors with no
> detail other than
>
> Mon Jul 19 15:51:50 2010: DEBUG: Handling with Radius::AuthLDAP2:
> CheckAD
> Mon Jul 19 15:51:50 2010: INFO: Connecting to blablabla.com:636
> Mon Jul 19 15:51:50 2010: ERR: Could not open LDAP connection to
> blablabla.com:636. Backing off for 600 seconds.
> Mon Jul 19 15:51:50 2010: DEBUG: AuthBy LDAP2 result: IGNORE, User
> database access error
>
> ---From ref.pdf---
>
> For AuthBy LDAP2, you also need to specify some additional parameters
> describing
> the location of certificate and private key files.
> # LDAP2: Enable SSL and tell it where to find certificates
> UseSSL
> # Name of the client certificate file:
> SSLCAClientCert /path/to/client/certificate.pem
> # Name of the file containing the client private key
> SSLCAClientKey /path/to/client/keyfile.pem
> # only need to set one of the following
> #SSLCAPath /path/to/CA/cert/dir
> SSLCAFile /path/to/file/containing/certificate/of/CA.pem
> Hint: You only need to set one of SSLCAFile or SSLCAPath, not both.
> Hint: All LDAP2 certificates are required to be in PEM format.
> Hint: If both UseSSL and UseTLS are specified, SSL will be used.
>
> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au]
> Sent: Monday, July 19, 2010 4:00 PM
> To: Mark Bassett
> Cc: radiator at open.com.au
> Subject: Re: [RADIATOR] LDAPS Certificate questions with AuthBy LDAP2
>
>
> Hello Mark -
>
> See sections 5.36.3 and 5.36.4 in the Radiator 4.6 reference manual
> ("doc/ref.pdf").
>
> regards
>
> Hugh
>
>
> On 20 Jul 2010, at 08:42, Mark Bassett wrote:
>
>> My question is in regards to the SSLCAClientCert and SSLCAClientKey
>> parameters. What certificate files is it looking for? I have the CA
>> cert in /etc/openldap/cacerts.
>>
>> Do I just need to generate a local certificate for the radiator server
>> to use and provide its pem and key files?
>>
>> It's currently working now with SSLVerify none, but I would like to
>> require verification.
>>
>> <AuthBy LDAP2>
>> Identifier CheckAD
>> Host blablablaa
>>
>> #SSLeayTrace 4
>> #Debug 255
>> Version 3
>> # Microsoft AD also listens on port 3268, and
>> # requests received on that port are reported to be
>> # more compliant with standard LDAP, so you may want to use:
>> Port 636
>> UseSSL
>> SSLVerify none
>> SSLCAPath /etc/openldap/cacerts
>> AuthDN CN=BlaBlaBla,DC=com
>> # AuthPassword yourADadminpasswordhere
>> AuthPassword BLAHBLAH
>> BaseDN dc=blah,dc=com
>> ServerChecksPassword
>> UsernameAttr sAMAccountName
>> #PasswordAttr userPassword
>> #AuthAttrDef logonHours,MS-Login-Hours,check
>> </AuthBy>
>>
>>
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive
> (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> Includes support for reliable RADIUS transport (RadSec),
> and DIAMETER translation agent.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
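The thread asks what SSLCAClientCert and SSLCAClientKey should contain and how to get off "SSLVerify none". The script below is an added example, not from the thread and not Radiator's own code: it uses the openssl command line (assumed to be installed) to build a throwaway CA, an LDAP server certificate and a certificate for the RADIUS host (all names and subjects are constructed), then runs the two checks the LDAP2 settings imply. The first is whether the server certificate chains to the CA file you would name in SSLCAFile, which is what certificate verification checks once SSLVerify is no longer none (the value "require" is assumed from Net::LDAP, which AuthBy LDAP2 is built on). The second is whether a candidate SSLCAClientCert and SSLCAClientKey are a matching PEM certificate and private key.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or from Radiator).
# Builds a throwaway PKI with openssl and checks what the LDAP2 settings need:
#   SSLCAFile        -> the CA that signed the LDAP server's certificate
#                        (this is what "SSLVerify require" checks; with
#                        "SSLVerify none" the server is never verified)
#   SSLCAClientCert  -> PEM certificate for the Radiator host
#   SSLCAClientKey   -> the matching PEM private key
# Every file name and subject below is constructed for the example.

set -e

# make_test_pki DIR: create ca.pem, server.pem/server.key, client.pem/client.key
# and an unrelated other-ca.pem in DIR.
make_test_pki() {
    dir=$1
    mkdir -p "$dir"
    # Root CA (self-signed), standing in for the CA in /etc/openldap/cacerts
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -subj "/CN=Example Test CA" >/dev/null 2>&1
    # LDAP server certificate signed by that CA
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -subj "/CN=ldap.example.test" >/dev/null 2>&1
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/server.pem" >/dev/null 2>&1
    # Client certificate for the RADIUS host, signed by the same CA
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/client.key" -out "$dir/client.csr" \
        -subj "/CN=radius.example.test" >/dev/null 2>&1
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/client.pem" >/dev/null 2>&1
    # A second, unrelated CA: the wrong SSLCAFile must fail verification
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/other-ca.key" -out "$dir/other-ca.pem" \
        -subj "/CN=Unrelated CA" >/dev/null 2>&1
}

# verify_server_cert CAFILE CERT: exit 0 if CERT chains to CAFILE, i.e. what
# verification would accept for that SSLCAFile.
verify_server_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# client_pair_matches CERT KEY: exit 0 if the certificate's public key equals
# the public half of the private key (SSLCAClientCert/SSLCAClientKey pair).
client_pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# is_pem FILE: the LDAP2 hints require PEM, not DER; look for the PEM armour.
is_pem() {
    grep -q -- '-----BEGIN' "$1"
}

# Demonstration run: sh ldap2-certs.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_test_pki "$tmp"
    verify_server_cert "$tmp/ca.pem" "$tmp/server.pem" \
        && echo "server.pem chains to ca.pem: OK (use ca.pem as SSLCAFile)"
    verify_server_cert "$tmp/other-ca.pem" "$tmp/server.pem" \
        || echo "server.pem does not chain to other-ca.pem: rejected, as expected"
    client_pair_matches "$tmp/client.pem" "$tmp/client.key" \
        && echo "client.pem/client.key match: OK for SSLCAClientCert/SSLCAClientKey"
    rm -rf "$tmp"
fi
```

Mapping this back to the configuration in the thread: SSLCAFile (or SSLCAPath) points at ca.pem, SSLCAClientCert at client.pem and SSLCAClientKey at client.key, and "SSLVerify none" is replaced so that the server certificate is actually checked against that CA. The client certificate and key only come into play if the LDAP server asks for one; the CA file is what lets Radiator tell the real LDAP server from anything else answering on port 636.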