[RADIATOR] LDAP-SASL bind with certificate

Jonathan Klay - NOAA Federal jonathan.klay at noaa.gov
Fri May 3 16:38:40 UTC 2019


I'm trying to configure an LDAP authentication to a server, and I have the
following guidance -

Binds are only permitted via certificate based authentication (i.e. setting
up a service account for you in our Whitepages LDAP store which will allow
you to connect to it via a client certificate).  (note: this example
utilizes ForgeRock’s OpenDJ ldapsearch tool, but any ldap query tool that
supports certificates can be used in its place):
ldapsearch -h whitepages.xxxx.xxx -p 636
--baseDN ou=people,dc=xxxx
--useSSL
--useSASLExternal
--certNickName <Insert Cert Nickname Here> # nickname of your certificate
inside the keystore.jks
--keyStorePath /path/to/keystore.jks # java key store containing your
certificate
--keyStorePasswordFile keystore.pin # plain text file containing the
password to keystore.jks
--trustStorePath /path/to/truststore.jks # java key store file containing
Whitepages public certificate
--trustStorePasswordFile truststore.pin # plain text file containing the
password to truststore.jks
uid=service.account.name,ou=people, etc

However... the goodies file "ldap-sasl.cfg" states
# When UseSASL is enabled, AuthBy LDAP 2 will send the SASLUser and
# SASLPassword to the LDAP server when it does an LDAP bind prior to
# searching for the Radius user to authenticate.

And in the manual, "Optionally you can authenticate Radiator as a valid
user of the LDAP server by specifying AuthDN and AuthPassword."  and "If
SASL authentication is specified, the LDAP server uses SASL to authenticate
the SASL user credentials specified by SASLUser and SASLPassword. You must
configure your LDAP server to enable SASL authentication, and to map SASL
user names to LDAP server administrator names."

I need to bind, but won't be sending an AuthPassword or SASLPassword.
Someone looked to be trying the same thing, I think, but it was never
clearly resolved here,
https://lists.open.com.au/pipermail/radiator/2013-April/019109.html where
they asked "I would like to check a user in LDAP server using SASL bind
with admin certificate basically a external bind mechanism."

Maybe I'm too worried about this, not knowing much about LDAP - should
setting "UseSSL" options just take care of this?  I can't really test much
because I have no control over the server, which is operated by another
distant group, and we've never had an LDAP server here.

Thanks
-- 
Jonathan Klay
IT Specialist
PMEL CNSD 206 526-6766
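Added example, not from the post above and not Radiator's or OpenDJ's code: the difference between the bind the quoted manual text describes (credentials carried inside the SASL bind request) and the certificate-based bind the Whitepages guidance asks for (SASL mechanism EXTERNAL, no credentials, the identity coming from the TLS client certificate presented during the LDAPS handshake). The script encodes and decodes the RFC 4511 BindRequest/BindResponse messages with the standard library only; the DN, password and result strings are constructed sample values, and nothing is sent to a server.

```python
"""Encode/decode the LDAP bind messages involved in certificate-based (SASL
EXTERNAL) authentication, stdlib only. Constructed example; no network I/O."""
from __future__ import annotations


# --- minimal BER helpers (RFC 4511 messages are BER-encoded) ---------------
def _length(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _length(len(value)) + value


def _integer(n: int) -> bytes:
    """Two's-complement INTEGER (message IDs, protocol version)."""
    size = 1
    while not (-(1 << (8 * size - 1)) <= n < (1 << (8 * size - 1))):
        size += 1
    return _tlv(0x02, n.to_bytes(size, "big", signed=True))


def _octets(tag: int, s: str | bytes) -> bytes:
    return _tlv(tag, s.encode() if isinstance(s, str) else s)


# --- BindRequest, RFC 4511 section 4.2: [APPLICATION 0] SEQUENCE -----------
def _bind_request(message_id: int, dn: str, auth: bytes) -> bytes:
    body = _integer(3) + _octets(0x04, dn) + auth      # version 3, name, auth
    return _tlv(0x30, _integer(message_id) + _tlv(0x60, body))


def simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """Simple bind (AuthDN/AuthPassword style): password rides in the request."""
    return _bind_request(message_id, dn, _octets(0x80, password))  # simple [0]


def sasl_bind(message_id: int, mechanism: str, credentials: bytes | None) -> bytes:
    """SASL bind: name left empty, credentials are mechanism-specific."""
    sasl = _octets(0x04, mechanism)
    if credentials is not None:
        sasl += _octets(0x04, credentials)
    return _bind_request(message_id, "", _tlv(0xA3, sasl))         # sasl [3]


def sasl_external_bind(message_id: int) -> bytes:
    """Certificate-based bind: mechanism EXTERNAL and no credentials field.
    The server takes the identity from the TLS client certificate it already
    verified, so there is no SASLUser/SASLPassword equivalent to send."""
    return sasl_bind(message_id, "EXTERNAL", None)


def carries_secret(request: bytes, secret: str) -> bool:
    """True if the bind request contains the given password verbatim."""
    return secret.encode() in request


# --- BindResponse, [APPLICATION 1] SEQUENCE (LDAPResult fields) ------------
def bind_response(message_id: int, result_code: int, diagnostic: str = "") -> bytes:
    """Server side, used here only to fabricate a reply for the parser."""
    body = _tlv(0x0A, bytes([result_code])) + _octets(0x04, "") + _octets(0x04, diagnostic)
    return _tlv(0x30, _integer(message_id) + _tlv(0x61, body))


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, value, position after the TLV) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(msg: bytes) -> dict:
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = _read_tlv(body, 0)
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, rc, pos = _read_tlv(op, 0)        # resultCode ENUMERATED (0 = success, 49 = invalidCredentials)
    _, matched, pos = _read_tlv(op, pos)  # matchedDN
    _, diag, _ = _read_tlv(op, pos)       # diagnosticMessage
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "result_code": int.from_bytes(rc, "big"),
            "matched_dn": matched.decode(), "diagnostic": diag.decode()}


if __name__ == "__main__":
    # Sample values are constructed for illustration only.
    print("simple   :", simple_bind(1, "uid=svc,ou=people,dc=example", "hunter2").hex())
    print("PLAIN    :", sasl_bind(1, "PLAIN", b"\0svc\0hunter2").hex())
    print("EXTERNAL :", sasl_external_bind(1).hex())
    print(parse_bind_response(bind_response(1, 0)))
```

The EXTERNAL request is 24 bytes and contains no secret at all; with a password-carrying mechanism such as PLAIN (used here purely as the contrasting case, not as a statement about what Radiator sends by default) the SASLPassword is visible in the request bytes. On a real connection the EXTERNAL bind is only meaningful after a TLS handshake in which the client presented its certificate, which is what the `--useSSL` and keystore options in the quoted ldapsearch command arrange; nothing in the LDAP layer itself carries the certificate.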