[RADIATOR] ldap with certificate authentication

Heikki Vatiainen hvn at open.com.au
Tue May 17 13:48:49 UTC 2022


On 16.5.2022 15.29, Alfred Reibenschuh wrote:

> I have the following setup
> 
> <Handler Suffix = @realm, NAS-Identifier = sshd, NAS-Port-Type = 
> Virtual, Service-Type = Authenticate-Only>
>          <AuthBy LDAP2>
>              Identifier      PROXY_realm
>              Host realm.example.com
>              Port            636

    # Tells Radiator to do direct LDAPS
    # connection to port 636
    UseSSL

    # Client certificate and private key to use
    SSLCAClientCert ...
    SSLCAClientKey ...

    # When the key is protected
    SSLCAClientKeyPassword ...

>              BaseDN         OU=realm,DC=example,DC=com
>              SearchFilter    (cn=%1)
>              ServerChecksPassword
>              Version         3
>          </AuthBy>
> </Handler>
> 
> now security requires a client certificate (which I have) to 
> authenticate the ldap connection
> 
> how would I configure the certificate for authenticating the ldap
> connection?

See the following in
https://files.radiatorsoftware.com/radiator/ref.pdf

3.9.21. SSLCAClientCert
3.9.22. SSLCAClientKey
3.9.23. SSLCAClientKeyPassword (starting with Radiator 4.24)

These three parameters set the client certificate. For an example, see 
3.9.8. UseSSL.

Starting with Radiator 4.24 you can also set

3.9.24. SSLExpectedServerName

SSLExpectedServerName is a fairly recent parameter, added in Radiator 
4.24, that allows you, for example, to set the Host parameter to an IP 
address and separately set the name that the server certificate is 
required to have. Without this parameter the name must match the Host 
value.

When setting up the configuration, you can enable TLS debugging to see 
how the LDAP library's TLS handshake proceeds. For the details, see this 
parameter:

3.9.11. DebugTLS

Note that this logging happens outside of Radiator's logging, so you need 
to use the methods described in the reference manual to see the log 
messages that are written to STDERR.


Please let us know how it goes.

Thanks,
Heikki

-- 
Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software
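The checks behind the parameters listed in the reply above, as an added example that is not part of the thread and not Radiator's own code. It uses the openssl command line to build a throwaway CA, an LDAPS server certificate carrying only a DNS name, and a client certificate, and then verifies what SSLCAClientCert/SSLCAClientKey need (certificate and key belong together), what SSLCAClientKeyPassword needs (the passphrase unlocks the key), and what the TLS library checks against Host or SSLExpectedServerName (the server certificate chains to the CA and is valid for the expected name). Every name, address and passphrase below is constructed for the example; the last check is expected to fail, which is the situation SSLExpectedServerName exists for when Host is an IP address.

```shell
#!/bin/sh
# Added example for this thread; not Radiator code and not from the post.
# All names, the address and the passphrase are constructed values.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
LDAP_NAME="realm.example.com"      # name the server certificate will carry
LDAP_IP="192.0.2.10"               # what Host would be if set to an address
KEY_PASS="constructed-passphrase"  # assumed value for SSLCAClientKeyPassword

# Build a CA, a server certificate (DNS SAN only, no IP SAN) and a client certificate.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test LDAP CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1

    openssl req -newkey rsa:2048 -nodes -subj "/CN=$LDAP_NAME" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$LDAP_NAME" \
        > "$WORK/server.ext"
    openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/server.ext" \
        -out "$WORK/server.crt" >/dev/null 2>&1

    openssl req -newkey rsa:2048 -nodes -subj "/CN=radiator-ldap-client" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
    printf 'extendedKeyUsage=clientAuth\n' > "$WORK/client.ext"
    openssl x509 -req -days 1 -in "$WORK/client.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/client.ext" \
        -out "$WORK/client.crt" >/dev/null 2>&1

    # Passphrase-protected copy of the client key (the SSLCAClientKeyPassword case).
    openssl pkey -in "$WORK/client.key" -aes256 -passout "pass:$KEY_PASS" \
        -out "$WORK/client.enc.key" >/dev/null 2>&1
}

# Succeeds when the certificate's public key equals the key's public key.
# The optional third argument is the key passphrase; a wrong one fails here
# just as loading the key would fail.
cert_key_match() {   # cert key [passphrase]
    ckm_c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    ckm_k=$(openssl pkey -in "$2" -pubout -passin "pass:${3:-}" 2>/dev/null) || return 1
    [ "$ckm_c" = "$ckm_k" ]
}

# Succeeds when the server certificate chains to the CA and is valid for the
# DNS name: the check a TLS client makes against Host or SSLExpectedServerName.
server_ok_for_name() {   # ca cert dnsname
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Same check for an IP literal, which is what Host=<address> would require.
server_ok_for_ip() {     # ca cert ip
    openssl verify -CAfile "$1" -verify_ip "$3" "$2" >/dev/null 2>&1
}

report() {   # label command...
    r_label=$1; shift
    if "$@"; then echo "$r_label: ok"; else echo "$r_label: FAIL"; fi
}

make_test_pki
report "client cert matches plain key"       cert_key_match "$WORK/client.crt" "$WORK/client.key"
report "client cert matches encrypted key"   cert_key_match "$WORK/client.crt" "$WORK/client.enc.key" "$KEY_PASS"
report "encrypted key with wrong passphrase" cert_key_match "$WORK/client.crt" "$WORK/client.enc.key" "wrong"
report "server cert valid for $LDAP_NAME"    server_ok_for_name "$WORK/ca.crt" "$WORK/server.crt" "$LDAP_NAME"
report "server cert valid for $LDAP_IP (Host=IP without SSLExpectedServerName, expected FAIL)" \
    server_ok_for_ip "$WORK/ca.crt" "$WORK/server.crt" "$LDAP_IP"
```

Point the same functions at the real files before editing the Radiator configuration: cert_key_match on the SSLCAClientCert/SSLCAClientKey pair (with the SSLCAClientKeyPassword value if the key is encrypted) and server_ok_for_name on the LDAP server's certificate with the CA you intend to trust, using the name you will put in Host or SSLExpectedServerName. If the server certificate only passes for a DNS name while Host is an address, that is the case for setting SSLExpectedServerName to the DNS name.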

