[RADIATOR] ldap with certificate authentication
Heikki Vatiainen
hvn at open.com.au
Tue May 17 13:48:49 UTC 2022
On 16.5.2022 15.29, Alfred Reibenschuh wrote:
> I have the following setup
>
> <Handler Suffix = @realm, NAS-Identifier = sshd, NAS-Port-Type =
> Virtual, Service-Type = Authenticate-Only>
> <AuthBy LDAP2>
> Identifier PROXY_realm
> Host realm.example.com
> Port 636
# Tells Radiator to do direct LDAPS
# connection to port 636
UseSSL
# Client certificate and private key to use
SSLCAClientCert ...
SSLCAClientKey ...
# When the key is protected
SSLCAClientKeyPassword ...
> BaseDN OU=realm,DC=example,DC=com
> SearchFilter (cn=%1)
> ServerChecksPassword
> Version 3
> </AuthBy>
> </Handler>
>
> Now security requires a client certificate (which I have) to
> authenticate the LDAP connection.
>
> How would I configure the certificate for authenticating the LDAP
> connection?
See the following in
https://files.radiatorsoftware.com/radiator/ref.pdf
3.9.21. SSLCAClientCert
3.9.22. SSLCAClientKey
3.9.23. SSLCAClientKeyPassword (starting with Radiator 4.24)
These 3 parameters set the client certificate. For an example, see
3.9.8. UseSSL.
Starting with Radiator 4.24 you can also
3.9.24. SSLExpectedServerName
SSLExpectedServerName is a fairly recent parameter, added in Radiator
4.24, that allows you, for example, to set the Host parameter to an IP
address and set the name that the server certificate is required to have.
Without this parameter the name must match the Host value.
When setting up the configuration, you can enable TLS debugging to see
how the LDAP library's TLS handshake proceeds. For the details, see this
parameter:
3.9.11. DebugTLS
Note that this logging happens outside of Radiator's logging, so you need
to use the methods described in the reference manual to see the log
messages that are written to STDERR.
Please let us know how it goes.
Thanks,
Heikki
--
Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software
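As an added illustration of the advice in this thread (not code from Radiator or from either poster), the following Python parses an AuthBy LDAP2 block and flags the combinations discussed above: LDAPS without UseSSL, a client certificate without its key (or vice versa), a key password without a key, and a Host given as an IP address without SSLExpectedServerName. The sample block, paths and the 192.0.2.10 address are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample modelled on the AuthBy LDAP2 block from the thread;
# the paths, realm and address are placeholders, not a real deployment.
SAMPLE_CONFIG = """
<AuthBy LDAP2>
    Identifier PROXY_realm
    Host 192.0.2.10
    Port 636
    UseSSL
    SSLCAClientCert /etc/radiator/certs/client.pem
    SSLCAClientKey /etc/radiator/certs/client.key
    BaseDN OU=realm,DC=example,DC=com
    SearchFilter (cn=%1)
    ServerChecksPassword
    Version 3
</AuthBy>
"""

def parse_authby(text):
    """Return {parameter: value} for the first <AuthBy ...> block.
    Flag-style parameters such as UseSSL map to an empty string."""
    block = re.search(r"<AuthBy\b[^>]*>(.*?)</AuthBy>", text, re.S)
    if not block:
        raise ValueError("no <AuthBy> block found")
    params = {}
    for line in block.group(1).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        params[parts[0]] = parts[1] if len(parts) > 1 else ""
    return params

def check_ldaps_client_auth(params):
    """Return a list of problems for an LDAPS client-certificate setup."""
    problems = []
    if "UseSSL" not in params:
        problems.append("UseSSL missing: a direct LDAPS connection needs it")
    cert, key = params.get("SSLCAClientCert"), params.get("SSLCAClientKey")
    if bool(cert) != bool(key):
        problems.append("SSLCAClientCert and SSLCAClientKey must be set together")
    if "SSLCAClientKeyPassword" in params and not key:
        problems.append("SSLCAClientKeyPassword set without SSLCAClientKey")
    try:
        ipaddress.ip_address(params.get("Host", ""))
        if "SSLExpectedServerName" not in params:
            problems.append("Host is an IP address: set SSLExpectedServerName")
    except ValueError:
        pass  # Host is a hostname, so the server certificate must match it
    return problems
```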