On 04/10/2013 12:03 AM, pramod kulkarni wrote:
Thanks John for the reply. can I use EAP-TLS method of authentication with LDAP as backend datastore to check usernames and passwords. It would be like I bind to RADIUS server with EAP-TLS method using certificate and check usernames and passwords from LDAP server if yes on EAP-TLS can you please tell me how to configure EAP-TLS with LDAP as backend datastore.
This is a nonsensical question, EAP-TLS uses certificates. You do not yet understand some of the basics. You need to invest some time in learning the what the authentication mechanisms are and how they operate, this is a good starting place. http://deployingradius.com/documents/protocols/
Basically I want to avoid harcoded usernames and passwords in raddb of RADIUS server for authenticating users which I am doing currently .
What the configuration block in modules/ldap is setting up is how the radius server can communicate with the LDAP server in a peer-to-peer relationship. The LDAP server has to know who the radius server is and if it has permission to access other users passwords and password hashes. Therefore radiusd must authenticate to LDAP. This process is completely *independent* of any of the authentication protocols, it's merely establishing if radius can view certain data. The way rlm_ldap is currently coded only simple binds (i.e. password based) are supported, therefore you must store a password in raddb. You are correct this is a security issue, however only root and the radius process should be able to read the file. On our systems we make sure the permissions and identities the processes run under assure this, if you've installed via some other mechanism it behooves you to assure the radius user and group are properly configured as well as the file permissions on the config files. Any by the way no I won't tell you how to do this, it's system admin 101. I'm pretty sure the defaults assure this as well, but I haven't verified. There are other ways to establish the trust between radiusd and LDAP beside simple binds which do not involve passwords. All of these use SASL in some form. Unfortunately rlm_ldap does not support them. I know Alan rewrote rlm_ldap recently for the upcoming 3.0 version, I don't know if SASL support was added or not. In any event this is an open source project and if you want this functionality then the usual mantra "Patches Welcome" applies. Oh, and by the way just in case you're confused as to the TLS parameters in the ldap config, they have nothing to do with binding (i.e. authenticating radiusd to LDAP), their purpose is to establish a secure tunnel between radiusd and LDAP. You can request the tunnel only be established if certificate based authentication succeeds but a simple bind will still be performed inside the tunnel. HTH, John -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/