subcon wrote:
Imagine I want to store x509 certificate data (specifically a client certificate) in an attribute in LDAP (perhaps as a binary attribute, etc).
That's outside of the scope of FreeRADIUS.
I would like FreeRADIUS, should it be passed a client certificate INSTEAD of a user/pass, to take the DN of the cert and match it to some attribute which contains said DN and cert-data.
That's possible. See raddb/sites-available/default in recent releases. Look for the "TLS-*" comments in the post-auth section.
The ultimate goal of all of this is to allow the continued use of LDAP and store the certificates (to be compared against) in the tree and not on some filesystem basis.
That's thinking about it wrong. You don't "compare" certificates. You verify certificates against a CA. You check certificates against a revocation list.
Note that I want FreeRADIUS to continue supporting PAP user/pass auth, but only as a secondary fall-back (e.g: customer doesn't have client cert installed on machine, but has a user and password).
For what kind of system? Wireless, or wired?
Is this possible? Does this make sense to you? Let me know if I need to re-explain anything.
You need to correct your thinking and your vocabulary. Certificates don't work the way you seem to think. Alan DeKok.