compile with ldap support
What are options do I have to use to compile freeradius with ldap support turned on? I tried ./configure -with-ldap but that didn't seem to work I still get an error about not being able to find rlm_ldap. I checked the mail archives but I couldn't find anything. Thanks, Chris
On 10 Apr 2013, at 21:12, Chris Taylor <Chris.Taylor@corp.eastlink.ca> wrote:
What are options do I have to use to compile freeradius with ldap support turned on? I tried ./configure –with-ldap but that didn’t seem to work I still get an error about not being able to find rlm_ldap. I checked the mail archives but I couldn’t find anything.
It'll build it by default if you have the libldap headers installed. Check the output of configure to verify it's actually building rlm_ldap. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team Please contribute documentation: http://wiki.freeradius.org "Fruity Oaty Bars, make a man out of a mouse. Fruity Oaty Bars, make you bust out of your blouse"
How do I check that I have them installed I have the openldap rpm installed. I am trying to go from an rpm build to a source build to fix a problem. Chris -----Original Message----- From: freeradius-users-bounces+chris.taylor=corp.eastlink.ca@lists.freeradius.org [mailto:freeradius-users-bounces+chris.taylor=corp.eastlink.ca@lists.freeradius.org] On Behalf Of Arran Cudbard-Bell Sent: Wednesday, April 10, 2013 10:07 PM To: FreeRadius users mailing list Subject: Re: compile with ldap support On 10 Apr 2013, at 21:12, Chris Taylor <Chris.Taylor@corp.eastlink.ca> wrote:
What are options do I have to use to compile freeradius with ldap support turned on? I tried ./configure -with-ldap but that didn't seem to work I still get an error about not being able to find rlm_ldap. I checked the mail archives but I couldn't find anything.
It'll build it by default if you have the libldap headers installed. Check the output of configure to verify it's actually building rlm_ldap. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team Please contribute documentation: http://wiki.freeradius.org "Fruity Oaty Bars, make a man out of a mouse. Fruity Oaty Bars, make you bust out of your blouse" - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Chris Taylor wrote:
How do I check that I have them installed I have the openldap rpm installed.
This is really a question for your OS vendor. How about "man rpm"? Or google? And you also want the libldap development headers. Just installing the OpenLDAP server won't get those. Alan DeKok.
On 04/10/2013 10:24 PM, Alan DeKok wrote:
Chris Taylor wrote:
How do I check that I have them installed I have the openldap rpm installed.
This is really a question for your OS vendor. How about "man rpm"? Or google?
If you're working on a Fedora/RHEL/CentOS etc. type system then yum-builddep is your friend. I know you're trying to build from source and not build an RPM but if you have a srpm or spec file you can use yum-builddep to get your build dependencies installed. Or you can look at a spec file and find all the BuildRequires and install those. Think of a rpm spec file as a "recipe" for building. If you're not sure what ingredients you need then consult the recipe. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
G'day As a (hopefully) answer-able question to those experienced with EAP-TLS that I've been twisting my brain: Usually I've seen example for EAP-TLS setups that used a server-side certificate issued from the same CA as the one it should allow EAP-TLS clients who present their certificate to FR. Am I guessing correctly that CA_file can contain a different list of CA(s) than the server certificate that is shown to the client? (Taken from Debian's FR 2.1.12) eap.conf: tls { [...] certificate_file = "/etc/freeradius/ssl/cert.p # Trusted Root CA list CA_file = "/etc/univention/ssl/ucsCA/CAcert.pem" [...] The real-life example would be that people could use PEAP-MSCHAPv2 for credential-based logins (server certificate being signed by a "trusted" external CA) while some devices could login using EAP-TLS but only when they present a certificate from an internal CA (that usually isn't being trusted by devices outside of control of IT department). Best regards Mathieu
Mathieu Simon wrote:
Usually I've seen example for EAP-TLS setups that used a server-side certificate issued from the same CA as the one it should allow EAP-TLS clients who present their certificate to FR.
Yes.
Am I guessing correctly that CA_file can contain a different list of CA(s) than the server certificate that is shown to the client?
Yes. It contains a list of valid CAs.
The real-life example would be that people could use PEAP-MSCHAPv2 for credential-based logins (server certificate being signed by a "trusted" external CA)
While that works, it's not recommended. It means that the client will trust *any* certificate signed by that CA, for network access. It's usually a bad idea.
while some devices could login using EAP-TLS but only when they present a certificate from an internal CA (that usually isn't being trusted by devices outside of control of IT department).
That works. The client will need *both* CAs. But why be this complicated? Just use one CA, which is for both EAP-TLS and PEAP. It can issue client certs to some machines, and *not* issue client certs to others. You don't need one CA per EAP method. Alan DeKok.
Hi Am 11.04.2013 20:08, schrieb Alan DeKok:
<snip!>
The real-life example would be that people could use PEAP-MSCHAPv2 for credential-based logins (server certificate being signed by a "trusted" external CA) While that works, it's not recommended. It means that the client will trust *any* certificate signed by that CA, for network access.
It's usually a bad idea. Correct, that for sure isn't what I'd want :-)
certificate_file - the server-side certificate - would contain the certificate (and it's trust chain) by the "trusted" CA. CA_file would only contain the internal CA, such as that only those signed by the one internal CA IT has control over it, would be accepted by FR. (oh and I'd want to have a regularly up-to-date revocation list...)
<snip!>
You don't need one CA per EAP method. Sure, I am only looking for the server-side certificate (certificate_file) being signed by a CA that most devices trust - since most of the users are going to use PEAP-MSCHAPv2 with devices not under direct controll of IT.
Telling students how to install a internal CA root isn't going to work, it already didn't work for teachers in the past ... But allowing only (internal) devices with certs from the internal CA through CA_file would allow us to more easily integrate those non-personal but school-owned devices. I just hope I'm not telling complete bullshit... ;-) Thank you Alan for your time to answer! -- Mathieu
Mathieu Simon wrote:
Telling students how to install a internal CA root isn't going to work, it already didn't work for teachers in the past ...
Yes. That is a problem.
But allowing only (internal) devices with certs from the internal CA through CA_file would allow us to more easily integrate those non-personal but school-owned devices.
That would work.
I just hope I'm not telling complete bullshit... ;-)
Nope.
Thank you Alan for your time to answer!
It's what I do. Alan DeKok.
participants (5)
-
Alan DeKok -
Arran Cudbard-Bell -
Chris Taylor -
John Dennis -
Mathieu Simon