Using LDAPS with Freeradius
Hi Everyone I am attempting to setup LDAPS on our Freeradius server on Ubuntu that is querying an Active Directory server for users group memberships, and hoping for a few guidelines on the correct setup procedure. So far I have exported the self signed PEM SSL cert form the AD server and imported it into /etc/freeradius/certs. In /etc/freeradius/mods-enabled/ldap, I also specified the Port = 636 and under the TLS section, pointed the ca_file = ${certdir}/ to the certificate, enabled ca_path = ${certdir} and set require_cert = 'allow'. The radius authentication's are working but would like to confirm if this is the best way to go about enabling LDAPS. - Kind Regards - Byron Jeffery - Assisting ICT Manager
That is the only way it works. And if it's working and you should see an established tcp connection to the ldap server on port 636. If it wasn't encrypted it would be on port 389. So it's encrypted. On Tue, 21 Jan 2020, 18:25 Byron Jeffery, <byronjeffery@cem.org.au> wrote:
Hi Everyone
I am attempting to setup LDAPS on our Freeradius server on Ubuntu that is querying an Active Directory server for users group memberships, and hoping for a few guidelines on the correct setup procedure.
So far I have exported the self signed PEM SSL cert form the AD server and imported it into /etc/freeradius/certs. In /etc/freeradius/mods-enabled/ldap, I also specified the Port = 636 and under the TLS section, pointed the ca_file = ${certdir}/ to the certificate, enabled ca_path = ${certdir} and set require_cert = 'allow'.
The radius authentication's are working but would like to confirm if this is the best way to go about enabling LDAPS.
- Kind Regards
- Byron Jeffery - Assisting ICT Manager - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 21 Jan 2020, at 02:31, Peter Lambrechtsen <peter@crypt.nz> wrote:
That is the only way it works. And if it's working and you should see an established tcp connection to the ldap server on port 636. If it wasn't encrypted it would be on port 389. So it's encrypted.
Just to add, the correct way of enabling LDAPS for the ldap module is to add the ldaps:// URI prefix to the server config item. Just setting port 636 will result in the LDAP module failing to connect to the LDAP server. You also do not need to specify the port explicitly if running on the default port, it's set automatically by the rlm_ldap code. https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/src/modules/rlm_... -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Thanks for the add Arran So something like this in the ldap module config: server = "ldaps://serverurl" - Also to clarify, is it necessary to specify the ca_file path and set require_cert = 'allow' for self sign certificates if doing LDAPS? - - Kind Regards - Byron Jeffery - Assisting ICT Manager On Wed, 22 Jan 2020 at 11:28, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
On 21 Jan 2020, at 02:31, Peter Lambrechtsen <peter@crypt.nz> wrote:
That is the only way it works. And if it's working and you should see an established tcp connection to the ldap server on port 636. If it wasn't encrypted it would be on port 389. So it's encrypted.
Just to add, the correct way of enabling LDAPS for the ldap module is to add the ldaps:// URI prefix to the server config item. Just setting port 636 will result in the LDAP module failing to connect to the LDAP server.
You also do not need to specify the port explicitly if running on the default port, it's set automatically by the rlm_ldap code.
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/src/modules/rlm_...
-Arran
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jan 21, 2020, at 9:14 PM, Byron Jeffery <byronjeffery@cem.org.au> wrote:
Thanks for the add Arran
So something like this in the ldap module config:
server = "ldaps://serverurl"
Yes.
- Also to clarify, is it necessary to specify the ca_file path and set require_cert = 'allow' for self sign certificates if doing LDAPS?
Sure if you want to allow MITM attacks. Otherwise you need some kind of trust anchor. For self-signed, i'd say you provide a copy of the certificate in ca_file, and set require_cert to 'hard'. Not 100% though, never configured it... -Arran
participants (3)
-
Arran Cudbard-Bell -
Byron Jeffery -
Peter Lambrechtsen