freeRADIUS + Openldap with TLS
Hi, I use freeradius 1.1.6 and Openldap 2.3.32. And now It can authenticate success( freeRADIUS + Openldap with TLS TLS encrypt.) My question is how to set private-key password in radiusd.conf? Is there a related variable to set, just like "private_key_password" in eap.conf . Thanks. John --------------------------------- 雅虎邮箱,终生伙伴!
You already have. eap.conf is a part of radiusd.conf. Ivan Kalik Kalik Informatika ISP Dana 29/10/2007, "Hangjun He" <elmerhe@yahoo.com.cn> piše:
Hi,
I use freeradius 1.1.6 and Openldap 2.3.32. And now It can authenticate success( freeRADIUS + Openldap with TLS TLS encrypt.)
My question is how to set private-key password in radiusd.conf? Is there a related variable to set, just like "private_key_password" in eap.conf .
Thanks. John
--------------------------------- ŃĹť˘ÓĘĎ䣏ÖŐÉúťď°éŁĄ
Hi, Yes. eap.conf is part of radiusd.conf. But I can not find a variable to set key-file-password in rlm_ldap section. # Lightweight Directory Access Protocol (LDAP) ldap { server = "ldap.your.domain" # identity = "cn=admin,o=My Org,c=UA" # password = mypass basedn = "o=My Org,c=UA" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" # base_filter = "(objectclass=radiusprofile)" # set this to 'yes' to use TLS encrypted connections # to the LDAP database by using the StartTLS extended # operation. # The StartTLS operation is supposed to be used with normal # ldap connections instead of using ldaps (port 689) connections start_tls = no # tls_cacertfile = /path/to/cacert.pem # tls_cacertdir = /path/to/ca/dir/ # tls_certfile = /path/to/radius.crt # tls_keyfile = /path/to/radius.key # tls_randfile = /path/to/rnd # tls_require_cert = "demand" # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" # profile_attribute = "radiusProfileDn" access_attr = "dialupAccess" tnt@kalik.co.yu ��� You already have. eap.conf is a part of radiusd.conf. Ivan Kalik Kalik Informatika ISP Dana 29/10/2007, "Hangjun He" pi�e:
Hi,
I use freeradius 1.1.6 and Openldap 2.3.32. And now It can authenticate success( freeRADIUS + Openldap with TLS TLS encrypt.)
My question is how to set private-key password in radiusd.conf? Is there a related variable to set, just like "private_key_password" in eap.conf .
Thanks. John
--------------------------------- �Ż����䣬������飡
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html --------------------------------- �Ż����䣬������飡
Yes. eap.conf is part of radiusd.conf. But I can not find a variable to set key-file-password in rlm_ldap section. # Lightweight Directory Access Protocol (LDAP) ldap { server = "ldap.your.domain" # identity = "cn=admin,o=My Org,c=UA" # password = mypass basedn = "o=My Org,c=UA" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" # base_filter = "(objectclass=radiusprofile)" # set this to 'yes' to use TLS encrypted connections # to the LDAP database by using the StartTLS extended # operation. # The StartTLS operation is supposed to be used with normal # ldap connections instead of using ldaps (port 689) connections start_tls = no # tls_cacertfile = /path/to/cacert.pem # tls_cacertdir = /path/to/ca/dir/ # tls_certfile = /path/to/radius.crt # tls_keyfile = /path/to/radius.key # tls_randfile = /path/to/rnd # tls_require_cert = "demand" # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" # profile_attribute = "radiusProfileDn" access_attr = "dialupAccess" So use openssl to remove the password from the key and put the key in a secure directory. The key itself should have 400 permissions and be owned by the ldap user. What's the problem? Regards, Frank Ranner
Thanks. So key-file-password do not set in radiusd.conf/rlm_ldap section. I still donot know how to configure key-password in Openldap, Where I can get any document or Wiki ? Thanks. John. "Ranner, Frank MR" <Frank.Ranner@defence.gov.au> 写道: Yes. eap.conf is part of radiusd.conf. But I can not find a variable to set key-file-password in rlm_ldap section. # Lightweight Directory Access Protocol (LDAP) ldap { server = "ldap.your.domain" # identity = "cn=admin,o=My Org,c=UA" # password = mypass basedn = "o=My Org,c=UA" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" # base_filter = "(objectclass=radiusprofile)" # set this to 'yes' to use TLS encrypted connections # to the LDAP database by using the StartTLS extended # operation. # The StartTLS operation is supposed to be used with normal # ldap connections instead of using ldaps (port 689) connections start_tls = no # tls_cacertfile = /path/to/cacert.pem # tls_cacertdir = /path/to/ca/dir/ # tls_certfile = /path/to/radius.crt # tls_keyfile = /path/to/radius.key # tls_randfile = /path/to/rnd # tls_require_cert = "demand" # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" # profile_attribute = "radiusProfileDn" access_attr = "dialupAccess" So use openssl to remove the password from the key and put the key in a secure directory. The key itself should have 400 permissions and be owned by the ldap user. What's the problem? Regards, Frank Ranner - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html --------------------------------- 雅虎邮箱,终生伙伴!
Hangjun He wrote:
I use freeradius 1.1.6 and Openldap 2.3.32. And now It can authenticate success( freeRADIUS + Openldap with TLS TLS encrypt.)
My question is how to set private-key password in radiusd.conf? Is there a related variable to set, just like "private_key_password" in eap.conf .
No. As always, patches are welcome. Alan DeKok.
I seems it need LDAP lib support. Alan DeKok <aland@deployingradius.com> 写道: Hangjun He wrote:
I use freeradius 1.1.6 and Openldap 2.3.32. And now It can authenticate success( freeRADIUS + Openldap with TLS TLS encrypt.)
My question is how to set private-key password in radiusd.conf? Is there a related variable to set, just like "private_key_password" in eap.conf .
No. As always, patches are welcome. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html --------------------------------- @yahoo.cn 新域名、无限量,快来抢注!
participants (4)
-
Alan DeKok -
Hangjun He -
Ranner, Frank MR -
tnt@kalik.co.yu