Secure FreeRADIUS & LDAP
Hi All, I used to use FreeRADIUS *years* back (iirc pre v1) on Linux and it worked rather well :) Not touched it since, however have just started a new contract and there is a requirement to use a RADIUS server to connect to our LDAP box (Red Hat Dir Server) to in turn authenticate some users/equipment that can't auth directly, but due to the nature of the environment, all datastores and comms have to be secured/encrypted. As the host will be RHEL5, FreeRADIUS would seem the ideal candidate (comes with it, although a rather ancient 1.1.3 version by default, can upgrade if needed), however before I start installing and testing, wondered whether it will satisfy the secure part of the requirements. So... My questions... # Can freeradius talk to the ldap box using TLS/SSL (ldaps) # Can freeradius read hashed credentials from the LDAP store and then actually use them??? # There may be a requirement to use certificates for auth, can the ldap/freeradius module handle certs??? Am sure there will be other issues/questions but until then. TIA Dan -- -- Dan Hawker danhawker@googlemail.com --
# Can freeradius talk to the ldap box using TLS/SSL (ldaps)
Yes. See tls section in ldap module.
# Can freeradius read hashed credentials from the LDAP store and then actually use them???
Yes. You will have to enable auto-headers in pap module if you are storing them with headers in userPassword.
# There may be a requirement to use certificates for auth, can the ldap/freeradius module handle certs???
Yes. Ivan Kalik Kalik Informatika ISP
Cool, thanks for the info Ivan. Will give it a go and report back Thanks again Dan 2009/2/20 <tnt@kalik.net>:
# Can freeradius talk to the ldap box using TLS/SSL (ldaps)
Yes. See tls section in ldap module.
# Can freeradius read hashed credentials from the LDAP store and then actually use them???
Yes. You will have to enable auto-headers in pap module if you are storing them with headers in userPassword.
# There may be a requirement to use certificates for auth, can the ldap/freeradius module handle certs???
Yes.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- -- Dan Hawker danhawker@googlemail.com 07773 348975 --
Dan Hawker wrote:
Hi All,
I used to use FreeRADIUS *years* back (iirc pre v1) on Linux and it worked rather well :)
Not touched it since, however have just started a new contract and there is a requirement to use a RADIUS server to connect to our LDAP box (Red Hat Dir Server) to in turn authenticate some users/equipment that can't auth directly, but due to the nature of the environment, all datastores and comms have to be secured/encrypted.
As the host will be RHEL5, FreeRADIUS would seem the ideal candidate (comes with it, although a rather ancient 1.1.3 version by default, can upgrade if needed), however before I start installing and testing, wondered whether it will satisfy the secure part of the requirements.
Yes, the FreeRADIUS version on RHEL5 is quite old, we're working to get a current version into the next RHEL update, until such time you can build and install the latest (2.1.3) by following instructions here: http://wiki.freeradius.org/Red_Hat_FAQ
So... My questions... # Can freeradius talk to the ldap box using TLS/SSL (ldaps)
yes
# Can freeradius read hashed credentials from the LDAP store and then actually use them???
yes
# There may be a requirement to use certificates for auth, can the ldap/freeradius module handle certs???
yes
Am sure there will be other issues/questions but until then.
TIA
Dan
-- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
participants (3)
-
Dan Hawker -
John Dennis -
tnt@kalik.net