Fwd: How to configure RADIUS +LDAP using SASL/Certificate based binding instead of usernames and passwords
jdennis at redhat.com
Tue Apr 9 14:11:29 CEST 2013
On 04/09/2013 03:44 AM, pramod kulkarni wrote:
> I am working on RADIUS with LDAP as backend for authenticating users.
> I configured rlm_ldap on RADIUS server with username and plaintext
> password and I am able to authenticate RADIUS client using LDAP.
There is a difference between using LDAP as a backend datastore (lookup
passwords and password hashes after binding as a service) and using LDAP
as a authentication oracle (binding as the user to determine if the user
is authenticated depending on the bind result). From above it sounds
like you've configured LDAP as a backend datastore.
> But I want to configure RADIUS server with certificates instead of using
> usernames and passwords.
> Please guide me how to achieve this,is there any help/doc how to
> configure LDAP SASL bind for RADIUS Server.
> Waiting for your inputs.
> Thanks and Regards,
You can't with the current rlm_ldap module bind to the LDAP server with
anything other than a (username, password) pair, either for lookups or
for authentication testing (only ldap_connect and ldap_simple_bind are
However, rlm_ldap does support SSL/TLS connections to the LDAP server
and you can specify that you want the LDAP server to request a client
cert when establishing the connection. But ultimately you're still doing
a simple bind albeit in a secure tunnel. If you specify you want the
LDAP server to require a client cert then you effectively have two
simultaneous authtication mechanisms in play (TLS for the tunnel and
simple auth inside the tunnel). Setting up TLS auth is straight forward
(see the options in raddb/modules/ldap) *except* for the fact the ldap
library routines to set the require cert option are buggy (rlm_ldap uses
the wrong entry point which may not be supported and the openldap
library also has bugs, I think we've now got all these fixed and patches
sent upstream to openldap, but you should be aware there is an
reasonable chance it won't work on your distribution unless you've got
Even if SASL binds were supported you wouldn't want to use SASL binds
for user authentication (if that was what you were asking, it's not
clear from your original post). For user authentication based on
certificates you would use EAP-TLS.
A long time ago I had a patch for using SASL binds, but it was against
the old 1.1.7 version of rlm_ldap and it only supported GSSAPI.
John Dennis <jdennis at redhat.com>
Looking to carve out IT costs?
More information about the Freeradius-Devel