FreeRADIUS EAP-TLS Lookup Client Cert From LDAP DIT

Alan DeKok aland at deployingradius.com
Sat Oct 15 19:41:52 CEST 2011


subcon wrote:
> Imagine I want to store x509 certificate data (specifically a client
> certificate) in an attribute in LDAP (perhaps as a binary attribute, etc). 

  That's outside of the scope of FreeRADIUS.

> I would like FreeRADIUS, should it be passed a client certificate INSTEAD of
> a user/pass, to take the DN of the cert and match it to some attribute which
> contains said DN and cert-data.   

  That's possible.  See raddb/sites-available/default in recent
releases.  Look for the "TLS-*" comments in the post-auth section.

> The ultimate goal of all of this is to allow the continued use of LDAP and
> store the certificates (to be compared against) in the tree and not on some
> filesystem basis. 

  That's thinking about it wrong.  You don't "compare" certificates.
You verify certificates against a CA.  You check certificates against a
revocation list.

> Note that I want FreeRADIUS to continue supporting PAP user/pass auth, but
> only as a secondary fall-back (e.g.: customer doesn't have client cert
> installed on machine, but has a user and password).

  For what kind of system?  Wireless, or wired?

> Is this possible? Does this make sense to you? Let me know if I need to
> re-explain anything. 

  You need to correct your thinking and your vocabulary.  Certificates
don't work the way you seem to think.

  Alan DeKok.
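Added example for the two points in the reply above (verify against the CA and CRL; use the TLS-* attributes in post-auth), written as a FreeRADIUS 2.x configuration sketch. It is not part of this thread and not the stock raddb text. The base DN ou=people,dc=example,dc=com, the directory attribute x509SubjectDN, and the ${cadir} layout are assumptions; the other keys in the tls section are left as the stock eap.conf ships them.

```unlang
#  --- raddb/eap.conf, inside the "tls { ... }" section of the eap module ---
#  Trust in a client certificate comes from the issuing CA plus a
#  revocation check, not from comparing stored certificate bytes.
tls {
	ca_file   = ${cadir}/ca.pem    # CA that issued the client certificates
	ca_path   = ${cadir}           # directory holding the CRL(s), hashed with c_rehash
	check_crl = yes                # reject any certificate listed on the CRL
	#  ... remaining keys as in the stock file ...
}

#  --- raddb/sites-available/default, post-auth section ---
post-auth {
	#  TLS-Client-Cert-Subject is only present when EAP-TLS supplied a
	#  client certificate, so a PAP user/password request skips this
	#  block entirely and is handled by the normal authorize/authenticate
	#  path.  That is the "secondary fall-back" the question asks for.
	if (TLS-Client-Cert-Subject) {
		#  The certificate has already been verified against the CA and
		#  CRL by the time post-auth runs; this only confirms the subject
		#  DN is known to the directory.  Base DN and the attribute name
		#  x509SubjectDN are assumptions.
		if ("%{ldap:ldap:///ou=people,dc=example,dc=com?uid?sub?(x509SubjectDN=%{TLS-Client-Cert-Subject})}" == "") {
			reject
		}
	}
}
```

The LDAP entry here is a list of permitted subjects, not a second copy of the certificate: if the CA check or the CRL check fails, the request never reaches post-auth, so the directory lookup cannot accidentally admit a revoked or forged certificate.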
