Fwd: How to configure RADIUS +LDAP using SASL/Certificate based binding instead of usernames and passwords

John Dennis jdennis at redhat.com
Tue Apr 9 14:11:29 CEST 2013

On 04/09/2013 03:44 AM, pramod kulkarni wrote:
> Hi,
> I am working on RADIUS with LDAP as backend for authenticating users.
> I configured rlm_ldap on RADIUS server with username and plaintext
> password and I am able to authenticate RADIUS client using LDAP.

There is a difference between using LDAP as a backend datastore (lookup 
passwords and password hashes after binding as a service) and using LDAP 
as an authentication oracle (binding as the user to determine if the user 
is authenticated depending on the bind result). From above it sounds 
like you've configured LDAP as a backend datastore.

> But I want to configure RADIUS server with certificates instead of using
> usernames and passwords.
> Please guide me how to achieve this, is there any help/doc how to
> configure LDAP SASL bind for RADIUS Server.
> Waiting for your inputs.
> Thanks and Regards,

You can't with the current rlm_ldap module bind to the LDAP server with 
anything other than a (username, password) pair, either for lookups or 
for authentication testing (only ldap_connect and ldap_simple_bind are 

However, rlm_ldap does support SSL/TLS connections to the LDAP server 
and you can specify that you want the LDAP server to request a client 
cert when establishing the connection. But ultimately you're still doing 
a simple bind albeit in a secure tunnel. If you specify you want the 
LDAP server to require a client cert then you effectively have two 
simultaneous authentication mechanisms in play (TLS for the tunnel and 
simple auth inside the tunnel). Setting up TLS auth is straightforward 
(see the options in raddb/modules/ldap) *except* for the fact the ldap 
library routines to set the require cert option are buggy (rlm_ldap uses 
the wrong entry point which may not be supported and the openldap 
library also has bugs, I think we've now got all these fixed and patches 
sent upstream to openldap, but you should be aware there is a 
reasonable chance it won't work on your distribution unless you've got 
patched libraries).

Even if SASL binds were supported you wouldn't want to use SASL binds 
for user authentication (if that was what you were asking, it's not 
clear from your original post). For user authentication based on 
certificates you would use EAP-TLS.

A long time ago I had a patch for using SASL binds, but it was against 
the old 1.1.7 version of rlm_ldap and it only supported GSSAPI.

John Dennis <jdennis at redhat.com>
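The two-layer setup described in the reply (a TLS tunnel that may carry a client certificate, with a plain simple bind by a service account inside it), shown as an added configuration example that is not part of the original mail or of the FreeRADIUS distribution. It assumes a FreeRADIUS 2.x raddb/modules/ldap file and an OpenLDAP slapd.conf; the host name, DNs, password and certificate paths are placeholders.

```conf
# Added example, not from the original thread. Placeholders throughout.

# --- raddb/modules/ldap (excerpt) ---------------------------------------
ldap {
	server = "ldap.example.org"                          # placeholder host
	# Service account used for the simple bind inside the TLS tunnel.
	# This is the "backend datastore" model: bind once as a service,
	# then look up user entries.
	identity = "cn=radius,ou=services,dc=example,dc=org"  # placeholder DN
	password = "CHANGE-ME"                               # placeholder
	basedn = "ou=people,dc=example,dc=org"               # placeholder

	tls {
		start_tls = yes
		# CA that signed the LDAP server's certificate.
		cacertfile = /etc/raddb/certs/ldap-ca.pem
		# Client certificate and key rlm_ldap presents in the TLS
		# handshake; only used if the server asks for one.
		certfile = /etc/raddb/certs/radius-ldap-client.pem
		keyfile  = /etc/raddb/certs/radius-ldap-client.key
		# How rlm_ldap verifies the *server* certificate:
		# "never", "allow" or "demand". This is the option the mail
		# warns may not work without patched libraries.
		require_cert = "demand"
	}
}

# --- slapd.conf (excerpt) ------------------------------------------------
TLSCACertificateFile  /etc/openldap/certs/ldap-ca.pem
TLSCertificateFile    /etc/openldap/certs/slapd.pem
TLSCertificateKeyFile /etc/openldap/certs/slapd.key
# "demand" rejects TLS sessions that do not present a client certificate
# signed by a CA in TLSCACertificateFile. Set this on the server side to
# get the "two mechanisms in play" behaviour: the client cert secures the
# tunnel, the simple bind above still authenticates the service account.
TLSVerifyClient demand
```

Whether a client certificate is required is decided by the LDAP server (TLSVerifyClient), not by rlm_ldap; rlm_ldap's require_cert only governs how strictly it checks the server's certificate. Keep the key file readable only by the user FreeRADIUS runs as, and verify with a plain STARTTLS connection first (for example with ldapsearch against the same CA file) before turning TLSVerifyClient up to demand, so a library bug in the require-cert path is not mistaken for a certificate problem.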
