Fwd: How to configure RADIUS +LDAP using SASL/Certificate based binding instead of usernames and passwords

John Dennis jdennis at redhat.com
Wed Apr 10 16:52:21 CEST 2013

On 04/10/2013 12:03 AM, pramod kulkarni wrote:
>     Thanks John for the reply.
>     can I use EAP-TLS method of authentication with LDAP as backend
>     datastore to check usernames and passwords.
>     It would be like I bind to RADIUS server with EAP-TLS method using
>     certificate and check usernames and passwords from LDAP server
>     if yes on EAP-TLS can you please tell me how to configure EAP-TLS
>     with LDAP as backend datastore.

This is a nonsensical question; EAP-TLS uses certificates. You do not 
yet understand some of the basics. You need to invest some time in 
learning what the authentication mechanisms are and how they 
operate, this is a good starting place.


>     Basically I want to avoid hardcoded usernames and passwords in raddb
>     of RADIUS server for authenticating users which I am doing currently.

What the configuration block in modules/ldap is setting up is how the 
radius server can communicate with the LDAP server in a peer-to-peer 
relationship. The LDAP server has to know who the radius server is and 
if it has permission to access other users' passwords and password 
hashes. Therefore radiusd must authenticate to LDAP. This process is 
completely *independent* of any of the authentication protocols, it's 
merely establishing if radius can view certain data.

The way rlm_ldap is currently coded only simple binds (i.e. password 
based) are supported, therefore you must store a password in raddb. You 
are correct this is a security issue, however only root and the radius 
process should be able to read the file. On our systems we make sure the 
permissions and identities the processes run under assure this; if 
you've installed via some other mechanism it behooves you to assure the 
radius user and group are properly configured as well as the file 
permissions on the config files. And by the way, no, I won't tell you how 
to do this, it's system admin 101. I'm pretty sure the defaults assure 
this as well, but I haven't verified.

There are other ways to establish the trust between radiusd and LDAP 
besides simple binds which do not involve passwords. All of these use 
SASL in some form. Unfortunately rlm_ldap does not support them. I know 
Alan rewrote rlm_ldap recently for the upcoming 3.0 version, I don't 
know if SASL support was added or not. In any event this is an open 
source project and if you want this functionality then the usual mantra 
"Patches Welcome" applies.

Oh, and by the way just in case you're confused as to the TLS parameters 
in the ldap config, they have nothing to do with binding (i.e. 
authenticating radiusd to LDAP), their purpose is to establish a secure 
tunnel between radiusd and LDAP. You can request the tunnel only be 
established if certificate based authentication succeeds but a simple 
bind will still be performed inside the tunnel.



John Dennis <jdennis at redhat.com>
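A defender's check for the point raised above, added here as an example and not part of the original post: it walks a FreeRADIUS raddb tree for files that carry a `password =` directive (such as modules/ldap) and reports any whose mode lets users other than the owner and group read them. The raddb path and the sample module files are constructed assumptions, not real configuration.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): audit a raddb tree for
# config files that hold a bind password (e.g. modules/ldap) and whose mode
# lets anyone besides the owner and the radius group read them.
# The raddb path and the sample config below are constructed assumptions.

# audit_raddb DIR
# Prints every file under DIR containing a "password = ..." directive whose
# "other" permission bits are non-zero. Returns 0 if nothing is exposed,
# 1 if at least one file is.
audit_raddb() {
    raddb="$1"
    status=0
    # Only files that actually carry a secret are interesting.
    for f in $(grep -rlE '^[[:space:]]*password[[:space:]]*=' "$raddb" 2>/dev/null || true); do
        # GNU stat first, BSD stat as fallback; %a / %Lp print the octal mode.
        mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
        other=$(printf '%s' "$mode" | tail -c 1)   # last digit = "other" bits
        if [ "$other" != "0" ]; then
            echo "EXPOSED: $f (mode $mode) is readable by everyone"
            status=1
        fi
    done
    return "$status"
}

# demo_raddb: build a throwaway raddb with one exposed and one safe module
# file, run the audit, then clean up. Values are placeholders, not real creds.
demo_raddb() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/modules"
    printf 'ldap {\n\tserver = "ldap.example.com"\n\tidentity = "cn=radius,dc=example,dc=com"\n\tpassword = "PLACEHOLDER"\n}\n' \
        > "$tmp/modules/ldap"
    chmod 644 "$tmp/modules/ldap"   # world-readable: must be flagged
    printf 'sql {\n\tpassword = "PLACEHOLDER"\n}\n' > "$tmp/modules/sql"
    chmod 640 "$tmp/modules/sql"    # owner + group only: passes
    if audit_raddb "$tmp"; then
        echo "no exposed bind passwords under $tmp"
    fi
    rm -rf "$tmp"
}

demo_raddb
```

Run it against a real installation with `audit_raddb /etc/raddb` (or wherever raddb lives); a non-zero exit means a stored bind password is readable beyond root and the radius group.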