How to configure RADIUS +LDAP using SASL/Certificate based binding instead of usernames and passwords

Olivier Beytrison olivier at
Fri Apr 19 11:00:26 CEST 2013

On 19.04.2013 10:35, pramod kulkarni wrote:
> Thanks for the reply.
> I am new to FreeRadius and doing analysis on how to remove The
> "identity" and "password" attributes of LDAP module in
> radiusd.config and still be able to authenticate and authorize LDAP users.

Is that really an issue for you ? set restrictive permission on the file
so that only root and freeradius can read the admin credentials for the
ldap server. And do not let people log as root. Everyone do that. It
works fine.

> Is there any other option/configuration to avoid usernames and plain
> text passwords in the module ldap of radiusd.conf for authenticating and
> authorizing users of LDAP database ?

Afaik no

> I tried EAP-TLS method but didn't get proper result,can I use LDAP as
> database for EAP-TLS method,as one of forum answers is no

That's something else. EAP-TLS is how the user authenticate to the
radius server. Not how the radius server bind to the ldap server.

BUT you could do EAP-TLS without user/password (for the user) and check
the validity of the certificate against an LDAP server that allows to
retrieve those information anonymously (removing the need to have
credentials written in the ldap module). But then it's your ldap server
who can leak informations.

>  I would like to use a certificate (admin) to bind to the LDAP database
> using FreeRadius because admin has the authority to traverse the LDAP tree.

Not supported at the moment.

>  After binding using certificate i would like to  Authenticate different
> users of LDAP using "radclient.exe -d ..\etc\raddb -f radtest.txt -x -s
> auth testing1"

This will work with radclient which do PAP. This won't work with
wireless client who does EAP.

> if as per replies only LDAP simpile bind is possible ,how to compile
> OpenLDAP+SASL+FreeRadius on Windows only through cygwin ? or any other
> option

If you do PAP and want to authenticate against your ldap, the only
option is simple-bind at the moment. As usual, "Patches Welcome".
As for compiling on cygwin, I can't tell you if that's supported nor

On a final note, people have been using ldap with credentials in a file
for ages. It's down to the security of the server and the filesystem
permission to ensure that only authorized users can access this file.


 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mail: olivier at

More information about the Freeradius-Users mailing list