Check certificate revocation when using LDAP/TLS

Alan DeKok aland at deployingradius.com
Wed Mar 8 13:38:25 UTC 2023


On Mar 8, 2023, at 8:30 AM, Benjamin Bouilhac <bouilhac.benjamin at outlook.fr> wrote:
> My FreeRADIUS is talking to an LDAP directory (OpenLDAP) over TLS and I need to check the revocation status of the LDAP server's certificate using a CRL.

  That is really a property of the libldap library and its APIs.  That library handles all of the TLS magic for the LDAP protocol.

  The FreeRADIUS "tls" configuration just maps the configuration items to libldap API parameters.

> I tried adding check_crl in the tls section (of the LDAP module) but to no avail (see debug output below: check_crl is ignored when parsing the configuration):

  Yes.  If it's not documented as working, it doesn't work.

  A little google-fu shows this:

https://stackoverflow.com/questions/44409029/openldap-enabling-crl-check-for-ldap-tls-connections

  So it is possible to do, it just requires more code in rlm_ldap.  Patches are always welcome...

> I know checking the revocation status of EAP client's certificate is well supported (in mods-available/eap) but I was wondering whether checking the revocation status of "backend" servers' certificates was as well and if so what I did wrong.

  You did nothing wrong.  It's just not implemented.

  For EAP and RADIUS/TLS, FreeRADIUS implements EAP, RADIUS, and the interaction with TLS.  For LDAP, we just hand everything off to OpenLDAP, and it does the work.

  So if we implement some TLS checks for EAP, they pretty much work for free in RADIUS/TLS.  And we can't leverage that work for libldap, because the APIs are completely different.

  Alan DeKok.
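Added example (not part of the mail above, and not FreeRADIUS or rlm_ldap code): the libldap-side setting the linked Stack Overflow thread refers to lives in OpenLDAP's client configuration, not in the FreeRADIUS "tls" section. The fragment below is a constructed /etc/ldap/ldap.conf showing the default (no revocation checking) next to the hardened form; the CA and CRL file paths are placeholders, and the mail does not say whether rlm_ldap honours this global setting, so verify with the module's own debug output before relying on it.

```conf
# /etc/ldap/ldap.conf (OpenLDAP client defaults, read by libldap at startup)
# CA bundle used to validate the LDAP server's chain (placeholder path).
TLS_CACERT   /etc/ssl/certs/ldap-ca.pem
# Refuse the connection if the server certificate does not validate.
TLS_REQCERT  demand

# --- weak: default behaviour, revocation is never consulted ---
# TLS_CRLCHECK none

# --- hardened: check every certificate in the chain against a local CRL ---
# "peer" checks only the server's leaf certificate; "all" checks the whole chain.
TLS_CRLCHECK all
# PEM-encoded CRL issued by the CA above (placeholder path). Keep it refreshed;
# an expired CRL causes validation, and therefore the LDAP bind, to fail.
TLS_CRLFILE  /etc/ssl/crls/ldap-ca.crl.pem
```

TLS_CRLCHECK and TLS_CRLFILE are honoured only when libldap is built against OpenSSL. A simple smoke test is `ldapsearch -ZZ` (or an ldaps:// URI) with `-d 1` against a server whose certificate appears in the CRL: the bind should fail at the TLS handshake once the hardened lines are in place.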
