Freeradius and OpenLDAP certificates

Alan DeKok aland at deployingradius.com
Tue Oct 3 14:12:25 UTC 2023


On Oct 3, 2023, at 10:05 AM, Stefan Kania <stefan at kania-online.de> wrote:
> I got Freeradius running with ldap-connection and Kerberos-authentication for searching the LDAP-tree.

  That's good.

> Authentication with radtest and a LDAP-user is working:

  That's good, but for future reference, you can't debug the server by looking at the client pass/fail output.  There's a lot more going on.

> Starting with OpenLDAP 2.5 you can create and manage user and host certificates with the overlay "autoca". You can copy your own CA and the key into OpenLDAP and then let OpenLDAP create the certificate and the key for users and hosts. The certificate will be stored in the attributes userCertificate;binary and userPrivateKey;binary; the certificate is in DER format. I now would like to use the certificates from OpenLDAP for authentication.
> 
> How can I use certificates located in OpenLDAP for user- and host- authentication?

  FreeRADIUS only needs the CA cert.  It doesn't need access to LDAP for all of the client certs.

  So put the CA cert into the FreeRADIUS configuration, and everything should just work.

  Alan DeKok.
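The following script is an added illustration of the point made in this reply and is not part of the original thread or of the FreeRADIUS or OpenLDAP projects. It stands in for the autoca overlay with plain openssl: it creates a CA (the one you would copy into OpenLDAP), issues a user certificate and stores it as DER (what userCertificate;binary holds), and then checks the DER certificate against the CA certificate alone, which is all a RADIUS server needs for EAP-TLS. It also shows that a well-formed user certificate from an unrelated CA is rejected. It assumes the openssl command-line tool is installed; all names, paths and subjects are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread. Requires the openssl CLI.
set -eu

# Scratch directory for the constructed CA, keys and certificates.
WORK="${WORK:-$(mktemp -d)}"

# Step 1: a CA. In the real setup this CA cert and key are copied into
# OpenLDAP for the autoca overlay; only the cert goes to the RADIUS server.
make_ca() {
    name="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example $name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.pem" >/dev/null 2>&1
}

# Step 2: a user certificate as autoca would issue it, stored as DER the way
# the userCertificate;binary attribute holds it. openssl plays the overlay here.
issue_user_cert() {
    user="$1"; ca="$2"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$user" \
        -keyout "$WORK/$user.key" -out "$WORK/$user.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$user.csr" \
        -CA "$WORK/$ca.pem" -CAkey "$WORK/$ca.key" -CAcreateserial \
        -days 90 -out "$WORK/$user.pem" >/dev/null 2>&1
    openssl x509 -in "$WORK/$user.pem" -outform DER -out "$WORK/$user.der"
}

# Step 3: the server-side check. During EAP-TLS the client presents its
# certificate; the server validates the chain against the CA cert only
# (ca_file in the FreeRADIUS tls-config) and never looks the cert up in LDAP.
# Returns 0 when the presented DER cert chains to "ca", 1 otherwise.
verify_user_cert() {
    der="$1"; ca="$2"
    openssl x509 -inform DER -in "$der" -out "$WORK/presented.pem"
    openssl verify -CAfile "$WORK/$ca.pem" "$WORK/presented.pem" >/dev/null 2>&1
}

# Demonstration: a cert from our CA passes, a cert from an unrelated CA fails
# even though it is a perfectly valid certificate on its own.
make_ca ca
issue_user_cert alice ca
if verify_user_cert "$WORK/alice.der" ca; then
    echo "alice: accepted (chains to our CA)"
else
    echo "alice: rejected"
fi

make_ca otherca
issue_user_cert bob otherca
if verify_user_cert "$WORK/bob.der" ca; then
    echo "bob: accepted"
else
    echo "bob: rejected (issued by a CA the server does not trust)"
fi
```

In FreeRADIUS terms, `make_ca`'s `ca.pem` is what you reference as `ca_file` in the `tls-config` section of `mods-available/eap`; the per-user certificates and private keys that autoca writes into LDAP stay on the client side and are never read by the server.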


