Freeradius and OpenLDAP certificates

Stefan Kania stefan at kania-online.de
Tue Oct 3 14:34:36 UTC 2023



On 03.10.23 at 16:12, Alan DeKok wrote:
> On Oct 3, 2023, at 10:05 AM, Stefan Kania <stefan at kania-online.de> wrote:
>> I got Freeradius running with ldap-connection and Kerberos-authentication for searching the LDAP-tree.
> 
>    That's good.
> 
>> Authentication with radtest and a LDAP-user is working:
> 
>    That's good, but for future reference, you can't debug the server by looking at the client pass/fail output.  There's a lot more going on.
> 
>> Starting with OpenLDAP 2.5 you can create and manage user and host certificates with the overlay "autoca". You can copy your own CA and the key into OpenLDAP and then let OpenLDAP create the certificate and the key for users and hosts. The certificate will be stored in the attributes userCertificate;binary and userPrivateKey;binary; the certificate is in DER format. I now would like to use the certificates from OpenLDAP for authentication.
>>
>> How can I use certificates located in OpenLDAP for user- and host- authentication?
> 
>    FreeRADIUS only needs the CA cert.  It doesn't need access to LDAP for all of the client certs.
> 
>    So put the CA cert into the FreeRADIUS configuration, and everything should just work.

That's what I did. I put the CA certificate and the key into the 
subdirectory certs/ and that is working :-). But now I would like to use 
client certificates instead of username+password. So both the server 
certificate and the client certificate are from the same CA. So the 
client sends its certificate to the RADIUS server and the server checks 
whether the certificate belongs to the client or not and checks that the 
certificate is valid with the root certificate of my CA. Is this right?

But what I'm looking for is how to configure FreeRADIUS to only use 
certificates and not username+password. Or did I understand this type of 
authentication totally wrong :-(

Stefan
> 
>    Alan DeKok.
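The check Stefan describes (the client presents a certificate, the server validates it against the CA it was configured with) can be reproduced offline with openssl. The script below is an added example, not code from the thread, from FreeRADIUS or from OpenLDAP: it builds a throwaway lab CA that stands in for the CA copied into OpenLDAP for autoca, issues a server cert and two client certs (one from the lab CA, one from an unrelated CA), stores the client certs DER-encoded the way autoca stores userCertificate;binary, and runs the same chain validation FreeRADIUS's TLS layer performs against ca_file. It also writes a minimal eap module fragment in the FreeRADIUS 3.x tls-config layout; only the CA cert and the server's own cert/key go into it, no client certs. All names (lab, rogue, stefan, mallory, the working directory) are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): emulate what FreeRADIUS's EAP-TLS layer does
# with a client certificate. A throwaway CA stands in for the CA that was copied
# into OpenLDAP for the autoca overlay; client certs are stored DER-encoded, as
# autoca stores userCertificate;binary. All file and subject names are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Silence openssl chatter; failures still propagate through exit codes.
q() { "$@" >/dev/null 2>&1; }

# Constructed lab CA (this is what FreeRADIUS gets as ca_file). Self-signed via
# x509 -req -extfile so the CA extensions do not depend on the system openssl.cnf.
make_ca() {  # $1 = basename, $2 = CN
    q openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$2"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1.ext"
    q openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 -extfile "$1.ext" -out "$1.pem"
}

# Constructed end-entity certificate signed by a given CA ($3 = clientAuth or serverAuth).
issue_cert() {  # $1 = CA basename, $2 = CN (also used as file basename), $3 = EKU
    q openssl req -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.csr" -subj "/CN=$2"
    printf 'extendedKeyUsage=%s\nkeyUsage=digitalSignature,keyEncipherment\n' "$3" > "$2.ext"
    q openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
        -days 30 -extfile "$2.ext" -out "$2.pem"
}

# autoca keeps the certificate DER-encoded in userCertificate;binary; emulate that.
to_der() { q openssl x509 -in "$1" -outform DER -out "$2"; }

# The check the RADIUS server performs: does the presented (DER) client certificate
# chain to the configured CA and carry a client-auth purpose? 0 = accepted, 1 = rejected.
verify_client_cert() {  # $1 = ca_file (PEM), $2 = DER client cert
    q openssl x509 -inform DER -in "$2" -out "$2.pem" || return 1
    q openssl verify -CAfile "$1" -purpose sslclient "$2.pem"
}

# EAP-TLS identifies the user by the certificate, not by a password; the subject
# CN is the identity you would match against (e.g. the LDAP entry's uid).
client_cn() {  # $1 = DER client cert
    openssl x509 -inform DER -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=CN=//p'
}

# Minimal eap module fragment in the FreeRADIUS 3.x layout: the CA cert plus the
# server's own cert and key. Client certificates never appear in the config.
write_eap_tls_fragment() {  # $1 = certs dir, $2 = output file
    cat > "$2" <<EOF
eap {
    default_eap_type = tls
    tls-config tls-common {
        private_key_file = $1/server.key
        certificate_file = $1/server.pem
        ca_file          = $1/lab.pem
        # Switch on once the CA publishes a CRL; otherwise revoked client certs stay valid.
        check_crl = no
    }
    tls {
        tls = tls-common
    }
}
EOF
}

# Demo: lab CA issues the server cert and stefan's client cert; an unrelated CA
# issues mallory's. Only the lab-signed client cert must be accepted.
make_ca lab "Example Lab CA"
make_ca rogue "Some Other CA"
issue_cert lab server serverAuth
issue_cert lab stefan clientAuth;   to_der stefan.pem stefan.der
issue_cert rogue mallory clientAuth; to_der mallory.pem mallory.der
write_eap_tls_fragment "$WORK" "$WORK/eap"

verify_client_cert lab.pem stefan.der  && echo "stefan.der: accepted, CN=$(client_cn stefan.der)"
verify_client_cert lab.pem mallory.der || echo "mallory.der: rejected, not issued by the lab CA"
echo "eap fragment written to $WORK/eap"
```

Run it as `sh eap-tls-check.sh`; set `WORK=/some/dir` to keep the generated files. The negative case is the one worth keeping an eye on: a certificate that is syntactically fine and even carries a plausible CN is still rejected when it does not chain to the CA named in ca_file, which is exactly why the server never needs the client certificates themselves, only the CA.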