Hello Mark -

Certificates can be generated in pairs - a client side certificate and a matching server certificate. The server certificate is used on the server and the client certificate is used on the client. See the README file in the "certificates" sub-directory of the Radiator source distribution. There are sample certificates included in the "certificates" directory that you can use for testing.

regards

Hugh

On 20 Jul 2010, at 09:08, Mark Bassett wrote:

> I'm already looking at that section, but it doesn't say what the cert
> should be. This is the only relevant section and does not answer my
> question.
>
> What is the SSLCAClientCert? Is it supposed to be the same certificate
> as what is on the LDAP server? I have tried creating a self-signed cert
> and placing it in the config, but the connection always errors with no
> detail other than
>
> Mon Jul 19 15:51:50 2010: DEBUG: Handling with Radius::AuthLDAP2: CheckAD
> Mon Jul 19 15:51:50 2010: INFO: Connecting to blablabla.com:636
> Mon Jul 19 15:51:50 2010: ERR: Could not open LDAP connection to blablabla.com:636. Backing off for 600 seconds.
> Mon Jul 19 15:51:50 2010: DEBUG: AuthBy LDAP2 result: IGNORE, User database access error
>
>
> ---From ref.pdf---
>
> For AuthBy LDAP2, you also need to specify some additional parameters describing
> the location of certificate and private key files.
>
> # LDAP2: Enable SSL and tell it where to find certificates
> UseSSL
> # Name of the client certificate file:
> SSLCAClientCert /path/to/client/certificate.pem
> # Name of the file containing the client private key
> SSLCAClientKey /path/to/client/keyfile.pem
> # only need to set one of the following
> #SSLCAPath /path/to/CA/cert/dir
> SSLCAFile /path/to/file/containing/certificate/of/CA.pem
>
> Hint: You only need to set one of SSLCAFile or SSLCAPath, not both.
> Hint: All LDAP2 certificates are required to be in PEM format.
> Hint: If both UseSSL and UseTLS are specified, SSL will be used.
>
> -----Original Message-----
> From: Hugh Irvine [mailto:h...@open.com.au]
> Sent: Monday, July 19, 2010 4:00 PM
> To: Mark Bassett
> Cc: radiator@open.com.au
> Subject: Re: [RADIATOR] LDAPS Certificate questions with AuthBy LDAP2
>
>
> Hello Mark -
>
> See sections 5.36.3 and 5.36.4 in the Radiator 4.6 reference manual
> ("doc/ref.pdf").
>
> regards
>
> Hugh
>
>
> On 20 Jul 2010, at 08:42, Mark Bassett wrote:
>
>> My question is in regards to the SSLCAClientCert and SSLCAClientKey
>> parameters. What certificate files is it looking for? I have the CA
>> cert in /etc/openldap/cacerts.
>>
>> Do I just need to generate a local certificate for the radiator server
>> to use and provide its pem and key files?
>>
>> It's currently working now with SSLVerify none, but I would like to
>> require verification.
>>
>> <AuthBy LDAP2>
>>     Identifier CheckAD
>>     Host blablablaa
>>
>>     #SSLeayTrace 4
>>     #Debug 255
>>     Version 3
>>     # Microsoft AD also listens on port 3268, and
>>     # requests received on that port are reported to be
>>     # more compliant with standard LDAP, so you may want to use:
>>     Port 636
>>     UseSSL
>>     SSLVerify none
>>     SSLCAPath /etc/openldap/cacerts
>>     AuthDN CN=BlaBlaBla,DC=com
>>     # AuthPassword yourADadminpasswordhere
>>     AuthPassword BLAHBLAH
>>     BaseDN dc=blah,dc=com
>>     ServerChecksPassword
>>     UsernameAttr sAMAccountName
>>     #PasswordAttr userPassword
>>     #AuthAttrDef logonHours,MS-Login-Hours,check
>> </AuthBy>
>>
>>
>> _______________________________________________
>> radiator mailing list
>> radiator@open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive
> (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> Includes support for reliable RADIUS transport (RadSec),
> and DIAMETER translation agent.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.


_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
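What a working set of files for the SSLCAFile / SSLCAPath / SSLCAClientCert / SSLCAClientKey parameters looks like, as an added example written for this edit (a shell script using the openssl command line, not Radiator's own code and not from anyone in the thread): it builds a throwaway CA, issues a client certificate for the Radiator host, shows why an SSLCAPath directory needs hash links rather than just a PEM file, checks that the key file belongs to the certificate file, and writes an AuthBy LDAP2 stanza with verification turned on. The host names (radiator.example.com, dc.example.com), the ./pki directory and the value "SSLVerify require" are assumptions; confirm the accepted SSLVerify values in doc/ref.pdf for your Radiator version.

```shell
#!/bin/sh
# Added example for this edit, not code from Radiator or from the thread.
# Builds a throwaway CA, issues a client certificate for the Radiator host,
# and checks the files the SSLCA* parameters point at. The names below
# (radiator.example.com, dc.example.com, ./pki) are made up for the demo.
set -eu

PKI=${PKI:-./pki}

# A private test CA. Its certificate is what SSLCAFile (or SSLCAPath) names;
# basicConstraints CA:TRUE is what lets OpenSSL accept it as an issuer.
make_test_ca() {
    mkdir -p "$PKI"
    cat > "$PKI/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Test Lab CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -config "$PKI/ca.cnf" -newkey rsa:2048 -nodes \
        -days 365 -keyout "$PKI/ca.key" -out "$PKI/ca.pem" 2>/dev/null
}

# Client certificate for the Radiator host, signed by the test CA:
# SSLCAClientCert -> client.pem, SSLCAClientKey -> client.key.
issue_client_cert() {
    host=$1
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' \
        "$host" > "$PKI/client.cnf"
    printf 'extendedKeyUsage = clientAuth\nsubjectAltName = DNS:%s\n' \
        "$host" > "$PKI/client.ext"
    openssl req -new -config "$PKI/client.cnf" -newkey rsa:2048 -nodes \
        -keyout "$PKI/client.key" -out "$PKI/client.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$PKI/client.csr" \
        -CA "$PKI/ca.pem" -CAkey "$PKI/ca.key" -CAcreateserial \
        -extfile "$PKI/client.ext" -out "$PKI/client.pem" 2>/dev/null
}

# SSLCAPath directories are searched by subject hash, so a bare PEM copy
# such as /etc/openldap/cacerts/ca.pem is not enough: OpenSSL looks for a
# <hash>.0 link (c_rehash / "openssl rehash" create the same links).
make_capath() {
    mkdir -p "$PKI/cacerts"
    cp "$PKI/ca.pem" "$PKI/cacerts/ca.pem"
    hash=$(openssl x509 -hash -noout -in "$PKI/ca.pem")
    ln -sf ca.pem "$PKI/cacerts/$hash.0"
}

# Chain checks: the same test SSLVerify applies to the server's certificate.
verify_with_cafile() { openssl verify -CAfile "$PKI/ca.pem" "$1" >/dev/null 2>&1; }
verify_with_capath() { openssl verify -CApath "$PKI/cacerts" "$1" >/dev/null 2>&1; }

# The key file must belong to the certificate file: compare public keys.
key_matches_cert() {
    c=$(openssl x509 -noout -pubkey -in "$PKI/client.pem")
    k=$(openssl pkey -pubout -in "$PKI/client.key")
    [ "$c" = "$k" ]
}

# Verifying stanza. "SSLVerify require" is assumed from the thread's wording;
# confirm the accepted values in doc/ref.pdf for your Radiator version.
write_stanza() {
    cat > "$PKI/ldap2.conf" <<EOF
<AuthBy LDAP2>
    Identifier CheckAD
    Host dc.example.com
    Port 636
    Version 3
    UseSSL
    # "SSLVerify none" accepts whatever certificate the AD server presents
    SSLVerify require
    SSLCAFile $PKI/ca.pem
    SSLCAClientCert $PKI/client.pem
    SSLCAClientKey $PKI/client.key
    # AuthDN, AuthPassword, BaseDN and the rest as in the original stanza
</AuthBy>
EOF
}

demo() {
    make_test_ca
    issue_client_cert radiator.example.com
    make_capath
    verify_with_cafile "$PKI/client.pem" && echo "client.pem chains to ca.pem (CAfile)"
    verify_with_capath "$PKI/client.pem" && echo "client.pem chains to ca.pem (CApath)"
    key_matches_cert && echo "client.key matches client.pem"
    write_stanza && echo "wrote $PKI/ldap2.conf"
}

demo
```

In production the CA is whatever signed the domain controller's LDAPS certificate, so SSLCAFile points at that CA's PEM rather than a lab CA, and the client certificate and key only come into play if the directory server is configured to request one; the part that makes Radiator check the server is SSLVerify together with SSLCAFile or SSLCAPath. Running `openssl s_client -connect dc.example.com:636 -CAfile ca.pem` against the real server and looking for "Verify return code: 0 (ok)" is the quickest way to confirm the CA file before switching SSLVerify away from none, and the same output shows the server's certificate chain when the ERR line above gives no detail.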