I'm trying to configure an LDAP authentication to a server, and I have the following guidance -
Binds are only permitted via certificate based authentication (i.e. setting up a service account for you in our Whitepages LDAP store which will allow you to connect to it via a client certificate). (note: this example utilizes ForgeRock's OpenDJ ldapsearch tool, but any ldap query tool that supports certificates can be used in its place):

    ldapsearch -h whitepages.xxxx.xxx -p 636 --baseDN ou=people,dc=xxxx --useSSL --useSASLExternal
      --certNickName <Insert Cert Nickname Here>   # nickname of your certificate inside the keystore.jks
      --keyStorePath /path/to/keystore.jks          # java key store containing your certificate
      --keyStorePasswordFile keystore.pin           # plain text file containing the password to keystore.jks
      --trustStorePath /path/to/truststore.jks      # java key store file containing Whitepages public certificate
      --trustStorePasswordFile truststore.pin       # plain text file containing the password to truststore.jks
      uid=service.account.name,ou=people, etc

However... the goodies file "ldap-sasl.cfg" states:

    # When UseSASL is enabled, AuthBy LDAP 2 will send the SASLUser and
    # SASLPassword to the LDAP server when it does an LDAP bind prior to
    # searching for the Radius user to authenticate.

And in the manual, "Optionally you can authenticate Radiator as a valid user of the LDAP server by specifying AuthDN and AuthPassword." and "If SASL authentication is specified, the LDAP server uses SASL to authenticate the SASL user credentials specified by SASLUser and SASLPassword. You must configure your LDAP server to enable SASL authentication, and to map SASL user names to LDAP server administrator names."

I need to bind, but won't be sending an AuthPassword or SASLPassword. Someone looked to be trying the same thing, I think, but it was never clearly resolved here, https://lists.open.com.au/pipermail/radiator/2013-April/019109.html where they asked "I would like to check a user in LDAP server using SASL bind with admin certificate basically a external bind mechanism."
Maybe I'm too worried about this, not knowing much about LDAP - should setting the "UseSSL" options just take care of this? I can't really test much because I have no control over the server, which is operated by another distant group, and we've never had an LDAP server here.

Thanks
--
Jonathan Klay
IT Specialist
PMEL CNSD
206 526-6766
_______________________________________________ radiator mailing list [email protected] https://lists.open.com.au/mailman/listinfo/radiator
