FreeRadius+OpenLDAP

Posted by admin on 03 May 2009 | Tagged as: Centos 5.x, IT Stuff, Linux, authentication, ldap, openldap, radius

How to make freeradius use openldap as an authentication source.
This was tested on Centos 5.3. Freeradius and OpenLDAP were installed using the “Add/Remove Software” item on the Applications menu - no rocket science here! The article assumes that you already have a working ldap server (or see my article on Configuring OpenLDAP).

(1) In radiusd.conf edit the modules section for ldap so that it reads something like:

ldap {
server = "myhost.mydomain.com"
identity = "cn=manager,dc=mydomain,dc=com"
password = mysecret
basedn = "dc=mydomain,dc=com"
filter = "(uid=%u)"
start_tls = no
access_attr = uid
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
}

(2) In the authorize section of radiusd.conf, find the line which starts with #ldap and remove the '#' so it reads just ldap.

(3) Again in radiusd.conf, but in the authentication section, find the lines:

# Auth-Type LDAP {
#     ldap
#}

and remove the '#' so these lines read

Auth-Type LDAP {
     ldap
}

(4) In the /etc/raddb/users file find the section which reads

DEFAULT Auth-Type = System
     Fall-Through = 1

and replace it with

DEFAULT Auth-Type = LDAP
     Fall-Through = 1

(5) Restart the radiusd daemon: /etc/init.d/radiusd restart
(6) Assuming that your /etc/raddb/clients.conf has a section that reads

client 127.0.0.1 {
     secret = testing123
     shortname = localhost
     nastype = other
}

and also that you have an entry in your ldap directory like

dn: uid=john,ou=users,dc=mydomain,dc=com
uid: john
cn: john
givenName: john
sn: doe
mail: john@mydomain.com
mailRoutingAddress: john@mail.prod.mydomain.com
mailHost: mail.prod.mydomain.com
objectClass: inetLocalMailRecipient
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$EwO.4wlT$n5KoIfFE8qcDcPAC12vxn2
shadowLastChange: 14360
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 503
gidNumber: 503
homeDirectory: /home/john
gecos: john doe

and that john's password is mysecret, you can test your radius configuration by executing

radtest john mysecret 127.0.0.1 10 testing123

You should see a reply like

Sending Access-Request of id 65 to 127.0.0.1 port 1812
    User-Name = "john"
    User-Password = "mysecret"
    NAS-IP-Address = 255.255.255.255
    NAS-Port = 10
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=65, length=20

Basic freeradius Configuration

Posted by admin on 03 May 2009 | Tagged as: Centos 5.x, IT Stuff, authentication, radius

This is a very basic configuration for freeradius to allow authentication from passwd and shadow files. It has been tested on Centos 5.3.

(1) The freeradius configuration files are usually in /etc/raddb; make a subdirectory /etc/raddb/etc
(2) copy your /etc/passwd and /etc/shadow files to /etc/raddb/etc
(3) edit the /etc/raddb/etc/passwd and /etc/raddb/etc/shadow files to remove all entries except for those that you want to authenticate with radius
(4) edit the /etc/raddb/radiusd.conf file; find the section:

unix {
...

and set the values for the passwd and shadow files so they read:

passwd = /etc/raddb/etc/passwd
shadow = /etc/raddb/etc/shadow

(5) save radiusd.conf
(6) make sure the radiusd user (the CentOS package runs the daemon as user and group radiusd) can read the files, without making the copied shadow file and its password hashes readable by every other account on the box. Note that a recursive chmod 644 would also strip the execute bit from the directory and make it untraversable:

chown -R root:radiusd /etc/raddb/etc
chmod 750 /etc/raddb/etc
chmod 640 /etc/raddb/etc/passwd /etc/raddb/etc/shadow

(7) check the /etc/raddb/users file to ensure that the following exists:

DEFAULT Auth-Type = System
     Fall-Through = 1

(8) Assuming you have entries in /etc/raddb/etc/passwd and /etc/raddb/etc/shadow for a user ‘jdoe’ with a password of ‘secret’, you can test your radius configuration by:
(a) start the radius daemon with ‘/etc/init.d/radiusd start’; you should see some output something like:

[root@myserver raddb]# /etc/init.d/radiusd start
Starting RADIUS server: Sun May  3 13:26:37 2009 : Info: Starting - reading configuration files … [  OK  ]

(b) execute the command ‘radtest jdoe secret 127.0.0.1 10 testing123’. Assuming it all works you should see output something like:

[root@myserver raddb]# radtest jdoe secret 127.0.0.1 10 testing123
Sending Access-Request of id 65 to 127.0.0.1 port 1812
    User-Name = "jdoe"
    User-Password = "secret"
    NAS-IP-Address = 255.255.255.255
    NAS-Port = 10
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=65, length=20

Note that the radius client password (testing123 above) is the cleartext secret specified for that client in clients.conf, and the nas-port-number parameter can be any value between 0 and 2^31, so 10 is fine.

If you received the Access-Accept message then congratulations, you have radius working; if not, go back and check your configuration and permissions.
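As an added example (not part of either post, and not FreeRADIUS's own code), here is a small Python client that builds the same PAP Access-Request that the radtest commands in both posts send, hides the password with the clients.conf secret as RFC 2865 requires, and verifies the Response Authenticator of the reply so that an Access-Accept is only trusted when it was produced by a server holding the shared secret. The host 127.0.0.1, port 1812, NAS-Port 10 and secret testing123 are taken from the posts; build_reply is a hypothetical server-side helper included only so the check can be exercised offline.

```python
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5

def hide_password(password, secret, authenticator):
    # RFC 2865 5.2: XOR each padded 16-byte block with MD5(secret + previous block), seeded by the Request Authenticator.
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(user, password, secret, nas_port, ident):
    # Same attributes radtest sends; returns (packet, request_authenticator).
    auth = os.urandom(16)
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret.encode(), auth))
             + attr(NAS_IP_ADDRESS, socket.inet_aton("127.0.0.1"))
             + attr(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs, auth

def build_reply(code, ident, request_auth, secret, attrs=b""):
    # Hypothetical server-side helper (RFC 2865 3): ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret.encode()).digest() + attrs

def response_is_authentic(reply, ident, request_auth, secret):
    # Only a peer holding the clients.conf secret can produce a matching Response Authenticator.
    if len(reply) < 20 or reply[1] != ident or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    return build_reply(reply[0], ident, request_auth, secret, reply[20:]) == reply

def radtest(user, password, host, nas_port, secret, timeout=3.0):
    packet, auth = build_access_request(user, password, secret, nas_port, ident=65)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (host, 1812))
        reply, _ = s.recvfrom(4096)
    if not response_is_authentic(reply, 65, auth, secret):
        return "unauthenticated reply (wrong shared secret?)"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(reply[0], "other")
```

Calling radtest("jdoe", "secret", "127.0.0.1", 10, "testing123") against the server configured above should return "Access-Accept"; a wrong secret in clients.conf shows up as a reply that fails the authenticator check rather than as a silent success.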

(9) You can have the radius daemon start automatically by executing ‘chkconfig radiusd on’