FreeRadius+OpenLDAP
Posted by admin on 03 May 2009 at 06:33 pm | Tagged as: Centos 5.x, IT Stuff, Linux, authentication, ldap, openldap, radius
How to make freeradius use openldap as an authentication source.
This was tested on Centos 5.3. Freeradius and OpenLDAP were installed using the “Add/Remove Software” item on the Applications menu - no rocket science here! The article assumes that you already have a working ldap server (or see my article on Configuring OpenLDAP).
(1) In radiusd.conf edit the modules section for ldap so that it reads something like:
ldap {
	server = "myhost.mydomain.com"
	identity = "cn=manager,dc=mydomain,dc=com"
	password = mysecret
	basedn = "dc=mydomain,dc=com"
	filter = "(uid=%u)"
	start_tls = no
	access_attr = uid
	dictionary_mapping = ${raddbdir}/ldap.attrmap
	ldap_connections_number = 5
	timeout = 4
	timelimit = 3
	net_timeout = 1
}
(2) In the authorize section of radiusd.conf, find the line which starts with #ldap and remove the '#' so it reads just ldap.
(3) Again in radiusd.conf, but in the authentication section, find the lines:
#	Auth-Type LDAP {
#		ldap
#	}
and remove the '#' so these lines read
	Auth-Type LDAP {
		ldap
	}
(4) In the /etc/raddb/users file find the section which reads
DEFAULT Auth-Type = System
	Fall-Through = 1
and replace it with
DEFAULT Auth-Type = LDAP
	Fall-Through = 1
(5) Restart the radiusd daemon: /etc/init.d/radiusd restart
(6) Assuming that your /etc/raddb/clients.conf has a section that reads
client 127.0.0.1 {
	secret = testing123
	shortname = localhost
	nastype = other
}
and also that you have an entry in your ldap directory like
dn: uid=john,ou=users,dc=mydomain,dc=com
uid: john
cn: john
givenName: john
sn: doe
mail: john@mydomain.com
mailRoutingAddress: john@mail.prod.mydomain.com
mailHost: mail.prod.mydomain.com
objectClass: inetLocalMailRecipient
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$EwO.4wlT$n5KoIfFE8qcDcPAC12vxn2
shadowLastChange: 14360
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 503
gidNumber: 503
homeDirectory: /home/john
gecos: john doe
and that john's password is mysecret, you can test your radius configuration by executing
radtest john mysecret 127.0.0.1 10 testing123
You should see a reply like
Sending Access-Request of id 65 to 127.0.0.1 port 1812
User-Name = "jdoe"
User-Password = "secret"
NAS-IP-Address = 255.255.255.255
NAS-Port = 10
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=65, length=20