Modifying the LDAP Module

You need to modify the following attributes in the ldap module in the install_path/etc/raddb/radiusd.conf file:

Attribute: server
Value: hostname or IP address
Remarks: Specify either the hostname or the IP address of the LDAP server, depending on whether the eDirectory LDAP server certificate was created with SSL CertificateDNS or SSL CertificateIP. The server name you use here must match the server name in the subject DN of the eDirectory LDAP server certificate; with tls_require_cert set to demand, a mismatch makes certificate verification, and therefore the bind, fail.

By default, the eDirectory LDAP server uses SSL CertificateDNS.

Attribute: identity
Value: FDN of the RADIUS Server object in eDirectory
Remarks: The DN the RADIUS server binds with to search for users and read their attributes.

Attribute: password
Value: password of the RADIUS Server object in eDirectory
Remarks: The password is stored in clear text in radiusd.conf, so restrict read access to the file to the account that runs the RADIUS server.

Attribute: basedn
Value: The DN of the container that stores the RADIUS users and profile objects
Remarks: The RADIUS server looks for objects in the subtree under this basedn. If you want multiple search bases, create multiple LDAP modules; for an example, refer to Example for Creating Multiple Instances of LDAP Module.

Attribute: filter
Value: (cn=%{Stripped-User-Name:-%{User-Name}})
Remarks: The search filter that selects the user object. Stripped-User-Name (the user name with the realm removed) is used when the request has it; otherwise the value of User-Name is used.

Attribute: start_tls
Value: yes
Remarks: Negotiates TLS on the standard LDAP port 389 by using the StartTLS extended operation.

IMPORTANT: Make sure that the tls_mode attribute is commented out and port is set to 389.

Attribute: tls_mode
Value: conditional
Remarks: Creates an LDAP over TLS (ldaps) connection on port 636.

IMPORTANT: Make sure that the start_tls attribute is commented out and port is set to 636.

Attribute: tls_cacertfile
Value: Path to the self-signed certificate of the CA that issued the certificate of the eDirectory LDAP server
Remarks: The RADIUS server uses this certificate to verify the eDirectory server certificate when TLS is enabled. Without it, the server certificate cannot be verified.

Attribute: tls_require_cert
Value: demand
Remarks: Requires a valid server certificate. The connection is refused if the eDirectory server presents no certificate, a certificate not issued by the CA in tls_cacertfile, or a certificate whose server name does not match the server attribute.

Attribute: dictionary_mapping
Value: ${raddbdir}/ldap.attrmap
Remarks: Maps RADIUS dictionary attributes to LDAP attributes.

Attribute: password_attribute
Value: nspmPassword
Remarks: By setting the value of this attribute to nspmPassword, you configure FreeRADIUS to enable users to use their universal passwords for RADIUS authentication.

NOTE: LDAP attribute names are not case sensitive, so you can write either nspmPassword or nspmpassword.

IMPORTANT: Ensure that you have enabled universal password for eDirectory. For more information, refer to Prerequisites for Configuring the FreeRADIUS Server.

Attribute: edir_account_policy_check
Value: yes
Remarks: The eDirectory account policy check is enabled by default. Setting this attribute to no disables the eDirectory account policy check and intruder detection for logins through RADIUS.

NOTE: If a user has grace logins, they are used up when the user authenticates through RADIUS. This might lock the user's account without warning.

The advantages of the eDirectory account policy check are:

  • The existing eDirectory policies on the user accounts are still applied after integrating with RADIUS.
  • eDirectory intruder detection is enabled.

IMPORTANT: If the performance of the RADIUS servers is low, you can disable the eDirectory account policy check, but RADIUS logins then bypass the eDirectory account policies and intruder detection.

Attribute: access_attr
Value: dialupAccess
Remarks: By setting the value of this attribute to dialupAccess, you configure FreeRADIUS to allow or deny access to a user based on that attribute, which should be present and set to either true or false on each user object; a user whose dialupAccess attribute is missing or false is rejected. If you do not want to use this attribute to control access, comment out access_attr = dialupAccess.

For procedural steps to set this attribute on a user, see Modifying RADIUS Users.
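The filter is an xlat template: the name taken from the request is substituted into it before the search is sent. As an added example (not code from this page or from FreeRADIUS), the following Python models the two things that matter for that substitution: the ':-' fallback from Stripped-User-Name to User-Name, and the escaping of LDAP filter metacharacters in the substituted value, which rlm_ldap applies so that a crafted User-Name cannot change the structure of the search filter. The escape table is the one from RFC 4515; that FreeRADIUS's own escaping is equivalent for these characters is an assumption of the example.

```python
"""Expansion of the rlm_ldap 'filter' setting with Stripped-User-Name fallback.

Added example, not code from the page or from FreeRADIUS. It models how the
search filter is built from
    (cn=%{Stripped-User-Name:-%{User-Name}})
  * the xlat ':-' operator: use Stripped-User-Name when the request has it,
    otherwise fall back to User-Name, and
  * escaping of the substituted value, so that LDAP filter metacharacters in
    a User-Name are matched literally instead of being parsed as filter syntax.
The escaping follows RFC 4515 (backslash + two hex digits); equivalence with
FreeRADIUS's own escape function for these characters is assumed.
"""
import re

FILTER_TEMPLATE = "(cn=%{Stripped-User-Name:-%{User-Name}})"

# RFC 4515: these characters must be escaped inside an assertion value.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# Matches %{Attr} and %{Attr:-%{Fallback}} (one level of fallback is all the
# page's filter needs).
_XLAT = re.compile(r"%\{([A-Za-z0-9-]+)(?::-%\{([A-Za-z0-9-]+)\})?\}")


def ldap_filter_escape(value: str) -> str:
    """Escape a string for use as an LDAP filter assertion value."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def expand_filter(template: str, request: dict) -> str:
    """Expand %{...} references in an LDAP filter template.

    request maps RADIUS attribute names (as in the request packet) to values.
    Every substituted value is filter-escaped.
    """
    def repl(m: re.Match) -> str:
        primary, fallback = m.group(1), m.group(2)
        value = request.get(primary)
        if value is None and fallback is not None:
            value = request.get(fallback)
        if value is None:
            value = ""  # an unset attribute expands to the empty string
        return ldap_filter_escape(value)

    return _XLAT.sub(repl, template)


def search_filters() -> dict:
    """Constructed sample requests showing the fallback and the escaping."""
    cases = {
        # realm already stripped by an earlier module: the stripped name is used
        "stripped": {"User-Name": "alice@example.com", "Stripped-User-Name": "alice"},
        # no realm handling: fall back to User-Name
        "plain": {"User-Name": "bob"},
        # hostile name: '*', ')' and '(' are escaped, so they cannot close the
        # cn= assertion or open a new one; the value is matched literally
        "hostile": {"User-Name": "*)(dialupAccess=TRUE"},
    }
    return {name: expand_filter(FILTER_TEMPLATE, req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, flt in search_filters().items():
        print(f"{name:8s} {flt}")
```

The "hostile" case is the reason the escaping matters: without it, the metacharacters would become part of the filter syntax rather than of the value being compared against cn.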

For a more detailed explanation of these attributes, refer to the install_path/doc/rlm_ldap file.

After modifying the LDAP module, you need to enable the module in the authorize section and list 'ldap' in the post-auth section of the radiusd.conf file; the post-auth entry is required for the eDirectory account policy check. For more information, refer to:


Example of the Modified LDAP Module

ldap {
	server = "eDir.test.com"
	identity = "cn=admin,o=org"
	password = secret
	basedn = "o=org"
	filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
	base_filter = "(objectclass=radiusprofile)"
	# set this to 'yes' to use TLS encrypted connections
	# to the LDAP database by using the StartTLS extended
	# operation.
	# The StartTLS operation is supposed to be used with normal
	# ldap connections (port 389) instead of using ldaps (port 636)
	# connections. Do not set tls_mode when start_tls = yes.
	start_tls = yes
	tls_cacertfile = /opt/etc/raddb/certs/cacert.b64
	# tls_cacertdir = /path/to/ca/dir/
	# tls_certfile = /path/to/radius.crt
	# tls_keyfile = /path/to/radius.key
	# tls_randfile = /path/to/rnd
	tls_require_cert = "demand"
	# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
	# profile_attribute = "radiusProfileDn"
	access_attr = "dialupAccess"
	# Mapping of RADIUS dictionary attributes to LDAP
	# directory attributes.
	dictionary_mapping = ${raddbdir}/ldap.attrmap
	ldap_connections_number = 5
	#
	# NOTICE: The password_header directive is case sensitive
	#
	# password_header = "{clear}"
	#
	# The server can usually figure this out on its own, and pull
	# the correct User-Password or NT-Password from the database.
	#
	# Note that NT-Passwords MUST be stored as a 32-digit hex
	# string, and MUST start off with "0x", such as:
	#
	# 0x000102030405060708090a0b0c0d0e0f
	#
	# Without the leading "0x", NT-Passwords will not work.
	# This goes for NT-Passwords stored in SQL, too.
	#
	password_attribute = nspmPassword
	# groupname_attribute = cn
	# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
	# groupmembership_attribute = radiusGroupName
	timeout = 4
	timelimit = 3
	net_timeout = 1
	# compare_check_items = yes
	# do_xlat = yes
	# access_attr_used_for_allow = yes
	edir_account_policy_check = yes
}
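The IMPORTANT notes above (start_tls and tls_mode are mutually exclusive, the port has to match the one that is set, a TLS connection needs a CA certificate and tls_require_cert = demand, and the account policy check should stay on) are easy to get wrong by hand. The following Python is an added example, not code from this page or from FreeRADIUS: it reads the ldap block(s) out of a radiusd.conf-style text, including named instances written as ldap NAME { }, and reports violations of those rules before radiusd is restarted. Its configuration parser is an assumption of the example (one key = value per line, '#' comments) and is not FreeRADIUS's own parser; the sample configuration is constructed for the example, with a second instance that deliberately breaks the rules.

```python
"""Pre-flight check of rlm_ldap module blocks against the rules on this page.

Added example, not the page's or FreeRADIUS's own code. The parser is an
assumption of this example (one 'key = value' per line, '#' comments, blocks
written as 'ldap {' or 'ldap NAME {'), not FreeRADIUS's configuration parser.
"""
import re

_BLOCK_START = re.compile(r"^\s*ldap(?:\s+(\S+))?\s*\{")
_SETTING = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$")


def parse_ldap_modules(conf_text: str) -> dict:
    """Return {instance_name: {setting: value}} for every ldap module block."""
    modules, current, settings = {}, None, {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        start = _BLOCK_START.match(line)
        if start and current is None:
            current, settings = start.group(1) or "ldap", {}
        elif current is not None and line.strip() == "}":
            modules[current], current = settings, None
        elif current is not None and (m := _SETTING.match(line)):
            settings[m.group(1)] = m.group(2).strip('"')
    return modules


def lint_ldap_module(cfg: dict) -> list:
    """Return the problems found in one module block; [] means it passes."""
    problems = []
    start_tls = cfg.get("start_tls", "no").lower() == "yes"
    tls_mode = "tls_mode" in cfg
    port = cfg.get("port", "389")                      # rlm_ldap default port
    if start_tls and tls_mode:
        problems.append("start_tls and tls_mode are both set; comment one of them out")
    elif start_tls and port != "389":
        problems.append(f"start_tls = yes needs port = 389, found {port}")
    elif tls_mode and port != "636":
        problems.append(f"tls_mode needs port = 636, found {port}")
    elif not (start_tls or tls_mode):
        problems.append("no TLS: the bind password and attribute values cross the network in clear text")
    if start_tls or tls_mode:
        if not (cfg.get("tls_cacertfile") or cfg.get("tls_cacertdir")):
            problems.append("TLS without tls_cacertfile/tls_cacertdir: the server certificate cannot be verified")
        if cfg.get("tls_require_cert", "").lower() != "demand":
            problems.append("tls_require_cert is not 'demand': certificate checking is left to the LDAP library default")
    if cfg.get("edir_account_policy_check", "yes").lower() != "yes":
        problems.append("edir_account_policy_check = no: eDirectory intruder detection is off for RADIUS logins")
    if cfg.get("password_attribute", "").lower() != "nspmpassword":
        problems.append("password_attribute is not nspmPassword: universal passwords are not used")
    required = ("server", "identity", "password", "basedn", "filter")
    problems += [f"{key} is missing" for key in required if not cfg.get(key)]
    return problems


# Constructed sample: the first block follows the example on this page; the
# second sets both start_tls and tls_mode and turns the policy check off.
SAMPLE_CONF = """
modules {
    ldap {
        server = "eDir.test.com"
        identity = "cn=admin,o=org"
        password = secret
        basedn = "o=org"
        filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = yes
        tls_cacertfile = /opt/etc/raddb/certs/cacert.b64
        tls_require_cert = "demand"
        password_attribute = nspmPassword
        edir_account_policy_check = yes
    }
    ldap ldap2 {
        server = "10.0.0.5"
        identity = "cn=admin,o=org"
        password = secret
        basedn = "ou=branch,o=org"
        filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = yes
        tls_mode = conditional   # conflicts with start_tls
        port = 636
        password_attribute = nspmPassword
        edir_account_policy_check = no
    }
}
"""


def lint_conf(conf_text: str = SAMPLE_CONF) -> dict:
    """Lint every ldap instance in conf_text: {instance_name: [problems]}."""
    return {name: lint_ldap_module(cfg)
            for name, cfg in parse_ldap_modules(conf_text).items()}


if __name__ == "__main__":
    for name, problems in lint_conf().items():
        print(f"{name}: {'OK' if not problems else ''}")
        for problem in problems:
            print("  -", problem)
```

Run it against the real radiusd.conf by passing the file's contents to lint_conf; an empty list for an instance means that block satisfies every rule stated on this page.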


Example for Creating Multiple Instances of LDAP Module

If you want multiple search bases, you can create multiple instances of the LDAP module by using the following syntax in the modules section of radiusd.conf. Each instance has its own name (ldap1, ldap2, and so on) and its own set of attributes, for example a different basedn:

modules {
	...........
	...........

	ldap ldap1 {
		attribute = value
		attribute = value
		...............
		...............
	}
	ldap ldap2 {
		attribute = value
		attribute = value
		...............
		...............
	}
	ldap ldap3 {
		attribute = value
		attribute = value
		...............
		...............
	}
}

You can use the configured instances in the authorize, authenticate and post-auth sections by referring to each one by its instance name. Instances listed one after the other are tried in order: if the user is not found under the basedn of ldap1, processing continues with ldap2. For example:

authorize {
	.....
	.....
	ldap1
	ldap2
	.....
	.....
}