Prerequisites for Configuring the FreeRADIUS Server

Download and install the following:

Security considerations:

The following prerequisite tasks explain how to configure eDirectory so that you can log in to the system as a system administrator.


Configuring eDirectory

You need to configure the following in eDirectory using iManager:


Enabling Universal Password for eDirectory Users

Ensure that Universal Password is enabled for the users in eDirectory. After enabling it, set the universal password either manually or by logging in. For more information, refer to the Novell Modular Authentication Services 2.3.x Administration Guide.


Creating the RADIUS Administrator Object

The RADIUS Administrator object is a User object.

For information on creating a RADIUS Administrator object in eDirectory, refer to the Creating an Object section in the Novell eDirectory Administration Guide.

You need to specify the FDN (fully distinguished name) of the RADIUS Administrator object when modifying the attributes in the LDAP module.


Granting Administration Rights for the RADIUS Administrator

Grant the RADIUS administrator the Write right to the ACL attribute of each User object whose universal password has to be read. Granting this right gives the RADIUS administrator administrative rights over that User object.

The eDirectory administrator can also be the RADIUS administrator. For more information on eDirectory rights, refer to the Novell eDirectory Administration Guide.


Granting Rights to RADIUS Administrator to Retrieve Password

By default, the administrator does not have the right to read the universal password. The eDirectory administrator must modify the password policy to allow the RADIUS Administrator to read the universal password.

There are two possible scenarios for granting the RADIUS administrator the rights to retrieve the password:

  • Scenario 1: If the Password Management 2.0.2 for Novell eDirectory for iManager 2.x plug-in is installed.
  • Scenario 2: If Password Management 2.0.2 for Novell eDirectory for iManager 2.x plug-in is not installed.

Scenario 1

If the Password Management 2.0.2 for Novell eDirectory for iManager 2.x plug-in is installed, complete the following steps:

  1. In iManager, click the Roles and Tasks button.

  2. Click Passwords > Password Policies.

    1. Select the password policy being used.

    2. Click Edit.

  3. Click Universal Password > Configuration Options.

    1. Select Allow admin to retrieve passwords from Universal Password Retrieval.

    2. Click OK.


Scenario 2

If Password Management 2.0.2 for Novell eDirectory for iManager 2.x plug-in is not installed, complete the following steps:

  1. In iManager, click the Roles and Tasks button.

  2. Click eDirectory Administration > Modify Object.

    1. Select Security Container from the Object Selector.

    2. Select Universal Password On from Password Policies.

    3. Click OK.

  3. Select the General tab.

    1. Edit the nspmConfigurationOptions attribute and add 32 to the value already shown.

    2. Click OK.

IMPORTANT:  If Password Management 2.0.2 for Novell eDirectory for iManager 2.x plug-in is not installed, download the Password Management 2.0.2 for Novell eDirectory for iManager 2.x from the Novell Download site and follow the Scenario 1 procedure.


Extracting the Self-Signed Certificate of the Certificate Authority

You need to extract the self-signed certificate of the Certificate Authority in base 64 format. For information on extracting the certificate, refer to the Novell Certificate Server 2.7.x Administration Guide.

You need to specify the path of the extracted certificate and its filename when modifying the attributes in the LDAP module of the radiusd.conf configuration file. The two configuration parameters are:

Parameter        Description

tls_cacertfile   Specifies the full path of a certificate file in the UNIX file system.

tls_cacertdir    Specifies the full path of a directory containing certificates.

NOTE:  If either parameter is specified, the RADIUS server administrator has to make sure that the (UNIX) user under which the RADIUS server runs also has the right to read the certificate files.
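The NOTE above can be turned into a pre-flight check that the RADIUS server administrator runs before starting radiusd. This is an added example, not code from the Novell documentation or from FreeRADIUS: it pulls tls_cacertfile and tls_cacertdir out of the ldap section, confirms the certificate file is a base64 (PEM) export, and tests whether the UNIX uid that radiusd runs as can read both paths. The radiusd uid and group list are passed in as assumed arguments, and the fixture built by demo() is a constructed placeholder, not a real CA certificate.

```python
import base64
import os
import re
import stat
import tempfile

def parse_tls_params(conf_text):
    """Pick tls_cacertfile / tls_cacertdir out of the ldap { } section of radiusd.conf."""
    pattern = r'^\s*(tls_cacertfile|tls_cacertdir)\s*=\s*"?([^"\s]+)"?'
    return {m.group(1): m.group(2) for m in re.finditer(pattern, conf_text, re.M)}

def is_base64_cert(path):
    """The CA certificate must be exported in base64 (PEM) form, not binary DER."""
    with open(path) as fh:
        m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", fh.read(), re.S)
    try:
        return bool(base64.b64decode("".join(m.group(1).split()), validate=True))
    except (AttributeError, ValueError):  # no PEM block, or bad base64 alphabet / padding
        return False

def readable_by(path, uid, gids):
    """POSIX mode-bit check for the non-root UNIX user radiusd runs as (ignores uid 0, ACLs, parent dirs)."""
    st = os.stat(path)
    bit = stat.S_IRUSR if st.st_uid == uid else stat.S_IRGRP if st.st_gid in gids else stat.S_IROTH
    return bool(st.st_mode & bit)

def check_ca_params(conf_text, uid, gids):
    """Return a list of problems; an empty list means radiusd can load its CA material."""
    problems = []
    for name, path in parse_tls_params(conf_text).items():
        if not (os.path.isfile if name == "tls_cacertfile" else os.path.isdir)(path):
            problems.append(f"{name} {path} does not exist")
        elif not readable_by(path, uid, gids):
            problems.append(f"{name} {path} is not readable by uid {uid}")
        elif name == "tls_cacertfile" and not is_base64_cert(path):
            problems.append(f"{name} {path} is not a base64 (PEM) certificate")
    return problems

def demo():
    """Constructed fixture in a temp dir: a fake PEM body, not a real X.509 certificate."""
    cadir = tempfile.mkdtemp()                               # created with mode 0700
    cafile = os.path.join(cadir, "edir-ca.b64")
    body = base64.encodebytes(b"constructed placeholder, not a real certificate").decode()
    with open(cafile, "w") as fh:
        fh.write(f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n")
    conf = f"ldap {{\n    tls_cacertfile = {cafile}\n    tls_cacertdir = {cadir}\n}}\n"
    ok = check_ca_params(conf, os.getuid(), [os.getgid()])   # owner: both readable
    os.chmod(cafile, 0o600)                                  # owner-only from here on
    bad = check_ca_params(conf, os.getuid() + 1, [])         # another uid, no groups
    return ok, bad
```

Run demo() as the user that owns the files: the first list is empty, the second reports both paths as unreadable for the foreign uid.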