7.2 Configuring Token Authentication for FreeRadius on SLES 10

Ensure that you meet all the requirements mentioned in Section 7.1, Prerequisites for Token Authentication before proceeding.

  1. In the /etc/raddb/radiusd.conf file, uncomment the following lines in the authenticate section:

    authenticate {
                  ...
                  Auth-Type LDAP {
                          ldap
                  }
                  ...
    }
    
  2. Install the RADIUS LDAP Extension RPM:

    1. Download the novell-radius-ldap-extension-1.1.0-3.zip file from the eDirectory integration with FreeRADIUS Web page.

    2. Install the novell-radius-ldap-extensions-1.1.x.rpm contained in the archive. Verify the downloaded package before installing it (for example, rpm --checksig reports whether it carries a valid signature). For example,

      # rpm -ivh novell-radius-ldap-extensions-1.1.0-2.rpm
      
  3. Add the RADIUS LDAP extension information:

    1. Edit the radauth_ldapxtn.ldif file and enter the appropriate LDAP Server DN. For example, the following command retrieves the LDAP Server DN over LDAPS and prints it as a ready-made dn: line; adjust the hostname, port, and trusted root certificate for your environment:

      /opt/novell/eDirectory/bin/ldapsearch -h ldap-server-1.acme.org -p 636 -e /root/TrustedRootCert.der -s base -L | grep dsaName | cut -c 10- | sed -e "s/cn=/dn: cn=LDAP Server - /"
      
    2. Modify the LDAP Server object to add the RADIUS LDAP Extension information, again adjusting the hostname, port, trusted root certificate, and admin DN. The -W option prompts for the admin password so that it does not appear on the command line or in the shell history:

      /opt/novell/eDirectory/bin/ldapmodify -h ldap-server-1.acme.org -p 636 -D cn=admin,o=org -W -e /root/TrustedRootCert.der -f radauth_ldapxtn.ldif
      

      IMPORTANT: To remove the RADIUS LDAP extension information later, replace add: extensionInfo with delete: extensionInfo in the radauth_ldapxtn.ldif file and run the same ldapmodify command.

    3. Restart the LDAP server by running the following commands in sequence (nldap -u unloads the LDAP server module, nldap -l loads it again):

      /opt/novell/eDirectory/sbin/nldap -u
      
      /opt/novell/eDirectory/sbin/nldap -l
      
    4. Run the following command to check that the extension is loaded. The search reads the root DSE of the server and filters its supportedExtension values for the RADIUS extension OID:

      /opt/novell/eDirectory/bin/ldapsearch -h ldap-server-1.acme.org -p 636 -e /root/TrustedRootCert.der -b "" -s base supportedExtension | grep 510.100
      

      If the module is loaded correctly, you see the following reply:

      supportedExtension: 2.16.840.1.113719.1.510.100.1
      

      If the module is not loaded correctly, restart eDirectory and repeat the check.

  4. Set the default login sequence.

    From eDirectory: Use iManager to set the default login sequence for a user in eDirectory.

    1. In Novell iManager, click the Roles and Tasks tab.

    2. Click Users > Modify Users.

      You can select a single object or multiple objects, or perform a simple or advanced selection of the User to be modified.

    3. To modify a single object, click Select a single object, specify the Username or use the Object Selector icon to select it, then click OK.

    4. Click NMAS Login Sequences.

    5. Select the token authentication method as the default login sequence.

    6. Click OK.

      This sets the token method as the default for the selected user.

    From RADIUS Server: Delete all default authentication entries in the /etc/raddb/users configuration file and add the token method as the default sequence.

    For example:

      DEFAULT eDir-Auth-Option := "digipass"
                    Fall-Through = 1

    This selects the digipass method as the default token method for authenticating all users in eDirectory.

    IMPORTANT: The default token method set on the RADIUS server takes precedence over the login sequence set in eDirectory when users are authenticated.
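The following script is an added example and is not part of the Novell documentation or the extension package. It wraps the two command pipelines from step 3 (deriving the LDAP Server DN in substep 1 and checking supportedExtension in substep 4) in functions that can be exercised on captured ldapsearch output, and only calls the eDirectory tools when they are installed. The hostname, port, certificate path and admin DN are the page's example values and are assumptions; the sample ldapsearch output inside the script is constructed. It also tightens the verification step: the page's grep 510.100 is a substring match, while the function below matches the full OID attribute line exactly.

```shell
#!/bin/sh
# Added example (not Novell's code): helper functions around the step-3
# procedure for registering the RADIUS LDAP extension in eDirectory.

# Connection parameters; the defaults are the page's example values (assumptions).
LDAP_HOST="${LDAP_HOST:-ldap-server-1.acme.org}"
LDAP_PORT="${LDAP_PORT:-636}"                       # LDAPS, as on the page
TRUSTED_ROOT="${TRUSTED_ROOT:-/root/TrustedRootCert.der}"
ADMIN_DN="${ADMIN_DN:-cn=admin,o=org}"
EDIR_BIN="/opt/novell/eDirectory/bin"
LDIF_FILE="${LDIF_FILE:-radauth_ldapxtn.ldif}"

# OID the page expects in supportedExtension once the module is loaded.
RADIUS_EXT_OID="2.16.840.1.113719.1.510.100.1"

# Turn the dsaName attribute of a root-DSE search into the LDIF "dn:" line of
# the LDAP Server object. Same transform as the page's grep/cut/sed pipeline,
# but anchored on the attribute name and failing loudly if it is absent.
# Reads ldapsearch -L output on stdin.
ldap_server_dn_from_search() {
    dn=$(sed -n 's/^dsaName: cn=/dn: cn=LDAP Server - /p' | head -n 1)
    if [ -z "$dn" ]; then
        echo "no dsaName attribute in ldapsearch output" >&2
        return 1
    fi
    printf '%s\n' "$dn"
}

# Exact match on the supportedExtension line for the RADIUS extension OID.
# A substring grep such as 510.100 would also accept any longer OID that
# happens to share that prefix. Reads ldapsearch output on stdin.
radius_extension_loaded() {
    grep -qx "supportedExtension: $RADIUS_EXT_OID"
}

# Live wrappers: the page's commands over LDAPS with the trusted root
# certificate. ldapmodify uses -W so the admin password is prompted for and
# never appears in the process list or shell history.
query_ldap_server_dn() {
    "$EDIR_BIN/ldapsearch" -h "$LDAP_HOST" -p "$LDAP_PORT" -e "$TRUSTED_ROOT" \
        -b "" -s base -L | ldap_server_dn_from_search
}

apply_extension_ldif() {
    "$EDIR_BIN/ldapmodify" -h "$LDAP_HOST" -p "$LDAP_PORT" -D "$ADMIN_DN" -W \
        -e "$TRUSTED_ROOT" -f "$LDIF_FILE"
}

restart_nldap() {
    /opt/novell/eDirectory/sbin/nldap -u && /opt/novell/eDirectory/sbin/nldap -l
}

verify_extension() {
    "$EDIR_BIN/ldapsearch" -h "$LDAP_HOST" -p "$LDAP_PORT" -e "$TRUSTED_ROOT" \
        -b "" -s base supportedExtension | radius_extension_loaded
}

# Constructed sample of ldapsearch -L root-DSE output, used to show the DN
# transform offline. The server name and tree are made up.
SAMPLE_ROOT_DSE='version: 1
dn:
vendorName: Novell, Inc.
dsaName: cn=ldap-server-1,o=acme'

# Offline demonstration of the DN transform.
printf '%s\n' "$SAMPLE_ROOT_DSE" | ldap_server_dn_from_search

# Run the real procedure only where the eDirectory tools are present.
if [ -x "$EDIR_BIN/ldapsearch" ] && [ -x "$EDIR_BIN/ldapmodify" ]; then
    query_ldap_server_dn
    apply_extension_ldif && restart_nldap
    if verify_extension; then
        echo "RADIUS LDAP extension $RADIUS_EXT_OID is loaded"
    else
        echo "RADIUS LDAP extension not advertised; restart eDirectory and re-check" >&2
        exit 1
    fi
fi
```

Paste the dn: line that query_ldap_server_dn prints into radauth_ldapxtn.ldif before running apply_extension_ldif; the script does not edit the LDIF itself, since the page only shows the add: extensionInfo directive and not the rest of the file's contents.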