You need to modify the following attributes in the ldap module in the /etc/raddb/radiusd.conf file:
| Attribute | Value | Remarks |
|---|---|---|
| server | hostname or IP address | You can use either the hostname or the IP address of the LDAP server, depending on whether the server uses the SSL CertificateDNS or the SSL CertificateIP certificate. Ensure that the server name you use here matches the server name in the DN attribute of the eDirectory LDAP server certificate. By default, the eDirectory LDAP server uses SSL CertificateDNS. |
| port | 636 | LDAP server port. |
| identity | DN of the RADIUS administrator in eDirectory | DN of the RADIUS administrator under which LDAP searches are performed. |
| password | password of the RADIUS administrator in eDirectory | The password authenticates the DN of the RADIUS administrator. |
| basedn | DN of the container that stores the RADIUS users and profile objects | The RADIUS server looks for objects in the subtree under this basedn. If you want multiple search bases, you can create multiple LDAP modules. For an example, refer to Section 3.2.2, Example for Creating Multiple Instances of an LDAP Module. |
| filter | (cn=%{Stripped-User-Name:-%{User-Name}}) | LDAP search filter used to locate the user object by the name supplied by the RADIUS client during authentication. |
| start_tls | no | If set to yes, creates a secure connection on port 389 using the StartTLS extended operation. IMPORTANT: Ensure that the tls_mode attribute is either commented out or set to no, and that the port is set to 389. |
| tls_mode | yes | Creates a secure (ldaps) connection on port 636. IMPORTANT: Ensure that the start_tls attribute is either commented out or set to no, and that the port is set to 636. |
| tls_cacertfile | Path of the certificate file in the UNIX file system | A PEM or Base64-encoded file that contains the CA certificates. |
| tls_require_cert | demand | Setting this attribute to demand configures FreeRADIUS to verify the LDAP server certificate. Authentication fails if the certificate does not verify. |
| dictionary_mapping | ${raddbdir}/ldap.attrmap | Maps RADIUS dictionary attributes to LDAP directory attributes. |
| password_attribute | nspmPassword | Setting this attribute to nspmPassword configures FreeRADIUS to let users authenticate to RADIUS with their Universal Passwords. The nspmPassword string is not case sensitive; for example, you can use either nspmPassword or nspmpassword. IMPORTANT: Ensure that you have enabled Universal Password for eDirectory. For more information, refer to Section 3.1, Prerequisites for Configuring the FreeRADIUS Server. |
| edir_account_policy_check | yes | The eDirectory account policy check is enabled by default. Setting this attribute to no disables the eDirectory account policy check and intruder detection in eDirectory. NOTE: If a user has grace logins, they are used up when the user authenticates through RADIUS, which might lock the user's account without warning. The advantages of an eDirectory account policy check are: IMPORTANT: If you find the performance of the RADIUS servers unsatisfactory, you can disable the eDirectory account policy check, but there are security risks. |
| access_attr | dialupAccess | Setting this attribute to dialupAccess configures FreeRADIUS to allow or deny access to a user. The attribute should be present and set to either true or false for each user. If you do not want to use this attribute to control user access, comment out access_attr = dialupAccess. For the steps to specify this attribute for the user, see Modifying RADIUS Users. |
For a more detailed explanation of the attributes, refer to the /usr/share/doc/packages/freeradius/rlm_ldap file.
After modifying the LDAP module, you need to enable the module and specify ldap in the post-authentication section of the radiusd.conf file. For more information, refer to Section 3.3, Enabling the LDAP Module in the Configuration File. A sample ldap module with these attributes set follows:
```
ldap
{
    server = "eDir.test.com"
    port = 636
    identity = "cn=admin,o=org"
    password = secret
    basedn = "o=org"
    filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
    base_filter = "(objectclass=radiusprofile)"

    # set this to 'yes' to use TLS encrypted connections
    # to the LDAP database by using the StartTLS extended
    # operation.
    # The StartTLS operation is supposed to be used with normal
    # ldap connections instead of using ldaps (port 636) connections
    start_tls = no
    tls_mode = yes
    tls_cacertfile = /opt/etc/raddb/certs/cacert.b64
    # tls_cacertdir = /path/to/ca/dir/
    # tls_certfile = /path/to/radius.crt
    # tls_keyfile = /path/to/radius.key
    # tls_randfile = /path/to/rnd
    tls_require_cert = "demand"

    # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
    # profile_attribute = "radiusProfileDn"
    access_attr = "dialupAccess"

    # Mapping of RADIUS dictionary attributes to LDAP
    # directory attributes.
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5

    #
    # NOTICE: The password_header directive is NOT case insensitive
    #
    # password_header = "{clear}"
    #
    # The server can usually figure this out on its own, and pull
    # the correct User-Password or NT-Password from the database.
    #
    # Note that NT-Passwords MUST be stored as a 32-digit hex
    # string, and MUST start off with "0x", such as:
    #
    # 0x000102030405060708090a0b0c0d0e0f
    #
    # Without the leading "0x", NT-Passwords will not work.
    # This goes for NT-Passwords stored in SQL, too.
    #
    password_attribute = nspmPassword

    # groupname_attribute = cn
    # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
    # groupmembership_attribute = radiusGroupName

    timeout = 4
    timelimit = 3
    net_timeout = 1
    # compare_check_items = yes
    # do_xlat = yes
    # access_attr_used_for_allow = yes
    edir_account_policy_check = yes
}
```
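As an added check, not part of this documentation or of FreeRADIUS, the following Python parses an ldap module block like the one above and reports violations of the constraints the attribute table states: start_tls and tls_mode must not both be enabled, each requires its matching port, tls_require_cert should be demand, password_attribute is compared case-insensitively, and edir_account_policy_check = no is flagged as a risk. The sample block is constructed from the page's values; parse_ldap_module and check_ldap_module are hypothetical helper names.

```python
import re

# Constructed sample: values taken from this page's ldap module, trimmed to
# the attributes the rules below examine.
SAMPLE_CONF = """
ldap {
    server = "eDir.test.com"
    port = 636
    start_tls = no
    tls_mode = yes
    tls_require_cert = "demand"
    password_attribute = nspmPassword   # case is not significant here
    edir_account_policy_check = yes
}
"""
ASSIGN = re.compile(r'^([A-Za-z_]+)\s*=\s*(.*?)$')

def parse_ldap_module(text):
    """Return {attribute: value} for the assignments inside 'ldap [name] { ... }'.
    Comments are dropped, so a commented-out attribute is simply absent."""
    attrs, inside = {}, False
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()          # strip trailing comments
        if not inside:                               # header may be 'ldap', 'ldap {' or 'ldap name {'
            inside = re.match(r'^ldap(\s+\w+)?\s*\{?$', line) is not None
            continue
        if line.startswith('}'):
            break
        m = ASSIGN.match(line)                       # a lone '{' line does not match and is skipped
        if m:
            attrs[m.group(1)] = m.group(2).strip().strip('"')
    return attrs

def check_ldap_module(attrs):
    """Apply the constraints from the attribute table; return the list of findings."""
    port = attrs.get('port')
    start_tls = attrs.get('start_tls', 'no').lower() == 'yes'
    tls_mode = attrs.get('tls_mode', 'no').lower() == 'yes'
    rules = [
        (start_tls and tls_mode, 'start_tls and tls_mode are both yes; enable only one'),
        (tls_mode and not start_tls and port != '636', 'tls_mode = yes requires port = 636'),
        (start_tls and not tls_mode and port != '389', 'start_tls = yes requires port = 389'),
        (not (start_tls or tls_mode), 'neither start_tls nor tls_mode is yes; LDAP traffic is unencrypted'),
        (attrs.get('tls_require_cert', '').lower() != 'demand', 'tls_require_cert is not demand; server certificate is not verified'),
        (attrs.get('password_attribute', '').lower() != 'nspmpassword', 'password_attribute is not nspmPassword; Universal Password is not used'),
        (attrs.get('edir_account_policy_check', 'yes').lower() == 'no', 'edir_account_policy_check = no disables the policy check and intruder detection'),
    ]
    return [msg for hit, msg in rules if hit]
```

Running check_ldap_module(parse_ldap_module(SAMPLE_CONF)) on the page's values returns an empty list; changing start_tls to yes while tls_mode stays yes produces the "enable only one" finding.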
If you want multiple search bases, you can create multiple LDAP modules by using the following syntax in the module section of the radiusd.conf file.
```
modules
{
    ...........
    ...........
    ldap ldap1
    {
        attribute = value
        attribute = value
        ...............
        ...............
    }
    ldap ldap2
    {
        attribute = value
        attribute = value
        ...............
        ...............
    }
    ldap ldap3
    {
        attribute = value
        attribute = value
        ...............
        ...............
    }
}
```
You can use the configured modules in the authorize, authenticate, and post-authenticate sections by specifying the module name and instance name. For example:
```
authorize
{
    .....
    .....
    ldap ldap1
    ldap ldap2
    .....
    .....
}
```