Bob Brandt

Installing FreeRadius on SLES10 configured for eDirectory

SLES.FreeRadius History

March 22, 2011, at 11:02 AM by 137.191.238.232 -
Changed line 173 from:
  • http://en.opensuse.org/RadiusServerHOWTO
to:
  • http://www.linuxjournal.com/article/8151
April 03, 2009, at 02:17 PM by 82.141.254.184 -
Added lines 12-13:

I also had some minor problems with permissions on the cert.b64 file (make sure radiusd user and group can see the file)

April 03, 2009, at 02:17 PM by 82.141.254.184 -
Changed lines 7-8 from:

Copy this file (with your specific modifications) and export your eDirectory Organizational CA (without private key) as Base64 to /etc/raddb/certs/cert.b64

to:

Copy this file (with your specific modifications) and export your eDirectory Self-Signed CA (without private key) as Base64 to /etc/raddb/certs/cert.b64
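Review bot: the CA is renamed from "Organizational CA" to "Self-Signed CA" without saying why. Whichever export is meant, the file placed at /etc/raddb/certs/cert.b64 must be the certificate of the CA that issued the two LDAP servers' certificates, because the ldap modules in the config set start_tls = yes with tls_require_cert = "demand": a wrong CA makes every bind fail (which is the correct, fail-closed behaviour), and the temptation is then to relax "demand", which must not happen. In eDirectory the Organizational CA is itself self-signed, so the two names most likely refer to the same object; suggest saying so explicitly, e.g. "export the Organizational CA's self-signed certificate (public part only, Base64)".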

January 15, 2009, at 02:27 PM by 82.141.254.184 -
Changed lines 80-81 from:
	secret = opwradius
	shortname = opw
to:
	secret = companysecret
	shortname = company
Changed lines 94-96 from:

ldap_identity = "cn=RadiusAdmin, ou=RemoteAccess , o=opw" ldap_password = R@d1us@dmin ldap_basedn = "o=opw"

to:

ldap_identity = "cn=RadiusAdmin,ou=RemoteAccess,o=tree" ldap_password = thisisnottherealpassword ldap_basedn = "o=tree"
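Review bot: this edit replaces the bind DN, bind password and tree name with placeholders, but the original values (ldap_identity "cn=RadiusAdmin, ou=RemoteAccess , o=opw" with ldap_password R@d1us@dmin, and the client secret opwradius in the hunk above) remain readable in the page history, as they are here. A published credential has to be treated as compromised: rotate the RadiusAdmin password in eDirectory and the RADIUS shared secret on the server and every NAS, rather than only scrubbing the page. The exposure matters more than usual because the same config accepts clients from 0.0.0.0/0, so the shared secret is the only thing standing between an arbitrary host and the authentication service.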

Changed line 102 from:
		server = "nds1.opw.ie"
to:
		server = "ldap1.domain.name"
Changed line 123 from:
		server = "nds2.opw.ie"
to:
		server = "ldap2.domain.name"
January 15, 2009, at 02:22 PM by 82.141.254.184 -
Deleted line 3:
Deleted line 4:
Changed lines 169-171 from:
  • http://www.novell.com/coolsolutions/tip/15922.html
  • http://www.novell.com/documentation/edir_radius/index.html?page=/documentation/edir_radius/radadmin/data/btuadmy.html
  • http://wiki.novell.com/index.php/Recreating_Server_Certificates_on_OES_Linux
to:
  • http://www.novell.com/coolsolutions/tip/15922.html
  • http://www.novell.com/documentation/edir_radius/index.html
  • http://en.opensuse.org/RadiusServerHOWTO
January 15, 2009, at 02:20 PM by 82.141.254.184 -
Added lines 14-16:

If you run into any problems just run the following command to see all the necessary troubleshooting output:

radiusd -A -X
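Review bot: radiusd -A -X is the right troubleshooting command, but -X runs the server in the foreground with full debugging and prints every attribute of every request to stdout, including User-Password in cleartext and the LDAP bind details, so the output must be redacted before it goes into a ticket or mailing list, and the debug instance should be stopped and the service restarted normally (rcradiusd start) once the problem is found rather than left running in debug mode.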
January 15, 2009, at 02:18 PM by 82.141.254.184 -
Changed line 11 from:

You might also want to create a link

to:

You might also want to create a link to the init.d script.

January 15, 2009, at 02:17 PM by 82.141.254.184 -
Changed lines 12-13 from:

ln -s /etc/init.d/radiusd /usr/sbin/rcradiusd

to:
ln -s /etc/init.d/radiusd /usr/sbin/rcradiusd
January 15, 2009, at 02:15 PM by 82.141.254.184 -
Changed lines 17-23 from:
  1. radiusd.conf -- FreeRADIUS server configuration file.
  2. Author: Bob Brandt (projects@brandt.ie)
  3. Redundant LDAP Configuration
to:
  1. #
  2. /etc/raddb/radiusd.conf #
  3. #
  4. Author: Bob Brandt (projects@brandt.ie) #
  5. #
  6. FreeRADIUS Redundant LDAP Configuration #
  7. #
January 15, 2009, at 02:14 PM by 82.141.254.184 -
Changed lines 17-26 from:
  1. radiusd.conf -- FreeRADIUS server configuration file.
  2. Redundant LDAP Configuration
  3. http://www.freeradius.org/
  4. http://www.novell.com/documentation/edir_radius/index.html
  5. http://en.opensuse.org/RadiusServerHOWTO
to:
  1. radiusd.conf -- FreeRADIUS server configuration file.
  2. Author: Bob Brandt (projects@brandt.ie)
  3. Redundant LDAP Configuration
January 15, 2009, at 02:12 PM by 82.141.254.184 -
Changed lines 11-12 from:

You might also want to create a link ln -s

to:

You might also want to create a link ln -s /etc/init.d/radiusd /usr/sbin/rcradiusd

January 15, 2009, at 02:11 PM by 82.141.254.184 -
Changed lines 16-159 from:
to:
  1. radiusd.conf -- FreeRADIUS server configuration file.
  2. Redundant LDAP Configuration
  3. http://www.freeradius.org/
  4. http://www.novell.com/documentation/edir_radius/index.html
  5. http://en.opensuse.org/RadiusServerHOWTO

prefix = /usr exec_prefix = ${prefix} sysconfdir = /etc localstatedir = /var sbindir = ${exec_prefix}/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct

  1. Location of config and logfiles.

confdir = ${raddbdir} run_dir = ${localstatedir}/run/radiusd log_file = ${logdir}/radius.log libdir = /usr/lib/freeradius pidfile = ${run_dir}/radiusd.pid

user = radiusd group = radiusd

max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 max_requests = 1024

bind_address = * port = 0

hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log_stripped_names = yes log_auth = yes log_auth_badpass = yes log_auth_goodpass = yes usercollide = no lower_user = after lower_pass = no nospace_user = after nospace_pass = no

checkrad = ${sbindir}/checkrad

  1. SECURITY CONFIGURATION

security {

	max_attributes = 200
	reject_delay = 1
	status_server = yes

}

  1. CLIENTS CONFIGURATION

client 0.0.0.0/0 {

	secret = opwradius
	shortname = opw

}

  1. THREAD POOL CONFIGURATION

thread pool {

	start_servers = 5
	max_servers = 32
	min_spare_servers = 3
	max_spare_servers = 10
	max_requests_per_server = 0

}

  1. LDAP Information

ldap_identity = "cn=RadiusAdmin, ou=RemoteAccess , o=opw" ldap_password = R@d1us@dmin ldap_basedn = "o=opw" ldap_tls_cacertfile = "/etc/raddb/certs/cert.b64"

  1. MODULE CONFIGURATION

modules {

	ldap ldap1 {	
		server = "nds1.opw.ie"
		identity = ${ldap_identity}
		password = ${ldap_password}
		basedn = ${ldap_basedn}
		filter = "(&(objectClass=inetOrgPerson)(cn=%{Stripped-User-Name:-%{User-Name}}))" 
		base_filter = "(objectclass=inetOrgPerson)" 

		start_tls = yes 
		tls_cacertfile	= ${ldap_tls_cacertfile}
		tls_require_cert = "demand" 
		access_attr = "dialupAccess" 
		dictionary_mapping = ${raddbdir}/ldap.attrmap 
		ldap_connections_number = 5 
		password_attribute = nspmPassword
		timeout = 4 
		timelimit = 3 
		net_timeout = 1 
		edir_account_policy_check = yes 
	}	

	ldap ldap2 {	
		server = "nds2.opw.ie"
		identity = ${ldap_identity}
		password = ${ldap_password}
		basedn = ${ldap_basedn}
		filter = "(&(objectClass=inetOrgPerson)(cn=%{Stripped-User-Name:-%{User-Name}}))" 
		base_filter = "(objectclass=inetOrgPerson)" 

		start_tls = yes 
		tls_cacertfile	= ${ldap_tls_cacertfile}
		tls_require_cert = "demand" 
		access_attr = "dialupAccess" 
		dictionary_mapping = ${raddbdir}/ldap.attrmap 
		ldap_connections_number = 5 
		password_attribute = nspmPassword
		timeout = 4 
		timelimit = 3 
		net_timeout = 1 
		edir_account_policy_check = yes 
	}	

}

authorize {

	ldap1
	ldap2

}

authenticate {

	Auth-Type LDAP {
		ldap1
		ldap2
	}

}

post-auth {

	Post-Auth-Type REJECT {
		ldap1
		ldap2
	}

}
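Review bot: log_auth_badpass = yes and log_auth_goodpass = yes in the global options block write the password the user submitted into ${logdir}/radius.log next to the username for every rejected and every accepted request, which turns the log file into a cleartext password store and contradicts the "Secure" description of this config; set both to no (log_auth = yes already records who authenticated and whether it succeeded). Two further points in the same hunk. First, client 0.0.0.0/0 { secret = opwradius } accepts RADIUS packets from any source address that knows the one shared secret; list the actual NAS devices (switches, access points, VPN concentrators) as separate client blocks with distinct secrets, or at minimum restrict the range to their management subnet, since the secret is otherwise the only access control. Second, password_attribute = nspmPassword together with edir_account_policy_check = yes means the RadiusAdmin identity reads each user's Universal Password back from eDirectory (this requires the bind user to be allowed to retrieve passwords under the applicable password policy), and that password travels over the LDAP connection, so start_tls = yes with tls_require_cert = "demand" is not optional here and should be called out as such in the text; the same reasoning is why the radiusd.conf holding ldap_password and the shared secret should be readable only by the radiusd user and group.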

January 15, 2009, at 02:11 PM by 82.141.254.184 -
Changed lines 3-9 from:
to:

FreeRadius is a very versatile, powerful application for network RADIUS authentication. Perhaps too powerful! The problem is that is can seem to have too many options, and unless your a RADIUS expert, your screwed!

What I needed for a customer was way to "proxy" LDAP/eDirectory authentication through RADIUS, and perhaps define redundant LDAP servers. That's all!

Through a great deal of research, trial and error; I can up with the following slimmed down configuration file. Simple, Secure and Functional!

Copy this file (with your specific modifications) and export your eDirectory Organizational CA (without private key) as Base64 to /etc/raddb/certs/cert.b64

You might also want to create a link ln -s

/etc/raddb/radiusd.conf

(:div style="border-style:ridge; border-width:2px; background-color:#ffffcc; margin-left:50px; overflow:auto; width:650px; height:300px;":)


(:divend:)

November 04, 2007, at 09:28 PM by 217.75.11.25 -
Added lines 1-13:

(:title Installing FreeRadius on SLES10 configured for eDirectory:)

References:

  • http://www.novell.com/coolsolutions/tip/15922.html
  • http://www.novell.com/documentation/edir_radius/index.html?page=/documentation/edir_radius/radadmin/data/btuadmy.html
  • http://wiki.novell.com/index.php/Recreating_Server_Certificates_on_OES_Linux
Page last modified on March 22, 2011, at 11:02 AM