|
SLES /
Installing FreeRadius on SLES10 configured for eDirectorySLES.FreeRadius HistoryShow minor edits - Show changes to markup March 22, 2011, at 11:02 AM
by -
Changed line 173 from:
to:
April 03, 2009, at 02:17 PM
by -
Added lines 12-13:
I also had some minor problems with permissions on the cert.b64 file (make sure radiusd user and group can see the file) April 03, 2009, at 02:17 PM
by -
Changed lines 7-8 from:
Copy this file (with your specific modifications) and export your eDirectory Organizational CA (without private key) as Base64 to /etc/raddb/certs/cert.b64 to:
Copy this file (with your specific modifications) and export your eDirectory Self-Signed CA (without private key) as Base64 to /etc/raddb/certs/cert.b64 January 15, 2009, at 02:27 PM
by -
Changed lines 80-81 from:
secret = opwradius shortname = opw to:
secret = companysecret shortname = company Changed lines 94-96 from:
ldap_identity = "cn=RadiusAdmin, ou=RemoteAccess , o=opw" ldap_password = R@d1us@dmin ldap_basedn = "o=opw" to:
ldap_identity = "cn=RadiusAdmin,ou=RemoteAccess,o=tree" ldap_password = thisisnottherealpassword ldap_basedn = "o=tree" Changed line 102 from:
server = "nds1.opw.ie" to:
server = "ldap1.domain.name" Changed line 123 from:
server = "nds2.opw.ie" to:
server = "ldap2.domain.name" January 15, 2009, at 02:22 PM
by -
Deleted line 3:
Deleted line 4:
Changed lines 169-171 from:
to:
January 15, 2009, at 02:20 PM
by -
Added lines 14-16:
If you run into any problems just run the following command to see all the necessary troubleshooting output: radiusd -A -X
January 15, 2009, at 02:18 PM
by -
Changed line 11 from:
You might also want to create a link to:
You might also want to create a link to the init.d script. January 15, 2009, at 02:17 PM
by -
Changed lines 12-13 from:
to:
ln -s /etc/init.d/radiusd /usr/sbin/rcradiusd
January 15, 2009, at 02:15 PM
by -
Changed lines 17-23 from:
to:
January 15, 2009, at 02:14 PM
by -
Changed lines 17-26 from:
to:
January 15, 2009, at 02:12 PM
by -
Changed lines 11-12 from:
You might also want to create a link ln -s to:
You might also want to create a link
January 15, 2009, at 02:11 PM
by -
Changed lines 16-159 from:
to:
prefix = /usr exec_prefix = ${prefix} sysconfdir = /etc localstatedir = /var sbindir = ${exec_prefix}/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct
confdir = ${raddbdir} run_dir = ${localstatedir}/run/radiusd log_file = ${logdir}/radius.log libdir = /usr/lib/freeradius pidfile = ${run_dir}/radiusd.pid user = radiusd group = radiusd max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 max_requests = 1024 bind_address = * port = 0 hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log_stripped_names = yes log_auth = yes log_auth_badpass = yes log_auth_goodpass = yes usercollide = no lower_user = after lower_pass = no nospace_user = after nospace_pass = no checkrad = ${sbindir}/checkrad
security { max_attributes = 200 reject_delay = 1 status_server = yes }
client 0.0.0.0/0 { secret = opwradius shortname = opw }
thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 }
ldap_identity = "cn=RadiusAdmin, ou=RemoteAccess , o=opw" ldap_password = R@d1us@dmin ldap_basedn = "o=opw" ldap_tls_cacertfile = "/etc/raddb/certs/cert.b64"
modules { ldap ldap1 {
server = "nds1.opw.ie"
identity = ${ldap_identity}
password = ${ldap_password}
basedn = ${ldap_basedn}
filter = "(&(objectClass=inetOrgPerson)(cn=%{Stripped-User-Name:-%{User-Name}}))"
base_filter = "(objectclass=inetOrgPerson)"
start_tls = yes
tls_cacertfile = ${ldap_tls_cacertfile}
tls_require_cert = "demand"
access_attr = "dialupAccess"
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
password_attribute = nspmPassword
timeout = 4
timelimit = 3
net_timeout = 1
edir_account_policy_check = yes
}
ldap ldap2 {
server = "nds2.opw.ie"
identity = ${ldap_identity}
password = ${ldap_password}
basedn = ${ldap_basedn}
filter = "(&(objectClass=inetOrgPerson)(cn=%{Stripped-User-Name:-%{User-Name}}))"
base_filter = "(objectclass=inetOrgPerson)"
start_tls = yes
tls_cacertfile = ${ldap_tls_cacertfile}
tls_require_cert = "demand"
access_attr = "dialupAccess"
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
password_attribute = nspmPassword
timeout = 4
timelimit = 3
net_timeout = 1
edir_account_policy_check = yes
}
} authorize { ldap1 ldap2 } authenticate { Auth-Type LDAP {
ldap1
ldap2
}
} post-auth { Post-Auth-Type REJECT {
ldap1
ldap2
}
} January 15, 2009, at 02:11 PM
by -
Changed lines 3-9 from:
to:
FreeRadius is a very versatile, powerful application for network RADIUS authentication. Perhaps too powerful! The problem is that is can seem to have too many options, and unless your a RADIUS expert, your screwed! What I needed for a customer was way to "proxy" LDAP/eDirectory authentication through RADIUS, and perhaps define redundant LDAP servers. That's all! Through a great deal of research, trial and error; I can up with the following slimmed down configuration file. Simple, Secure and Functional! Copy this file (with your specific modifications) and export your eDirectory Organizational CA (without private key) as Base64 to /etc/raddb/certs/cert.b64 You might also want to create a link ln -s /etc/raddb/radiusd.conf
(:div style="border-style:ridge; border-width:2px; background-color:#ffffcc; margin-left:50px; overflow:auto; width:650px; height:300px;":) (:divend:) November 04, 2007, at 09:28 PM
by -
Added lines 1-13:
(:title Installing FreeRadius on SLES10 configured for eDirectory:) References:
|