7.2 Configuring Token Authentication for FreeRADIUS on SLES

Ensure that you meet all the requirements mentioned in Prerequisites for Token Authentication before proceeding.

  1. Uncomment the following lines in the authenticate section so that the LDAP module handles Auth-Type LDAP requests:

    authenticate {
        ...
        Auth-Type LDAP {
            ldap
        }
        ...
    }

    The above configuration section is present in the following configuration files:

    • SLES 10: /etc/raddb/radiusd.conf

    • SLES 11: /etc/raddb/sites-available/default

  2. Comment out or delete the line "password_attribute = nspmPassword" in the ldap section, so that the password is validated through the token method rather than read from the nspmPassword attribute:

    ldap {
        ...
        password_attribute = nspmPassword
        ...
    }
    ...

    The above configuration section is present in the following configuration files:

    • SLES 10: /etc/raddb/radiusd.conf

    • SLES 11: /etc/raddb/modules/ldap
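Before restarting radiusd it is worth confirming that both edits took effect. The script below is an added example and is not part of the NetIQ documentation: it checks that an uncommented Auth-Type LDAP block containing the ldap module is present, and that no active password_attribute = nspmPassword line remains. The default paths are the SLES 11 locations listed above; on SLES 10 pass /etc/raddb/radiusd.conf as both arguments.

```shell
#!/bin/sh
# Added example (not from the NetIQ documentation): verify the edits from
# steps 1 and 2 against the FreeRADIUS configuration files.

# Return 0 if the file has an uncommented "Auth-Type LDAP {" block whose body
# contains an uncommented "ldap" line, 1 otherwise.
auth_type_ldap_enabled() {
    awk '
        /^[ \t]*#/ { next }                          # skip commented lines
        /Auth-Type[ \t]+LDAP[ \t]*[{]/ { inblock = 1; next }
        inblock && /^[ \t]*[}]/ { inblock = 0 }      # closing brace ends block
        inblock && /^[ \t]*ldap[ \t]*$/ { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Return 0 if no active (uncommented) "password_attribute = nspmPassword"
# line remains in the ldap module configuration, 1 otherwise.
nspm_password_attribute_disabled() {
    if grep -Eq '^[[:space:]]*password_attribute[[:space:]]*=[[:space:]]*nspmPassword' "$1"; then
        return 1
    fi
    return 0
}

# Run both checks; $1 = sites-available/default, $2 = modules/ldap
# (defaults are the SLES 11 paths from the documentation).
check_token_auth_config() {
    default_file="${1:-/etc/raddb/sites-available/default}"
    ldap_module="${2:-/etc/raddb/modules/ldap}"
    rc=0
    if auth_type_ldap_enabled "$default_file"; then
        echo "OK: Auth-Type LDAP block is active in $default_file"
    else
        echo "FAIL: Auth-Type LDAP block is commented out or missing in $default_file"
        rc=1
    fi
    if nspm_password_attribute_disabled "$ldap_module"; then
        echo "OK: password_attribute = nspmPassword is not active in $ldap_module"
    else
        echo "FAIL: password_attribute = nspmPassword is still active in $ldap_module"
        rc=1
    fi
    return $rc
}
```

Run `check_token_auth_config` as root after editing; a non-zero exit status means one of the two edits is still missing.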

  3. Install the RADIUS LDAP Extension RPM:

    1. Download the novell-radius-ldap-extension-1.1.0-3.zip file from the eDirectory integration with FreeRADIUS Web page.

    2. Install the novell-radius-ldap-extensions-1.1.x.rpm. For example,

      # rpm -ivh novell-radius-ldap-extensions-1.1.0-2.rpm
  4. Add the RADIUS LDAP extension information:

    1. Edit the radauth_ldapxtn.ldif file and enter the appropriate LDAP Server DN. For example, you can use the following command to get the LDAP Server DN by appropriately modifying the hostname, port, and trusted root certificate:

      /opt/novell/eDirectory/bin/ldapsearch -h ldap-server-1.acme.org -p 636 -e /root/TrustedRootCert.der -s base -L | grep dsaName | cut -c 10- | sed -e "s/cn=/dn: cn=LDAP Server - /"
    2. Modify the LDAP Server DN to add the RADIUS LDAP Extension information by appropriately modifying the hostname, port, trusted root certificate, and adminDN:

      /opt/novell/eDirectory/bin/ldapmodify -h ldap-server-1.acme.org -p 636 -D cn=admin,o=org -W -e /root/TrustedRootCert.der -f radauth_ldapxtn.ldif

      IMPORTANT: To delete the RADIUS LDAP extension information, replace add: extensionInfo with delete: extensionInfo in the radauth_ldapxtn.ldif file and run the above ldapmodify command again.

    3. Restart the LDAP server by running the following commands in sequence (unload, then load, the nldap module):

      /opt/novell/eDirectory/sbin/nldap -u
      /opt/novell/eDirectory/sbin/nldap -l
    4. Execute the following command to check that the module is loaded:

      /opt/novell/eDirectory/bin/ldapsearch -h ldap-server-1.acme.org -p 636 -e /root/TrustedRootCert.der -b "" -s base supportedExtension | grep 510.100

      If the module is loaded correctly, you see the following reply:

      supportedExtension: 2.16.840.1.113719.1.510.100.1

      If the module is not loaded correctly, restart eDirectory and verify that the module is correctly loaded.
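As an added example that is not part of the documentation, the two helpers below reproduce the text processing of steps 4.1 and 4.4 on captured ldapsearch output, so the DN rewrite and the extension check can be exercised offline before the commands are run against the server. Both read the ldapsearch output from standard input; the root DSE sample in the comment is constructed.

```shell
#!/bin/sh
# Added example (not from the NetIQ documentation): offline helpers for the
# dsaName-to-DN rewrite (step 4.1) and the supportedExtension check (step 4.4).
# Feed them ldapsearch output on stdin, e.g.
#   /opt/novell/eDirectory/bin/ldapsearch ... -s base -L | ldap_server_dn_line
# A constructed root DSE looks like:
#   dsaName: cn=ldap-server-1,o=acme
#   supportedExtension: 2.16.840.1.113719.1.510.100.1

# OID that the documentation says the RADIUS LDAP extension advertises.
RADIUS_EXT_OID="2.16.840.1.113719.1.510.100.1"

# Turn the dsaName attribute of the root DSE into the "dn:" line expected in
# radauth_ldapxtn.ldif: strip "dsaName: " (9 characters) and rewrite the
# leading cn= RDN, exactly as the documented grep/cut/sed pipeline does.
# Prints nothing and returns 1 if no dsaName line is present.
ldap_server_dn_line() {
    grep '^dsaName: ' | head -n 1 | cut -c 10- \
        | sed -e 's/cn=/dn: cn=LDAP Server - /' | grep .
}

# Return 0 if the root DSE lists the RADIUS extension OID, 1 otherwise.
# Matching the whole line (-x) avoids a false positive on some other
# 510.100.x OID that the documented "grep 510.100" would also accept.
radius_extension_loaded() {
    grep -Fxq "supportedExtension: $RADIUS_EXT_OID"
}
```

The exact-line match is the difference from the documented `grep 510.100`: it reports success only for the OID the documentation states, so a partially loaded or different extension cannot pass the check by accident.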

  5. Set the default login sequence.

    From eDirectory: Use iManager to set the default login sequence for a user in eDirectory.

    1. In Novell iManager, click the Roles and Tasks tab.

    2. Click Users > Modify Users.

      You can select a single object or multiple objects, or perform a simple or advanced selection of the User to be modified.

    3. To modify a single object, click Select a single object, specify the Username or use the Object Selector icon to select it, then click OK.

    4. Click NMAS Login Sequences.

    5. Select the token authentication method in the default login sequence.

    6. Click OK.

      This sets the token method as the default for the selected user.

    From RADIUS Server: Delete all default authentication entries in the /etc/raddb/users configuration file and add the token method as the default sequence.

    For example:

    DEFAULT eDir-Auth-Option := "digipass"
                  Fall-Through = 1

    With this entry, the digipass method is the default token method used to authenticate all users in eDirectory.

    IMPORTANT: The default token method set in the RADIUS server takes precedence over the eDirectory login sequence when authenticating users.
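Because the RADIUS-side DEFAULT entry overrides whatever was set per user in eDirectory, a stale DEFAULT entry left in /etc/raddb/users silently changes how every user is authenticated. The script below is an added example, not part of the documentation: it checks that the users file carries exactly one DEFAULT entry, that it selects the token method through eDir-Auth-Option, and that Fall-Through = 1 follows it. The file path defaults to /etc/raddb/users; pass another path as the first argument.

```shell
#!/bin/sh
# Added example (not from the NetIQ documentation): sanity-check the DEFAULT
# entry in the FreeRADIUS users file after step 5.

# Print the first line of every DEFAULT entry (comments skipped).
default_entries() {
    awk '/^[ \t]*#/ { next } /^DEFAULT([ \t]|$)/ { print }' "${1:-/etc/raddb/users}"
}

# Print the token method named by the DEFAULT eDir-Auth-Option entry
# (e.g. digipass); prints nothing if there is no such entry.
users_default_method() {
    sed -n 's/^DEFAULT[[:space:]]*eDir-Auth-Option[[:space:]]*:=[[:space:]]*"\([^"]*\)".*/\1/p' \
        "${1:-/etc/raddb/users}" | head -n 1
}

# Return 0 when the file has a single DEFAULT entry of the form
#   DEFAULT eDir-Auth-Option := "<method>"
# followed (within its reply items) by Fall-Through = 1; return 1 otherwise.
users_default_is_token_method() {
    file="${1:-/etc/raddb/users}"
    count=$(default_entries "$file" | wc -l | tr -d ' ')
    [ "$count" -eq 1 ] || return 1          # leftover DEFAULT entries present
    awk '
        /^[ \t]*#/ { next }
        /^DEFAULT[ \t]+eDir-Auth-Option[ \t]*:=[ \t]*"[^"]+"[ \t]*$/ { indef = 1; next }
        indef && /^[ \t]+Fall-Through[ \t]*=[ \t]*1[ \t]*,?[ \t]*$/ { ok = 1; exit }
        indef && /^[^ \t]/ { exit }          # next entry began without Fall-Through
        END { exit (ok ? 0 : 1) }
    ' "$file"
}
```

`users_default_is_token_method` exits non-zero both when an old DEFAULT entry (for example a system or PAP default) is still present and when the Fall-Through reply item is missing, which are the two mistakes the step above guards against.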

NOTE: There is a known issue with the FreeRADIUS server on SLES 11 when it is configured for token authentication. To work around this issue, comment out the files entry in the authorize section of the /etc/raddb/sites-enabled/inner-tunnel file, or delete the file.