3.2 Modifying the LDAP Module

You need to modify the following attributes in the ldap module located at:

  • SLES 11: /etc/raddb/modules/ldap

  • SLES 12: /etc/raddb/mods-available/ldap





hostname or IP address

You can use either the hostname or the hostname or IP address of the LDAP server based on the SSL CertificateDNS or SSL CertificateIP. Ensure that the server name you use here matches with the server name in the DN attribute of the eDirectory LDAP server certificate.

By default, the eDirecttory LDAP server uses SSL Certificate DNS.


DN of the RADIUS administrator in eDirectory

DN of the RADIUS administrator under which LDAP searches are performed.


password of the RADIUS administrator in eDirectory

The pasword authenticates the DN of the RADIUS administrator.


The DN of the container that stores the RADIUS users and profile objects

The RADIUS server looks for objects in the subtree under this basedn. If you want multiple search bases, you can create multiple LDAP modules. For an example, refer to Example for Creating Multiple Instances of an LDAP Module.



You can use the LDAP search filter to locate the user object by using name supplied by the RADIUS client during authentication.



If the value is set to yes, it creates a secure connection on port 389.

IMPORTANT: Ensure that the tls_mode attribute is either commented or the tls_mode is set to no and the port is set to 389.


Full path of the certificate file in the UNIX file system.

A PEM or Base 64 encoded file that contains the CA certificates.



By setting the value of this attribute to demand, you configure FreeRADIUS to verify the certificate. The authentication fails if a certificate does not verify.



You can use this attribute to map the RADIUS dictionary attributes with LDAP directory attributes.



By setting the value of this attribute to nspmPassword, you configure FreeRADIUS to enable users to use their Universal Passwords for RADIUS authentication.

The nspmPassword string is not case sensitive. For example, you can use either nspmPassword or nspmpassword.

IMPORTANT:Ensure that you have enabled Universal Password for eDirectory. For more information, refer to Prerequisites for Configuring the FreeRADIUS Server.



An eDirectory account policy check is enabled by default. By setting the value of this attribute to no, you disable the eDirectory account policy check and intruder detection in eDirectory.

NOTE:If a user has grace logins, they are used up when the user authenticates through RADIUS. This might lock the user's account without warning.

The advantages of an eDirectory account policy check are:

  • The existing eDirectory policies on the user accounts can still be applied after integrating with RADIUS.

  • eDirectory intruder detection is enabled.

IMPORTANT:If you find the performance of the RADIUS servers unsatisfactory, you can disable the eDirectory account policy check, but there are security risks.



By setting the value of this attribute to dialupAccess, you configure FreeRADIUS to allow or deny access to an user. This attribute should be present and set to either true or false for each user. If you do not want to use this attribute to control access to the user, you need to comment out access_attr = dialupAccess.

For steps to specify this attribute to the user, see Modifying RADIUS Users.

For more detailed explanation of the above attributes, refer to the /usr/share/doc/packages/freeradius-server-doc/rlm_ldap file.

After modifying the LDAP module, you need to enable the module and specify ldap in the post-authentication section of the /etc/raddb/sites-available/default file. For more information, refer to Enabling the LDAP Module in the Configuration File.

3.2.1 Example of a Modified LDAP Module

         server = "eDir.test.com"
         identity = "cn=admin,o=org"
         password = secret
         basedn = "o=org"
         filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
         #base_filter = "(objectclass=radiusprofile)"
         ldap_connections_number = 5
         timeout = 4
         timelimit = 3
         net_timeout = 1
         # Set this to 'yes' to use TLS encrypted connections
         # to the LDAP database by using the StartTLS extended operation.
          # The StartTLS operation is supposed to be used with normal ldap       
         # connections instead of using ldaps connections           
         start_tls = yes
         cacertfile = /path/to/cacert.pem
         # cacertdir = /path/to/ca/dir/
         # certfile = /path/to/radius.crt
         # keyfile  = /path/to/radius.key
         # randfile = /path/to/rnd
         require_cert = "demand"
        # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
        # profile_attribute = "radiusProfileDn"
        #access_attr = "dialupAccess"
        dictionary_mapping = ${confdir}/ldap.attrmap
        # password_attribute = userPassword
        edir_account_policy_check = no
        #  Group membership checking.  Disabled by default.
        # groupname_attribute = cn
        # groupmembership_filter =  "(|(&(objectClass=GroupOfNames)(member=%{LdapUserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
        # groupmembership_attribute = radiusGroupName
        # compare_check_items = yes
        # do_xlat = yes
        # access_attr_used_for_allow = yes

3.2.2 Example for Creating Multiple Instances of an LDAP Module

If you want multiple search bases, you can create multiple LDAP modules by using the following syntax in the module section of the etc/raddb/modules/ldap.conf file.


       ldap ldap1 
        attribute = value
        attribute = value
       ldap ldap2 
        attribute = value
        attribute = value
       ldap ldap3 
        attribute = value
        attribute = value

You can use the configured modules in the authorize, authenticate, and post-authenticate sections by specifying the module name and instance name. For example:

       ldap ldap1
       ldap ldap2