3.2 Modifying the LDAP Module

You need to modify the following attributes in the ldap module located at:

  • SLES 11: /etc/raddb/modules/ldap

  • SLES 12: /etc/raddb/mods-available/ldap

Attributes, values, and remarks:

server
  Value: hostname or IP address
  Remarks: You can use either the hostname or the IP address of the LDAP server, depending on whether the server uses the SSL CertificateDNS or the SSL CertificateIP certificate. Ensure that the server name you use here matches the server name in the DN attribute of the eDirectory LDAP server certificate.

  By default, the eDirectory LDAP server uses SSL CertificateDNS.

identity
  Value: DN of the RADIUS administrator in eDirectory
  Remarks: DN of the RADIUS administrator under which LDAP searches are performed.

password
  Value: password of the RADIUS administrator in eDirectory
  Remarks: The password authenticates the DN of the RADIUS administrator.

basedn
  Value: The DN of the container that stores the RADIUS users and profile objects
  Remarks: The RADIUS server looks for objects in the subtree under this basedn. If you want multiple search bases, you can create multiple LDAP modules. For an example, refer to Example for Creating Multiple Instances of an LDAP Module.

filter
  Value: (cn=%{Stripped-User-Name:-%{User-Name}})
  Remarks: The LDAP search filter locates the user object by the name supplied by the RADIUS client during authentication.

start_tls
  Value: no
  Remarks: If the value is set to yes, a secure (StartTLS) connection is created on port 389.

  IMPORTANT: Ensure that the tls_mode attribute is either commented out or set to no, and that the port is set to 389.

cacertfile
  Value: Full path of the certificate file in the UNIX file system.
  Remarks: A PEM or Base64-encoded file that contains the CA certificates.

require_cert
  Value: demand
  Remarks: By setting the value of this attribute to demand, you configure FreeRADIUS to verify the server certificate. Authentication fails if the certificate does not verify.

dictionary_mapping
  Value: ${raddbdir}/ldap.attrmap
  Remarks: Maps the RADIUS dictionary attributes to LDAP directory attributes.

password_attribute
  Value: nspmPassword
  Remarks: By setting the value of this attribute to nspmPassword, you configure FreeRADIUS to let users authenticate to RADIUS with their Universal Passwords.

  The nspmPassword string is not case sensitive. For example, you can use either nspmPassword or nspmpassword.

  IMPORTANT: Ensure that you have enabled Universal Password for eDirectory. For more information, refer to Prerequisites for Configuring the FreeRADIUS Server.

edir_account_policy_check
  Value: yes
  Remarks: The eDirectory account policy check is enabled by default. By setting the value of this attribute to no, you disable the eDirectory account policy check and intruder detection in eDirectory.

  NOTE: If a user has grace logins, they are used up when the user authenticates through RADIUS. This might lock the user's account without warning.

  The advantages of an eDirectory account policy check are:

    • The existing eDirectory policies on the user accounts still apply after integrating with RADIUS.

    • eDirectory intruder detection is enabled.

  IMPORTANT: If you find the performance of the RADIUS servers unsatisfactory, you can disable the eDirectory account policy check, but doing so carries security risks.

access_attr
  Value: dialupAccess
  Remarks: By setting the value of this attribute to dialupAccess, you configure FreeRADIUS to allow or deny access to a user. This attribute should be present and set to either true or false for each user. If you do not want to use this attribute to control user access, comment out access_attr = dialupAccess.

  For steps to set this attribute on the user, see Modifying RADIUS Users.

For a more detailed explanation of the above attributes, refer to the /usr/share/doc/packages/freeradius-server-doc/rlm_ldap file.

After modifying the LDAP module, you need to enable the module and specify ldap in the post-authentication section of the /etc/raddb/sites-available/default file. For more information, refer to Enabling the LDAP Module in the Configuration File.
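The filter attribute above relies on two things the table only implies: the xlat `%{Stripped-User-Name:-%{User-Name}}` falls back to the raw User-Name when no realm was stripped, and the value substituted into `(cn=...)` must be escaped per RFC 4515 so that a user name containing filter metacharacters still matches only a cn. The following Python is an added example, not code from this documentation or from FreeRADIUS; it reproduces that expansion and escaping outside the server so the resulting filter can be inspected. The request dictionaries are constructed sample input.

```python
# Added example (not from the original documentation): builds the rlm_ldap user
# search filter from RADIUS request attributes the way the documented filter
# "(cn=%{Stripped-User-Name:-%{User-Name}})" does, escaping the value as
# RFC 4515 requires so a supplied user name can only ever match a cn value.

# RFC 4515 section 3: these characters must be hex-escaped inside an
# assertion value; everything else passes through unchanged.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def ldap_filter_escape(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP search filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def xlat_user_name(request: dict) -> str:
    """Model the xlat %{Stripped-User-Name:-%{User-Name}}: use Stripped-User-Name
    (set when a realm such as @example.com was removed from the login) if it is
    present and non-empty, otherwise fall back to the raw User-Name."""
    stripped = request.get("Stripped-User-Name")
    if stripped:
        return stripped
    return request["User-Name"]


def build_user_filter(request: dict, attribute: str = "cn") -> str:
    """Return the search filter rlm_ldap would send for this request."""
    return f"({attribute}={ldap_filter_escape(xlat_user_name(request))})"


# Constructed sample requests, as a realm-stripping setup would present them.
SAMPLE_REQUESTS = [
    {"User-Name": "alice@example.com", "Stripped-User-Name": "alice"},
    {"User-Name": "bob"},
    {"User-Name": "a*b(c)"},  # a name containing filter metacharacters
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["User-Name"], "->", build_user_filter(req))
```

The third sample shows why escaping matters for a basedn search: without it, `*`, `(` and `)` in the supplied name would change the filter's structure instead of being compared literally against cn.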

3.2.1 Example of a Modified LDAP Module

ldap {
    server = "eDir.test.com"
    identity = "cn=admin,o=org"
    password = secret
    basedn = "o=org"
    filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
    # base_filter = "(objectclass=radiusprofile)"
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
        # Set this to 'yes' to use TLS encrypted connections
        # to the LDAP database by using the StartTLS extended operation.
        # The StartTLS operation is supposed to be used with normal ldap
        # connections instead of using ldaps connections
        start_tls = yes
        cacertfile = /path/to/cacert.pem
        # cacertdir = /path/to/ca/dir/
        # certfile = /path/to/radius.crt
        # keyfile  = /path/to/radius.key
        # randfile = /path/to/rnd
        require_cert = "demand"
    }
    # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
    # profile_attribute = "radiusProfileDn"
    # access_attr = "dialupAccess"
    dictionary_mapping = ${confdir}/ldap.attrmap
    # password_attribute = userPassword
    edir_account_policy_check = no
    # Group membership checking.  Disabled by default.
    # groupname_attribute = cn
    # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{LdapUserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
    # groupmembership_attribute = radiusGroupName
    # compare_check_items = yes
    # do_xlat = yes
    # access_attr_used_for_allow = yes
}

3.2.2 Example for Creating Multiple Instances of an LDAP Module

If you want multiple search bases, you can create multiple LDAP modules by using the following syntax in the modules section of the /etc/raddb/modules/ldap.conf file.

modules {
    ...........
    ...........

    ldap ldap1 {
        attribute = value
        attribute = value
        ...............
        ...............
    }
    ldap ldap2 {
        attribute = value
        attribute = value
        ...............
        ...............
    }
    ldap ldap3 {
        attribute = value
        attribute = value
        ...............
        ...............
    }
}

You can use the configured modules in the authorize, authenticate, and post-authenticate sections by specifying the module name and instance name. For example:

authorize {
    .....
    .....
    ldap ldap1
    ldap ldap2
    .....
    .....
}
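Once several instances exist, it is easy for one of them to drift from the settings the attribute table calls for (require_cert = demand, a cacertfile, the start_tls/tls_mode/port rule, edir_account_policy_check, password_attribute = nspmPassword, access_attr). The Python below is an added example, not code from this documentation or from the FreeRADIUS project: a minimal parser for the `name [instance] { key = value }` syntax used in 3.2.1 and 3.2.2 (no $INCLUDE or multi-line values), and a checker that reports, per ldap instance, where a module departs from the table. It assumes TLS keys may sit either flat in the instance (as the table lists them) or in a `tls { }` subsection (as the 3.2.1 example has them) and merges the two. The sample configuration, its hostname, DNs, paths and the PLACEHOLDER password are constructed for this example.

```python
# Added example (not from the original documentation): parses FreeRADIUS-style
# "name [instance] { key = value }" sections and checks each ldap instance
# against the settings described in the attribute table. The sample
# configuration, its hostname, DNs and paths are constructed for this example.
import re

_OPEN = re.compile(r"^([\w-]+)(?:\s+([\w-]+))?\s*\{$")   # "ldap ldap1 {" or "tls {"
_NAME = re.compile(r"^([\w-]+)(?:\s+([\w-]+))?$")         # "ldap" with "{" on the next line
_KV = re.compile(r"^([\w-]+)\s*=\s*(.*?)$")               # "key = value"


def parse_conf(text):
    """Parse nested sections into dicts; 'ldap ldap1 { }' is stored under 'ldap ldap1'."""
    root = {}
    stack, pending = [root], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):        # blank line or full-line comment
            continue
        if line == "{" and pending is not None:      # brace on its own line
            stack[-1][pending] = section = {}
            stack.append(section)
            pending = None
        elif line == "}":
            stack.pop()
        elif m := _OPEN.match(line):
            stack[-1][" ".join(g for g in m.groups() if g)] = section = {}
            stack.append(section)
        elif m := _KV.match(line):
            stack[-1][m.group(1)] = m.group(2).strip('"')   # drop surrounding quotes
        elif m := _NAME.match(line):
            pending = " ".join(g for g in m.groups() if g)
        else:
            raise ValueError(f"unparsed line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return root


def check_ldap_instance(name, section):
    """Findings for one ldap instance; TLS keys may sit in a tls { } subsection."""
    s = {**section, **section.get("tls", {})}

    def low(key, default=""):
        return s.get(key, default).lower()

    findings = []
    if low("start_tls", "no") != "yes" and low("tls_mode", "no") != "yes":
        findings.append("neither start_tls nor tls_mode is yes: LDAP traffic, including the identity password, is unencrypted")
    if low("start_tls", "no") == "yes" and (low("tls_mode", "no") == "yes" or s.get("port", "389") != "389"):
        findings.append("start_tls = yes requires tls_mode commented out or no, and port 389")
    if low("require_cert") != "demand":
        findings.append("require_cert is not demand: an unverifiable server certificate would not fail authentication")
    if not s.get("cacertfile"):
        findings.append("cacertfile is not set, so the server certificate cannot be verified")
    if low("edir_account_policy_check", "yes") == "no":
        findings.append("edir_account_policy_check = no disables eDirectory account policies and intruder detection")
    if low("password_attribute") != "nspmpassword":       # the value is case-insensitive
        findings.append("password_attribute is not nspmPassword, so Universal Password is not used")
    if "access_attr" not in s:
        findings.append("access_attr is not set; dialupAccess is not consulted to allow or deny users")
    return [f"{name}: {f}" for f in findings]


def check_conf(text):
    """Map each 'ldap' / 'ldap <instance>' section (at root or in modules { }) to its findings."""
    conf = parse_conf(text)
    scope = conf.get("modules", conf)
    return {k: check_ldap_instance(k, v) for k, v in scope.items() if k == "ldap" or k.startswith("ldap ")}


# Constructed sample: ldap1 follows the table, ldap2 drifts from it.
SAMPLE_CONF = """
modules {
    ldap ldap1 {
        server = "edir.example.test"
        identity = "cn=radiusadmin,o=org"
        password = "PLACEHOLDER"
        basedn = "ou=staff,o=org"
        filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
        tls {
            start_tls = yes
            cacertfile = /etc/raddb/certs/edir-ca.pem
            require_cert = "demand"
        }
        password_attribute = nspmpassword
        edir_account_policy_check = yes
        access_attr = "dialupAccess"
    }
    ldap ldap2 {
        basedn = "ou=contractors,o=org"
        tls {
            start_tls = yes
            require_cert = "never"
        }
        edir_account_policy_check = no
    }
}
"""

if __name__ == "__main__":
    for name, findings in check_conf(SAMPLE_CONF).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Run against a real module file with `check_conf(open("/etc/raddb/mods-available/ldap").read())`; the access_attr finding is informational, since the table allows commenting it out when the attribute is not used for access control.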