INSTALLATION

  • download the freeradius-server 2.1.8 .tar.bz2 from freeradius.org into /usr/src/packages/SOURCES/ (check it against the published checksum/signature before building anything from it)
  • extract the freeradius.spec file from the tarball into /usr/src/packages/SPECS/
  • run `rpmbuild -ba /usr/src/packages/SPECS/freeradius.spec` and use YaST to install any build dependencies it reports as missing

The built packages end up under /usr/src/packages/RPMS/x86_64/ (or your architecture's directory). Install the libs package first, then the server:

rpm -ivh freeradius-server-libs-2.1.8-0.x86_64.rpm
rpm -ivh freeradius-server-2.1.8-0.x86_64.rpm

Again, use YaST to satisfy any runtime dependencies.

CONFIGURE

radiusd runs as the radiusd user and group, so fix the ownership and permissions in /etc/raddb/certs: the directory and the server certificate and key must be readable by the radiusd group (and by nobody else), otherwise `radiusd -X` fails at startup when the TLS section of eap.conf tries to load them. The same rule applies to the rest of /etc/raddb, since modules/ldap will hold the LDAP bind password.
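The check a practitioner wants after fixing those permissions is an audit that nothing under the config tree is world-readable and everything is group-readable, plus a fixer that applies directories 0750 / files 0640. The following is an added example, not code from the original post or from the FreeRADIUS project; it runs on a constructed throwaway tree (made by make_sample_tree, with the typical mistakes: a world-readable server key and a 0644 modules/ldap), and the group name is only applied when you pass one, which needs root:

```python
"""Permission audit for a FreeRADIUS config tree such as /etc/raddb.

Added example, not from the original post.  radiusd runs as the radiusd
user/group, so everything under the tree should be readable by that group
and by nobody else (modules/ldap holds the bind password, certs/ holds the
server private key).
"""
import grp
import os
import stat
import tempfile


def audit_perms(root, required_gid=None):
    """Return [(path, problem), ...] for every directory and file under root that
    is world-accessible, not group-readable, or (when required_gid is given)
    not owned by that group.  Symlinks are skipped; their targets are judged."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, n) for n in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & 0o007:
                findings.append((path, "world-accessible (mode %04o)" % mode))
            if not mode & 0o040:
                findings.append((path, "not group-readable (mode %04o)" % mode))
            if required_gid is not None and st.st_gid != required_gid:
                findings.append((path, "gid %d, expected %d" % (st.st_gid, required_gid)))
    return findings


def fix_perms(root, group=None):
    """Directories 0750, files 0640; chgrp to `group` when given (needs root)."""
    gid = grp.getgrnam(group).gr_gid if group else None
    for dirpath, dirnames, filenames in os.walk(root):
        os.chmod(dirpath, 0o750)
        paths = [dirpath]
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            os.chmod(path, 0o640)
            paths.append(path)
        if gid is not None:
            for path in paths:
                os.chown(path, -1, gid)


def make_sample_tree():
    """Constructed input for the demo (not a real /etc/raddb): a temporary tree
    with a world-listable certs/, a world-readable server.key and a 0644
    modules/ldap.  Returns (root, path_of_the_key)."""
    root = tempfile.mkdtemp(prefix="raddb-")
    for sub in ("certs", "modules"):
        os.mkdir(os.path.join(root, sub))
        os.chmod(os.path.join(root, sub), 0o755)
    key = os.path.join(root, "certs", "server.key")
    for path in (key, os.path.join(root, "modules", "ldap")):
        with open(path, "w") as fh:
            fh.write("# constructed placeholder\n")
        os.chmod(path, 0o644)
    return root, key


if __name__ == "__main__":
    root, key = make_sample_tree()
    for path, problem in audit_perms(root):
        print("BEFORE", path, problem)
    fix_perms(root)                     # add group="radiusd" when running as root
    print("AFTER  findings:", audit_perms(root))
```

Run it as root with `fix_perms("/etc/raddb", group="radiusd")` once the output of `audit_perms("/etc/raddb")` looks like what you expect; on the sample tree the audit is empty after the fix.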

In short, all you really need to do is:

  • configure the ldap module
    !!! note: the identity you bind with must be authorized for password retrieval in your Universal Password policy. That account can read every user's cleartext password, so make it a dedicated account with only that right, and keep /etc/raddb/modules/ldap (it holds the bind password) readable by root and the radiusd group only.
    !!! export your tree's CA self-signed certificate to /etc/raddb/certs/rootder.b64; it is what lets radiusd verify the eDirectory server certificate over LDAPS.
  • uncomment "ldap" in the authorize section of /etc/raddb/sites-enabled/inner-tunnel (the PEAP inner identity is authenticated by the inner-tunnel virtual server; a client that sends plain PAP or CHAP requests instead is handled by sites-enabled/default and needs ldap enabled there)
    !!! note: any ldap config in the post-auth section was causing segfaults in 2.1.8 during authentication (see the comments below for the 2.1.10 fix).
  • change default_eap_type from md5 to peap in eap.conf
  • set up a client in clients.conf
/etc/raddb/modules/ldap
---------------------------------
ldap {

        server = "servername"
        # this identity can read Universal Passwords: use a dedicated account with
        # least rights, and keep this file readable only by root and the radiusd group
        identity = "cn=admin,o=org"
        password = thepassword
        basedn = "o=org"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        # LDAPS on 636 (tls_mode = yes), not StartTLS on 389
        port = 636
        tls_mode = yes
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
                 start_tls = no
                 # get this file by exporting the eDir CA self-signed cert;
                 # it is what verifies the eDirectory server certificate
                 cacertfile     = /etc/raddb/certs/rootder.b64
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        # nspmPassword is the Universal Password; fetching it gives the mschap module
        # a Cleartext-Password to check the PEAP/MSCHAPv2 inner authentication against
        password_attribute = nspmPassword
        edir_account_policy_check = yes
        # everyone in this eDir tree is allowed to connect, so the iManager / dial-in
        # access attribute is not used. This needs to be "yes" if you do use it.
        access_attr_used_for_allow = no

        set_auth_type = no
}
/etc/raddb/eap.conf
---------------------------
eap {
        default_eap_type = peap
        ...      # the rest of this file can stay as default (the PEAP inner type defaults to mschapv2, which is what the nspmPassword lookup above feeds)
}
/etc/raddb/sites-enabled/inner-tunnel
--------------------------------------------------
uncomment "ldap" in the authorize section
 !!! note: any ldap config in the post-auth section is causing segfaults in version 2.1.8
 !!! once this bug is fixed you will want to uncomment ldap in the post-auth section too
/etc/raddb/clients.conf
------------------------------
client 192.168.0.0/24 {
        # any host in this /24 can talk RADIUS to the server with this secret; list
        # the individual AP addresses instead where you can. Make the secret long and
        # random: every authenticator in the protocol is an MD5 over the packet plus
        # this secret, so a captured exchange lets anyone guess a weak secret offline.
        secret = somesecretpasswd
        shortname = Wireless_AP
}

Now you should be able to start the server in the foreground with `radiusd -X` and watch the debug output while a client authenticates.
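The shared secret in clients.conf is the only thing that authenticates the access point to the server and the server's replies to the access point. The following added example (not code from the original post or from FreeRADIUS; a stand-alone Python implementation of the RFC 2865 / RFC 3579 mechanics, with a constructed username, password and secret) builds an Access-Request the way a NAS would, lets a "server" answer it, checks the Response Authenticator and the Message-Authenticator, and shows that one captured request/response pair is enough to test candidate secrets offline. That is why the secret must be long and random, and why PEAP keeps the user's real credential inside the TLS tunnel rather than in a User-Password attribute:

```python
"""RADIUS shared-secret mechanics (RFC 2865 / RFC 3579), stand-alone, no network.

Added example, not part of the original post.  The username, password and
secret used below are constructed for illustration.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80


def attr(atype, value):
    """One RADIUS attribute: Type(1) Length(1, header included) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def parse_attrs(pkt):
    """Return [(type, value), ...] for the attributes after the 20-byte header."""
    attrs, i = [], 20
    while i < len(pkt):
        atype, alen = pkt[i], pkt[i + 1]
        if alen < 2 or i + alen > len(pkt):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((atype, pkt[i + 2:i + alen]))
        i += alen
    return attrs


def encode_user_password(password, secret, request_auth):
    """RFC 2865 s5.2: NUL-pad to a multiple of 16, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decode_user_password(cipher, secret, request_auth):
    """Inverse of encode_user_password (what the server does before comparing)."""
    out, prev = b"", request_auth
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier, secret, username, password, request_auth=None):
    """What a NAS sends.  Message-Authenticator is appended last, so its HMAC-MD5
    (computed with the value zeroed) is patched into the final 16 bytes."""
    if request_auth is None:
        request_auth = os.urandom(16)
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, encode_user_password(password, secret, request_auth))
             + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest(), request_auth


def build_response(code, request_pkt, secret, attrs=b""):
    """What the server sends back.  Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request_pkt[1], 20 + len(attrs))
    request_auth = request_pkt[4:20]
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response(response, request_auth, secret):
    """Client side: a reply whose authenticator does not verify was not produced by
    a holder of the secret for this request, or was altered in transit."""
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def verify_message_authenticator(pkt, request_auth, secret):
    """RFC 3579 s3.2: HMAC-MD5 over the packet with the attribute value zeroed and
    the authenticator field set to the Request Authenticator (requests and replies)."""
    i = 20
    while i + 1 < len(pkt):
        atype, alen = pkt[i], pkt[i + 1]
        if alen < 2:
            return False
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = pkt[:4] + request_auth + pkt[20:i + 2] + b"\x00" * 16 + pkt[i + 18:]
            mac = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(mac, pkt[i + 2:i + 18])
        i += alen
    return False


def recover_secret(response, request_auth, candidates):
    """Offline attack on a captured request/response pair: each candidate secret costs
    one MD5 to test against the Response Authenticator and nothing rate-limits it, so the
    secret's strength is all that protects a sniffed exchange from forged Access-Accepts
    and decoded User-Password attributes."""
    for candidate in candidates:
        if verify_response(response, request_auth, candidate):
            return candidate
    return None


if __name__ == "__main__":
    secret = b"somesecretpasswd"            # the placeholder from clients.conf above
    req, ra = build_access_request(7, secret, b"alice", b"hunter2")
    pw = dict(parse_attrs(req))[USER_PASSWORD]
    print("User-Password decodes to", decode_user_password(pw, secret, ra))
    acc = build_response(ACCESS_ACCEPT, req, secret)
    print("Access-Accept verifies:", verify_response(acc, ra, secret))
    print("wordlist hit:", recover_secret(acc, ra, [b"radius", b"secret", secret]))
```

The wordlist loop is deliberately the whole attack: with the 16-character placeholder secret it succeeds on the third guess, and a real attacker runs the same loop against a dictionary. Replace the secret with 32 or more random characters and list each NAS individually, and the captured exchange stops being useful.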

Category: SUSE Linux Enterprise Point of Service, SUSE Linux Enterprise Server, Technical Solutions
This entry was posted Thursday, 22 April, 2010 at 4:51 pm

Comments

  • elagrew says:

    We just recently installed Radiusd on 2 of our OES2/SLES boxes to work with wireless. We struggled with the lack of documentation and the incredible lack of help from Novell on this topic. Glad someone took the time to document something Novell should already have had documented. Thanks!

    –El

  • brunold says:

    In case you do not want to compile the freeradius packages on your own, the openSuSE build server has them precompiled for SLES 10:

    http://software.opensuse.org/search

    Simply select SLES 10 and enter freeradius and then scroll down to the 2.1.8 packages.

    Rainer

  • rogcar says:

    Thanx.
    The ldap stuff in the post auth section was causing segfaults in 2.1.8 during authentication. Has been my problem..
    Thank you !

  • rogcar says:

    I hope this works with SLES 11!!

  • klin8251 says:

    I found that a work around for the segmentation faults was to revert to an older version of the rlm_ldap libraries found in /usr/lib/freeradius/.

    I had previously installed freeradius version 2.1.3, so I just replaced the lib files from version 2.1.8 with those from version 2.1.3 (I found them in /usr/src/packages/BUILD/freeradius-server-2.1.3/src/modules/rlm_ldap/.libs/).

    Files I replaced:
    rlm_ldap-2.1.8 replaced with: rlm_ldap-2.1.3.so
    rlm_ldap.a replaced with: rlm_ldap.a (from 2.1.3)
    rlm_ldap.so -> rlm_ldap-2.1.3.so replaced with: rlm_ldap.so -> rlm_ldap-2.1.8

    If you have a more recent version of freeradius (like 2.1.7), I think that the libs from this version would work too…this was just what I had easy access to.

    Let me know if you need these files.

  • brianrbenson says:

    Interesting work around. One of us should prob submit a bug on this, as the freeradius.org bugs page didn’t have this registered last time I looked.

  • jbascom says:

    Has anyone tested 2.1.9 to see if segmentation fault is fixed?

  • gdoornenbal says:

    Hi there.

    I tried to make freeradius 2.1.X work, 2.1.9 first, later 2.1.8, but I couldn't get LDAP authentication working. It wasn't starting anything with ldap! In the end I figured out that I had to configure the /etc/raddb/sites-enabled/default file instead of the 'inner-tunnel' file.
    Hopefully this is also helpful to others. (Freeradius 2.1.9 is also working!)

    @ jbascom: I have tested turning on ldap further with 2.1.9; I have seen no segfaults, I think this problem is also solved.

  • Techlord says:

    You sir, are a GOD!! This is AWESOME and worked GREAT for me!!

    Matt

  • brianrbenson says:

    2.1.9 was still segfaulting on my x86_64 SLES10 SP3 box when I tried to use the ldap module in the post-auth section…

    If I have time I’ll open a bug on freeradius.org

  • brianrbenson says:

    I want this to work too. I’m going to try 2.1.9

  • jbascom says:

    @gdoornenbal : the addition to the postauth section is what I was looking for confirmation on… post auth settings are necessary to enable account enabled/disabled checking in edir if I recall

    uncomment “ldap” in the authorize section
    !!! note

  • obrieg says:

    I believe the segfaults are related to x64 version of edirectory, I have read that the 32 bit versions don’t get this issue.

  • brianrbenson says:

    I was lucky enough to work with the developer to get this fixed in version 2.1.10

    The post auth works fine now.

  • tobo says:

    Yes – it does. Just activated with the same Configurations on the SLES11 Sp1,64.

  • mjones363 says:

    I cannot get this to work for me. I know I'm doing something wrong; can you explain how you replaced the modules? When I try I get "Failed to link module 'rlm_ldap' : libfreeradius-radius-2.1.3.so: cannot open shared object file: No such object file or directory"

    Thanks
    Mark

  • jbascom says:

    I get a bunch of dependency issues when I try to build on a fresh install of SLES 11 SP1: 15 or so something-devel dependencies, and yast can't seem to find them. Is there an iso I forgot to download that has these? Or is there a repo I should point to to resolve them?

    Looking forward to testing post-auth again in 2.1.10 🙂

  • jbascom says:

    Do the group membership checks work with this edirectory setup? any tips on the attributes and filter settings?

  • brianrbenson says:

    I have not tried on sles11. Most likely you need to get your missing dependencies from the sles11 sdk http://download.novell.com/Download?buildid=fQKpDcAhPVY

  • brianrbenson says:

    never tried it.
