SUSE Conversations


freeRADIUS 2.1.8 on SLES 10 with eDirectory Integration



By: brianrbenson

April 22, 2010 4:51 pm

INSTALLATION

  • download the bzip tarball from freeradius.org to /usr/src/packages/SOURCES/ (check it against the .sig file published next to it before you build anything from it)
  • unpack the freeradius.spec file from the tarball to /usr/src/packages/SPECS/
  • run “rpmbuild -ba /usr/src/packages/SPECS/freeradius.spec” and use YaST to satisfy any build dependencies it complains about.

Packages can be found in /usr/src/packages/RPMS/

rpm -ivh freeradius-server-libs-2.1.8-0.x86_64.rpm
rpm -ivh freeradius-server-2.1.8-0.x86_64.rpm

Again, use YaST to satisfy any dependencies.

CONFIGURE

Change the permissions in /etc/raddb/certs so that the radiusd group can read the server certificate and key (radiusd runs as the radiusd user), otherwise `radiusd -X` will not start. Give the group read access (root:radiusd, 750 on the directory, 640 on the files) rather than making the private key world-readable.

In short, all you really need to do is:

  • configure the ldap module
    !!! note: you need to bind with a user that is authorized for password retrieval in your Universal Password policy. PEAP's inner method is MSCHAPv2, which can only be verified against the clear-text password, so rlm_ldap pulls each user's Universal Password (nspmPassword) through that bind. That makes the bind account a plaintext-credential oracle for the whole tree: keep its password out of world-readable files (/etc/raddb/modules/ldap should be root:radiusd, mode 640) and never let the bind leave the box unencrypted.
    !!! export your tree's CA certificate (Base64/PEM format) to /etc/raddb/certs/rootder.b64. On its own, cacertfile only makes the CA available; the tls section of rlm_ldap defaults to require_cert = "allow", so add require_cert = "demand" there if you want a server presenting the wrong certificate to be rejected instead of tolerated.
  • uncomment “ldap” in the authorize section of /etc/raddb/sites-enabled/inner-tunnel. With PEAP the inner identity is the one that gets looked up, which is why the inner-tunnel virtual server is the right place; the outer request goes through sites-enabled/default, where “eap” is already enabled.
    !!! note that any ldap stuff in the post-auth section was causing segfaults in 2.1.8 during authentication.
  • change default_eap_type from md5 to peap in eap.conf. The tls section of eap.conf points at the server certificate under /etc/raddb/certs; if that is still the test certificate produced by the certs/bootstrap script, replace it with one your supplicants are configured to validate, because a PEAP client that does not check the server certificate will hand its MSCHAPv2 response to any rogue access point.
  • set up a client in clients.conf

/etc/raddb/modules/ldap
---------------------------------
ldap {
        server = "servername"
        # bind user: must be allowed password retrieval by the Universal
        # Password policy; keep this file readable only by root and radiusd
        identity = "cn=admin,o=org"
        password = thepassword
        basedn = "o=org"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        # old-style LDAP-over-SSL on 636 (tls_mode) rather than StartTLS
        port = 636
        tls_mode = yes
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
                start_tls = no
                # get this file by exporting the eDirectory CA's self-signed cert
                cacertfile     = /etc/raddb/certs/rootder.b64
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        # Universal Password retrieval, needed for MSCHAPv2 inside PEAP
        password_attribute = nspmPassword
        edir_account_policy_check = yes
        # I allow everyone in my eDir to connect so I don't use the iManager /
        # dial-in access stuff. This needs to be "yes" if you do.
        access_attr_used_for_allow = no

        set_auth_type = no
}

/etc/raddb/eap.conf
---------------------------
eap {
        default_eap_type = peap
        ...      # the rest of this file can stay as default
}

/etc/raddb/sites-enabled/inner-tunnel
--------------------------------------------------
uncomment "ldap" in the authorize section
 !!! note: any ldap config in the post-auth section causes segfaults in version 2.1.8
 !!! once this bug is fixed you will want to uncomment ldap in the post-auth section too, since that is where the eDirectory account-policy result is acted on

/etc/raddb/clients.conf
------------------------------
# A whole /24 sharing one secret means any host in that subnet can speak to
# the server as the AP. Prefer one client block per NAS with its own long,
# random secret; the shared secret is all that protects the RADIUS exchange.
client 192.168.0.0/24 {
        secret = somesecretpasswd
        shortname = Wireless_AP
}

Now you should be able to start the server in the foreground with `radiusd -X` and watch the debug output. Bear in mind that this output includes the LDAP bind credentials and the passwords of users being authenticated, so redact it before pasting it anywhere.
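As an added example, not part of the original post or of freeRADIUS itself, here is a pre-flight script that walks through the CONFIGURE steps above before you reach for `radiusd -X`: it sets /etc/raddb/certs to the least permissive mode radiusd can live with, turns whatever iManager exported into the PEM file rlm_ldap needs, checks that the LDAPS endpoint chains to that CA and that the bind DN can log in with certificate verification enforced, and prints a per-AP client stanza with a random secret. It assumes GNU coreutils, openssl and the openldap2-client tools on the SLES box; the server name, bind DN, file paths and the radiusd group are the values used in the post, while ap01, 192.168.0.10 and /etc/raddb/ldap.pw are made-up names for the illustration.

```shell
#!/bin/sh
# Pre-flight checks for the freeRADIUS + eDirectory setup above. Added
# example, not code from the original post or the freeRADIUS project.
# Assumptions: GNU coreutils, openssl, openldap2-client; the group "radiusd",
# the server/DN names and /etc/raddb paths are taken from the post.

# 1. /etc/raddb/certs: the radiusd user must read the server key, nobody
#    else should. This is the least-privilege version of "change perms".
fix_cert_perms() {
    dir=$1 group=$2
    chgrp -R "$group" "$dir" &&
    chmod 750 "$dir" &&
    find "$dir" -type f -exec chmod 640 {} +
}

# Lists files under $1 readable by "other"; empty output is what you want.
world_readable_files() {
    find "$1" -type f -perm -004
}

certs_are_private() {
    [ -z "$(world_readable_files "$1")" ]
}

# 2. The CA cert exported from iManager is either "Base64 DER" (already PEM)
#    or raw DER. rlm_ldap's cacertfile must be PEM, so normalise into $2.
normalise_ca_cert() {
    in=$1 out=$2
    if openssl x509 -in "$in" -inform PEM -noout 2>/dev/null; then
        cp "$in" "$out"
    elif openssl x509 -in "$in" -inform DER -out "$out" 2>/dev/null; then
        :   # converted DER -> PEM
    else
        echo "$in is not an X.509 certificate" >&2
        return 1
    fi
    openssl x509 -in "$out" -noout -subject -enddate
}

# 3. Does the LDAPS endpoint actually chain to that CA? This is what the
#    module enforces once require_cert = "demand" is set in its tls {} block.
check_ldaps_chain() {
    server=$1 cacert=$2
    openssl s_client -connect "$server:636" -CAfile "$cacert" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

# 4. Can the bind DN from modules/ldap log in with the CA enforced? The
#    password comes from a mode-600 file written with printf '%s' (no
#    trailing newline), not from the command line where ps would show it.
check_bind() {
    server=$1 binddn=$2 pwfile=$3 cacert=$4
    LDAPTLS_CACERT=$cacert LDAPTLS_REQCERT=demand \
        ldapwhoami -x -H "ldaps://$server:636" -D "$binddn" -y "$pwfile"
}

# 5. clients.conf: one stanza per NAS with a fresh 30-character random
#    secret instead of one secret shared by a whole /24. The secret feeds
#    the MD5 Request Authenticator, so its length and randomness matter.
new_client_stanza() {
    name=$1 ip=$2
    secret=$(openssl rand -hex 15) || return 1
    printf 'client %s {\n\tipaddr = %s\n\tsecret = %s\n\tshortname = %s\n}\n' \
        "$name" "$ip" "$secret" "$name"
}

# Only touch the real paths when asked: sh preflight.sh run /path/to/ca.cer
case "${1:-}" in
run)
    fix_cert_perms /etc/raddb/certs radiusd
    certs_are_private /etc/raddb/certs || echo "world-readable cert files remain" >&2
    normalise_ca_cert "${2:?path of the exported eDirectory CA cert}" /etc/raddb/certs/rootder.b64
    check_ldaps_chain servername /etc/raddb/certs/rootder.b64 || echo "LDAPS chain does not verify" >&2
    check_bind servername "cn=admin,o=org" /etc/raddb/ldap.pw /etc/raddb/certs/rootder.b64
    new_client_stanza ap01 192.168.0.10
    ;;
esac
```

With no arguments the script only defines its functions, so each check can be tried by hand against a scratch directory first. Steps 3 and 4 need the eDirectory server on the network; steps 1, 2 and 5 run anywhere. The chain check mirrors what rlm_ldap itself enforces only after require_cert = "demand" is set in the tls section of modules/ldap, which in 2.1.x defaults to "allow".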

Categories: SUSE Linux Enterprise Point of Service, SUSE Linux Enterprise Server, Technical Solutions

Disclaimer: As with everything else at SUSE Conversations, this content is definitely not supported by SUSE (so don't even think of calling Support if you try something and it blows up).  It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.

21 Comments

  1. By:elagrew

    We just recently installed Radiusd on 2 of our OES2/SLES boxes to work with wireless. We struggled with the lack of documentation and the incredible lack of help from Novell on this topic. Glad someone took the time to document something Novell should already have had documented. Thanks!

    –El

  2. By:brunold

    In case you do not want to compile the freeradius packages on your own, the openSuSE build server has them precompiled for SLES 10:

    http://software.opensuse.org/search

    Simply select SLES 10 and enter freeradius and then scroll down to the 2.1.8 packages.

    Rainer

  3. By:rogcar

    Thanx.
    The ldap stuff in the post auth section was causing segfaults in 2.1.8 during authentication. Has been my problem..
    Thank you !

  4. By:rogcar

    I hope this work with sles 11 !!

  5. By:klin8251

    I found that a work around for the segmentation faults was to revert to an older version of the rlm_ldap libraries found in /usr/lib/freeradius/.

    I had previously installed freeradius version 2.1.3, so I just replaced the lib files from version 2.1.8 with those from version 2.1.3 (I found them in /usr/src/packages/BUILD/freeradius-server-2.1.3/src/modules/rlm_ldap/.libs/).

    Files I replaced:
    rlm_ldap-2.1.8 replaced with: rlm_ldap-2.1.3.so
    rlm_ldap.a replaced with: rlm_ldap.a (from 2.1.3)
    rlm_ldap.so -> rlm_ldap-2.1.3.so replaced with: rlm_ldap.so -> rlm_ldap-2.1.8

    If you have a more recent version of freeradius (like 2.1.7), I think that the libs from this version would work too…this was just what I had easy access to.

    Let me know if you need these files.

  6. By:brianrbenson

    Interesting work around. One of us should prob submit a bug on this, as the freeradius.org bugs page didn’t have this registered last time I looked.

  7. By:jbascom

    Has anyone tested 2.1.9 to see if segmentation fault is fixed?

  8. By:gdoornenbal

    Hi there.

    I tried to make freeradius 2.1.X work, 2.1.9 first, later 2.1.8, but I couldn’t get LDAP authentication working. It wasn’t starting anything with ldap! At the end I figured out that I had to configure the /etc/raddb/sites-enabled/default file instead of the ‘inner-tunnel’ file.
    Hopefully this is also helpful to others. (Freeradius 2.1.9 is also working!)

    @ jbascom: I have tested turning on ldap further with 2.1.9, I have seen no segfaults, I think this problem is also solved.

  9. By:Techlord

    You sir, are a GOD!! This is AWESOME and worked GREAT for me!!

    Matt

  10. By:brianrbenson

    2.1.9 was still segfaulting on my x86_64 SLES10 SP3 box when I tried to use the ldap module in the post-auth section…

    If I have time I’ll open a bug on freeradius.org

  11. By:brianrbenson

    I want this to work too. I’m going to try 2.1.9

  12. By:jbascom

    @gdoornenbal: the addition to the post-auth section is what I was looking for confirmation on… post-auth settings are necessary to enable account enabled/disabled checking in eDir if I recall

    uncomment “ldap” in the authorize section
    !!! note

  13. By:obrieg

    I believe the segfaults are related to x64 version of edirectory, I have read that the 32 bit versions don’t get this issue.

  14. By:brianrbenson

    I was lucky enough to work with the developer to get this fixed in version 2.1.10

    The post auth works fine now.

  15. By:tobo

    Yes – it does. Just activated with the same Configurations on the SLES11 Sp1,64.

  16. By:mjones363

    I cannot get this to work for me. I know I’m doing something wrong; can you explain how you replaced the modules? When I try I get “Failed to link module ‘rlm_ldap’ : libfreeradius-radius-2.1.3.so: cannot open shared object file: No such object file or directory”

    Thanks
    Mark

  17. By:jbascom

    I get a bunch of dependency issues when I try to build on a fresh install of SLES 11 SP1: 15 or so something-devel dependencies… and YaST can’t seem to find them. Is there an ISO I forgot to download that has these? Or is there a repo I should point to to resolve them?

    Looking forward to testing post-auth again in 2.1.10 :)

  18. By:jbascom

    Do the group membership checks work with this edirectory setup? any tips on the attributes and filter settings?

  19. By:brianrbenson

    I have not tried on sles11. Most likely you need to get your missing dependencies from the sles11 sdk http://download.novell.com/Download?buildid=fQKpDcAhPVY

  20. By:brianrbenson

    never tried it.
