Integrating FreeRADIUS and eDirectory

  • 3003857
  • 30-Jul-2007
  • 27-Apr-2012

Environment


Novell eDirectory 8.7 for All Platforms
Novell eDirectory 8.8 for All Platforms
Novell SUSE Linux Enterprise Server 8
Novell SUSE Linux Enterprise Server 9
Novell SUSE Linux Enterprise Server 10
FreeRADIUS

Situation

Implement FreeRADIUS in the Novell network by authenticating against eDirectory for Virtual Private Networks (VPNs), Remote Access Servers (RASs), and other services that speak the RADIUS protocol.

Resolution

Install FreeRADIUS by installing the freeradius-1.x.x RPM file (available in YaST by searching for freeradius).

If using the NMAS RADIUS snap-ins in ConsoleOne to enable users for authentication, set up eDirectory to allow authentication requests from FreeRADIUS using the following process:
  1. Locate the "LDAP Group" object for the server that will authenticate the users.
  2. View the properties.
  3. Click on the "Attribute Mappings" tab.
  4. Click the "Add" button.
  5. Add an "NDS Attribute" of "RADIUS:Enable Dial Access".
  6. In the "Primary LDAP Attribute" box, enter "dialupAccess".
  7. Click the "OK" button.
  8. Refresh NLDAP by unloading and reloading NLDAP at the server's console.
If NOT using the NMAS RADIUS snap-ins, users can be globally enabled by the following process:
  1. Open the /etc/raddb/radiusd.conf file.
  2. Locate the line identifying the access_attr_used_for_allow attribute.
  3. Uncomment this, and set it to "no".
Please note that setting this attribute to "no" inverts the test for the existence of the access_attr (defaults to "dialupAccess"): users that have that attribute returned in LDAP will be rejected, and users without it will be allowed. This gives the ability to enable users collectively but disable specific users. The access_attr is not inherited from containers; FreeRADIUS only reads the attributes returned for the user's own LDAP entry, so it must be set directly on the user object.

Set up FreeRADIUS to send authentication requests to eDirectory:
  1. Copy the /etc/raddb/radiusd.conf to another location so that a backup is present.
  2. Open the /etc/raddb/radiusd.conf file.
  3. Locate the modules section by searching for the line "modules {".
  4. In that section, locate the ldap section (search for ldap).
  5. Change the "server" setting to point to the eDirectory LDAP server that was previously configured.
  6. If anonymous binds are not allowed, uncomment the "identity" and "password" settings and set them to an appropriate eDirectory account (one with rights to read "dialupAccess" / "RADIUS:Enable Dial Access"). What should be here is explained in further detail in the Additional Information section of this document.
  7. Change the "basedn" setting to point to the top organization in the tree (e.g. "o=novell").
  8. If TLS/SSL is a requirement on the server, add a "port = 636" line and a "tls_mode = yes" line to the ldap section. These two configuration directives are not listed by default, but they force SSL on the LDAP connection from the start (LDAPS rather than StartTLS).
  9. "default_profile" and "profile_attribute" are optional settings for obtaining profile information from the LDAP server.
  10. Locate the authorize section start by searching for the line "authorize {".
  11. In that section, uncomment the line for "ldap".
  12. Locate the authenticate section start by searching for the line "authenticate {".
  13. That section also has a "unix" option (authentication against the local /etc/passwd). Comment this out.
  14. A few lines below that, it will have three lines for an "Auth-Type LDAP" subsection. Uncomment those lines.
  15. Save and close the file.
  16. Open the /etc/raddb/users file.
  17. Locate the line setting for "DEFAULT Auth-Type = System".
  18. Change the setting from "System" to "LDAP".
  19. Comment out the "Fall-Through = 1" line immediately below that.
  20. Restart FreeRADIUS (SUSE Linux uses the command "/etc/init.d/radiusd restart").
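The relevant fragments of /etc/raddb/radiusd.conf and /etc/raddb/users as they look after the steps above, including the access_attr settings discussed under the NMAS note. This is an added example, not text from the original document or from the configuration files FreeRADIUS ships; the server name, proxy-user DN, password and tree name are placeholders to be replaced with your own values. Only the lines this document touches are shown; the other modules and section entries in the shipped file stay as they are.

```conf
# /etc/raddb/radiusd.conf (FreeRADIUS 1.x) - ldap module inside "modules { ... }"
modules {
    # ... other modules as shipped ...
    ldap {
        # eDirectory LDAP server (placeholder hostname)
        server = "edir.example.com"
        # Not in the shipped file: force LDAPS from the first packet
        port = 636
        tls_mode = yes
        # Proxy user with rights to read dialupAccess; required when
        # anonymous binds are disabled (placeholder DN and password)
        identity = "cn=radiusproxy,ou=services,o=novell"
        password = "replace-with-proxy-password"
        # Top of the tree to search
        basedn = "o=novell"
        # Shipped default filter; eDirectory maps uid to the user's uniqueID
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        # eDirectory attribute mapped from "RADIUS:Enable Dial Access"
        access_attr = "dialupAccess"
        # yes (default): a user must have dialupAccess to be accepted
        # no: every user is accepted unless dialupAccess exists on the object
        access_attr_used_for_allow = yes
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }
}

authorize {
    preprocess
    # ... other entries as shipped ...
    ldap
    files
}

authenticate {
    Auth-Type PAP {
        pap
    }
    # ... other Auth-Types as shipped ...
    # unix   <- commented out: passwords now come from eDirectory, not /etc/passwd
    Auth-Type LDAP {
        ldap
    }
}
```

```conf
# /etc/raddb/users - the DEFAULT entry
DEFAULT Auth-Type = LDAP
#       Fall-Through = 1
```

With Auth-Type LDAP, FreeRADIUS authenticates a user by binding to eDirectory with the password the client supplied, so this only works for PAP (clear-text) requests; CHAP, MS-CHAP and EAP need the password itself, which is why the Universal Password note under Additional Information requires an administrative "identity".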
It is suggested that the configuration is checked with radtest, e.g. for user "joe" with password "average":
radtest joe average localhost 0 testing123
Here "testing123" is the shared secret configured for the localhost client in /etc/raddb/clients.conf (the default shipped value; change it on a production server). An "Access-Accept" reply demonstrates that FreeRADIUS is operational; an "Access-Reject" or no reply means debugging needs to occur.

Additional Information

Some LDAP settings that might require other adjustments:
  • If TLS is required when using LDAP, set "tls_mode" to "yes", and add a "port = 636" line to the ldap configuration section.
  • If anonymous binds are restricted, create a proxy user that has rights to search the tree, and use it for "identity" and "password".
  • If using Universal Password and any encrypted authentication protocols, set the "identity" and "password" settings in the ldap configuration section to an administrative user name and password.
  • Whichever user is specified in the "identity" option must have rights to read the "RADIUS:Enable Dial Access" attribute; if no identity is specified, the bind is anonymous and the pseudo-user "[Public]" will need those rights.
If FreeRADIUS fails at this point, please consult the Technical Information Document 10100993 for debugging techniques.