Integrating FreeRADIUS authentication and eDirectory

  • 3557425
  • 29-Jun-2007
  • 03-Jul-2012

Environment

freeRadius 1.0.2
All versions of eDirectory / DS

Situation

Integrating FreeRADIUS and eDirectory

Resolution

Set up eDirectory to allow authentication requests from FreeRADIUS. This is done either by extending the schema or by doing the following (but not both):
  1. Locate the "LDAP Group" object for the server that will authenticate the users.
  2. View the properties.
  3. Click on the "Attribute Mappings" tab.
  4. Click the "Add" button.
  5. Add an "NDS Attribute" of "RADIUS:Enable Dial Access".
  6. In the "Primary LDAP Attribute" box, enter "dialupAccess".
  7. Click the "OK" button.
  8. Refresh NLDAP by unloading and reloading NLDAP at the server's console.

Note: If FreeRADIUS will be using an anonymous bind (no identity specified in the FreeRADIUS configuration file), the public pseudo-user must be given rights to the "RADIUS:Enable Dial Access" attribute. If this attribute is not returned to FreeRADIUS because the public user does not have rights, no user will authenticate. RADIUS:Profile objects in eDirectory have an objectClass attribute of "radiusprofile", and that can easily get in the way of some profile attributes on user accounts. You can change what information is returned on the "LDAP Group" object's "Attribute Mappings" tab.

Set up FreeRADIUS to send authentication requests to eDirectory:

  1. Copy the /etc/raddb/radiusd.conf to another location so that a backup is present.
  2. Open the /etc/raddb/radiusd.conf file.
  3. Locate the modules section by searching for the line "modules {".
  4. In that section, locate the ldap section (search for ldap).
  5. Change the "server" setting to point to the eDirectory LDAP server that was previously configured.
  6. If anonymous binds are not allowed, change the "identity" and "password" settings to an appropriate eDirectory account (one with rights to "dialupAccess" or "RADIUS:Enable Dial Access"), and remove the pound sign in front of them.
  7. Change the "basedn" setting to point to the top organization in the tree (e.g. "o=novell").
  8. If TLS/SSL is a requirement on the server, add a "port = 636" line to the ldap section, and a "tls_mode = yes". These two configuration directives are not listed by default, but allow you to force SSL on the LDAP connection from the start.
  9. "default_profile" and "profile_attributes" are optional settings for obtaining profile information from the LDAP server.
  10. Locate the start of the authorize section by searching for the line "authorize {".
  11. In that section, un-comment the line for "ldap".
  12. Locate the start of the authenticate section by searching for the line "authenticate {".
  13. That section also has a "unix" option. Comment this out.
  14. A few lines below that, there are three lines for an "Auth-Type LDAP" subsection - un-comment those lines.
  15. Save and close the file.
  16. Open the /etc/raddb/users file.
  17. Locate the line setting for "DEFAULT Auth-Type = System".
  18. Change the setting from "System" to "LDAP".
  19. Comment out the "Fall-Through = 1" line immediately below that.
  20. Restart FreeRADIUS (SUSE Linux uses the command "/etc/init.d/radiusd restart").
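The following is an added example of what the edited files look like after steps 4-19 on a FreeRADIUS 1.x install; it is not part of the original TID and not a Novell or FreeRADIUS sample file. The server name, bind DN, bind password and the profile DN are constructed placeholders. The "access_attr" and "filter" directives are not mentioned in the steps above and are taken from the stock 1.x sample configuration; "access_attr" is what ties the "dialupAccess" mapping from the first procedure to the access decision.

```conf
# /etc/raddb/radiusd.conf - ldap module inside "modules {" (steps 4-9).
# All names and the password are constructed placeholders, not real values.
modules {
	ldap {
		# Step 5: the eDirectory server whose LDAP Group object carries the
		# "RADIUS:Enable Dial Access" -> dialupAccess mapping
		server = "edir.example.com"

		# Step 6: only needed when anonymous binds are not allowed.  The
		# account needs read rights to "RADIUS:Enable Dial Access".
		identity = "cn=radiusbind,o=novell"
		password = "REPLACE_WITH_BIND_PASSWORD"

		# Step 7: search from the top organization in the tree
		basedn = "o=novell"
		filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"

		# Step 8: LDAPS from the first packet.  Neither line is in the
		# stock file.  The note after step 20 describes "start_tls" as the
		# alternative (StartTLS on the plain port); use one or the other.
		port = 636
		tls_mode = yes
		# start_tls = yes

		# Users that do not return this mapped attribute are rejected
		# (stock 1.x default, assumed here)
		access_attr = "dialupAccess"

		# Step 9: optional profile lookups (the 1.x directive is spelled
		# profile_attribute); left disabled in this example
		# default_profile = "cn=radprofile,ou=dialup,o=novell"
		# profile_attribute = "radiusProfileDn"
	}
}

# Steps 10-11: "ldap" un-commented in authorize
authorize {
	preprocess
	chap
	mschap
	suffix
	ldap
	files
}

# Steps 12-14: "unix" commented out, "Auth-Type LDAP" block un-commented
authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type CHAP {
		chap
	}
	Auth-Type MS-CHAP {
		mschap
	}
#	unix
	Auth-Type LDAP {
		ldap
	}
}

# /etc/raddb/users - steps 16-19 (separate file, shown here for completeness)
DEFAULT	Auth-Type = LDAP
#	Fall-Through = 1
```

Because radiusd.conf now holds a bind password, keep the file readable only by root and the account radiusd runs as, and give the bind account read rights to "RADIUS:Enable Dial Access" only, rather than reusing an administrative identity. Starting the daemon in debug mode ("radiusd -X") shows the LDAP bind and search for each request, which is the quickest way to see whether the attribute is being returned.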

Note: Some LDAP settings might require other adjustments:

  • If TLS is required when using LDAP, set the "start_tls" option to "yes".
  • If anonymous binds are restricted, set the "identity" and "password" settings in the radiusd.conf file to an appropriate user that has rights to the "RADIUS:Enable Dial Access" attribute.

It is suggested that the configuration is checked by running radtest against the local server, e.g. for user "joe" and password "average":

radtest joe average localhost 0 testing123

An Access-Accept reply shows that FreeRADIUS is operational; an Access-Reject or no reply means debugging is needed.

Additional Information

If responses are not what is expected, see the TID for Debugging FreeRADIUS.

Formerly known as TID# 10098726