FreeRADIUS and multiple LDAP authentication sources

  • 3807164
  • 24-Jul-2006
  • 30-Apr-2012

Environment

Novell SUSE Linux Enterprise Server 10
Novell SUSE Linux Enterprise Server 9
FreeRADIUS

Situation

This document describes how to configure FreeRADIUS to use multiple LDAP sources for authentication against eDirectory (for example, for failover, or for separate trees).

Resolution

  1. Open the /etc/raddb/radiusd.conf file.
  2. Copy the ENTIRE ldap { } configuration section (not just the contents).
  3. For each ldap {} section, place a name between the ldap and the opening curly brace (such as the server name).
  4. Adjust the server, identity, password, and all other attributes that are specific to each ldap source.
  5. Locate the "authorize" section by searching for "authorize {".
  6. Comment out the "ldap" option, and place the ldap names chosen in step 3 above on separate lines.
  7. Locate the "authenticate" section by searching for "authenticate {". It contains a subsection "Auth-Type LDAP {".
  8. In the LDAP subsection, comment out "ldap", and place new entries for each source that was set up in step 3.
  9. Restart FreeRADIUS and test it.
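Before restarting in step 9, it is worth checking that the edits from steps 3 to 8 are consistent. The Python script below is an added check written for this article, not part of the article or of FreeRADIUS: it parses the edited sections and reports an ldap instance that is not listed in authorize or in Auth-Type LDAP, a bare "ldap" reference that was not commented out, and an instance that no longer sets tls_mode = yes (the article's own sections use TLS on port 636). SAMPLE_CONF is a constructed excerpt in the shape of the modified sections shown under Additional Information.

```python
import re
# Constructed excerpt shaped like this article's modified sections (two named instances); not the article's file.
SAMPLE_CONF = """ldap jlewis1 {
    tls_mode = yes
}
ldap jlewis7 {
    tls_mode = yes
}
authorize {
    files
    # ldap
    jlewis1
    jlewis7
}
authenticate {
    Auth-Type LDAP {
        # ldap
        jlewis1
        jlewis7
    }
}
"""

def _block(text, header):  # body of the first block whose opening line matches regex `header`, tracking nested braces
    m = re.search(header + r"[ \t]*\{", text, re.M)
    depth, start = 1, m.end() if m else len(text)
    for i in range(start, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[start:i]
    return ""

def check_ldap_instances(conf):
    """Return wiring problems: each 'ldap <name> {' must be listed in authorize and Auth-Type LDAP, no stale bare 'ldap' may remain, and each instance should keep tls_mode = yes."""
    conf = "\n".join(line.split("#", 1)[0] for line in conf.splitlines())  # drop '#' comments first
    names = [n or "ldap" for n in re.findall(r"^[ \t]*ldap(?:[ \t]+([\w.-]+))?[ \t]*\{", conf, re.M)]
    refs = lambda body: re.findall(r"^[ \t]*([\w.-]+)[ \t]*$", body, re.M)  # module references: single-token lines
    authz = refs(_block(conf, r"^[ \t]*authorize"))
    ldap_type = refs(_block(_block(conf, r"^[ \t]*authenticate"), r"^[ \t]*Auth-Type[ \t]+LDAP"))
    problems = []
    for n in names:
        hdr = r"^[ \t]*ldap" + (r"[ \t]+" + re.escape(n) if n != "ldap" else "")
        if not re.search(r"^[ \t]*tls_mode[ \t]*=[ \t]*yes\b", _block(conf, hdr), re.M):
            problems.append(f"{n}: tls_mode = yes not set (bind and user passwords would cross the wire in clear)")
        problems += [f"{n}: defined but not listed in {w}" for w, seen in (("authorize", authz), ("Auth-Type LDAP", ldap_type)) if n not in seen]
    if "ldap" in authz and "ldap" not in names:
        problems.append("authorize: bare 'ldap' still listed but no unnamed ldap {} instance exists")
    problems += [f"Auth-Type LDAP: {r!r} is not a defined ldap instance" for r in ldap_type if r not in names]
    return problems
```

Run it against the edited /etc/raddb/radiusd.conf (read the file into a string and pass it to check_ldap_instances); an empty list means the three sections agree.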

Additional Information

Example sections from the /etc/raddb/radiusd.conf file:

These sections are extracted from the full radiusd.conf file. They are only excerpts and do not comprise the entire file. For each section, the unmodified version is listed first, followed by the modified version.

The ldap {} section (unmodified):

ldap {
server = "jlewis1.provo.novell.com"
identity = "cn=admin,o=novell"
password = novell
basedn = "o=novell"
filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"

port = 636
tls_mode = yes

profile_attribute = "radiusProfileDn"
access_attr = "dialupAccess"

dictionary_mapping = ${raddbdir}/ldap.attrmap

ldap_connections_number = 5

# for EAP/802.1x
password_attribute = nspmPassword
edir_account_policy_check=yes

timeout = 8
timelimit = 3
net_timeout = 1

# so I don't have to enable the users to allow access
access_attr_used_for_allow = no
}

The ldap {} section (modified):

ldap jlewis1 {
server = "jlewis1.provo.novell.com"
identity = "cn=admin,o=novell"
password = novell
basedn = "o=novell"
filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"

port = 636
tls_mode = yes

profile_attribute = "radiusProfileDn"
access_attr = "dialupAccess"

dictionary_mapping = ${raddbdir}/ldap.attrmap

ldap_connections_number = 5

# for EAP/802.1x
password_attribute = nspmPassword
edir_account_policy_check=yes

timeout = 8
timelimit = 3
net_timeout = 1

# so I don't have to enable the users to allow access
access_attr_used_for_allow = no
}

ldap jlewis7 {
server = "jlewis7.provo.novell.com"
identity = "cn=admin,o=novell"
password = novell
basedn = "o=novell"
filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"

port = 636
tls_mode = yes

profile_attribute = "radiusProfileDn"
access_attr = "dialupAccess"

dictionary_mapping = ${raddbdir}/ldap.attrmap

ldap_connections_number = 5

# for EAP/802.1x
password_attribute = nspmPassword
edir_account_policy_check=yes

timeout = 8
timelimit = 3
net_timeout = 1

# so I don't have to enable the users to allow access
access_attr_used_for_allow = no
}

The authorize {} section (unmodified):
authorize {
preprocess

# standard RADIUS protocols
chap
mschap

suffix

# for 802.1x configuration
eap

# check the /etc/raddb/users files for configuration
files

ldap
}

The authorize {} section (modified):
authorize {
preprocess

# standard RADIUS protocols
chap
mschap

suffix

# for 802.1x configuration
eap

# check the /etc/raddb/users files for configuration
files

jlewis1
jlewis7
}

The authenticate {} section (unmodified):
authenticate {
Auth-Type PAP {
pap
}

Auth-Type CHAP {
chap
}

Auth-Type MS-CHAP {
mschap
}

Auth-Type LDAP {
ldap
}

eap
}

The authenticate {} section (modified):
authenticate {
Auth-Type PAP {
pap
}

Auth-Type CHAP {
chap
}

Auth-Type MS-CHAP {
mschap
}

Auth-Type LDAP {
jlewis1
jlewis7
}

eap
}

These sections are only excerpts from the /etc/raddb/radiusd.conf file.