Environment
Novell SUSE Linux Enterprise Server 10
Novell SUSE Linux Enterprise Server 9
FreeRADIUS
Situation
This document describes how to use multiple LDAP sources for
authentication via eDirectory (for example, for failover, or for separate
trees).
Resolution
- Open the /etc/raddb/radiusd.conf file.
- Copy the ENTIRE ldap { } configuration section (not just the contents).
- For each ldap {} section, place a name between the ldap and the opening curly brace (such as the server name).
- Adjust the server, identity, password, and all other attributes that are specific to each ldap source.
- Locate the "authorize" section by searching for "authorize {".
- Comment out the "ldap" option, and place the ldap names chosen in step 3 above on separate lines.
- Locate the "authenticate" section by searching for "authenticate {". There will be a subsection for "Auth-Type LDAP {".
- In the LDAP subsection, comment out "ldap", and place new entries for each source that was set up in step 3.
- Restart FreeRADIUS and test it.
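As an added example (not from this TID and not FreeRADIUS code), the following Python script checks the result of the steps above before the restart in the last step: it parses the named ldap {} instances, the authorize {} section and the Auth-Type LDAP {} subsection from a radiusd.conf, using only the subset of syntax the excerpts under Additional Information use, and reports a source that is defined but not listed in one of the two sections, a name under Auth-Type LDAP that no ldap {} section defines, a copy whose server was left unchanged in step 4, and a copy that no longer binds over LDAPS (port 636, tls_mode = yes) the way the excerpts do. The function names, the parsed subset and the two sample configurations are constructed for this example; the sample configurations only reuse the server names from the excerpts.

```python
# Added for this article (not FreeRADIUS code): check a radiusd.conf that defines
# several named ldap {} instances, the way the Resolution steps leave it.
import re
from dataclasses import dataclass, field
from typing import Optional

SECTION_RE = re.compile(r"^(\S+)(?:\s+(\S+))?\s*\{$")   # "authorize {", "ldap jlewis1 {", "Auth-Type LDAP {"
ATTR_RE = re.compile(r"^([A-Za-z_][\w-]*)\s*=\s*(.*)$")  # "port = 636", "edir_account_policy_check=yes"
REF_RE = re.compile(r"^[\w.-]+$")                        # bare module reference such as "jlewis7"

@dataclass
class Section:
    kind: str                 # "ldap", "authorize", "authenticate", "Auth-Type", ...
    name: Optional[str]       # instance name ("jlewis1") or sub-type ("LDAP"), else None
    attrs: dict = field(default_factory=dict)
    refs: list = field(default_factory=list)
    children: list = field(default_factory=list)

def parse(text: str) -> Section:
    """Parse the subset of radiusd.conf syntax the excerpts use into a Section tree."""
    root = Section("root", None)
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # '#' starts a comment (none of the excerpts quote one)
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unmatched '}}'")
            stack.pop()
        elif (m := SECTION_RE.match(line)):
            sec = Section(m.group(1), m.group(2))
            stack[-1].children.append(sec)
            stack.append(sec)
        elif (m := ATTR_RE.match(line)):
            stack[-1].attrs[m.group(1)] = m.group(2).strip().strip('"')
        elif REF_RE.match(line):
            stack[-1].refs.append(line)
        else:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    if len(stack) != 1:
        raise ValueError("unterminated section at end of file")
    return root

def check(root: Section) -> list:
    """Return the problems found; an empty list means every source is wired in."""
    instances = {s.name or "ldap": s for s in root.children if s.kind == "ldap"}
    authorize_refs = {r for s in root.children if s.kind == "authorize" for r in s.refs}
    ldap_type_refs = {r for s in root.children if s.kind == "authenticate"
                      for sub in s.children if (sub.kind, sub.name) == ("Auth-Type", "LDAP")
                      for r in sub.refs}
    problems, by_server = [], {}
    for name, sec in instances.items():
        # Steps 6 and 8: each source is listed in authorize {} and in Auth-Type LDAP {}.
        if name not in authorize_refs:
            problems.append(f"{name}: not listed in authorize {{}}")
        if name not in ldap_type_refs:
            problems.append(f"{name}: not listed in Auth-Type LDAP {{}}")
        # The excerpts bind as cn=admin over LDAPS (port 636, tls_mode = yes); a copy that
        # loses either setting would send that bind password in clear text.
        if sec.attrs.get("tls_mode") != "yes" or sec.attrs.get("port") != "636":
            problems.append(f"{name}: bind is not over LDAPS (port 636, tls_mode = yes)")
        by_server.setdefault(sec.attrs.get("server", "<missing>"), []).append(name)
    # A name under Auth-Type LDAP that no ldap {} section defines does not resolve to a module.
    for name in ldap_type_refs - set(instances):
        problems.append(f"{name}: referenced in Auth-Type LDAP {{}} but no ldap section defines it")
    # Step 4: each copy points at its own server; a shared value means the copy was not adjusted.
    for server, names in by_server.items():
        if len(names) > 1:
            problems.append(f"{', '.join(sorted(names))}: all point at server {server}")
    return sorted(problems)

def ldap_section(name: str, server: str, tls_mode: str = "yes") -> str:
    """Constructed ldap {} instance in the shape of the article's excerpt."""
    return (f'ldap {name} {{\n    server = "{server}"\n    identity = "cn=admin,o=novell"\n'
            f'    password = novell\n    basedn = "o=novell"\n'
            f'    filter = "(cn=%{{Stripped-User-Name:-%{{User-Name}}}})"\n'
            f'    port = 636\n    tls_mode = {tls_mode}\n}}\n')

AUTH_TAIL = """authorize {
    files
%s}
authenticate {
    Auth-Type LDAP {
%s    }
}
"""
# Constructed: both sources wired in as steps 6 and 8 describe.
GOOD_CONF = (ldap_section("jlewis1", "jlewis1.provo.novell.com")
             + ldap_section("jlewis7", "jlewis7.provo.novell.com")
             + AUTH_TAIL % ("    jlewis1\n    jlewis7\n", "        jlewis1\n        jlewis7\n"))
# Constructed: step 4 skipped on the second copy (same server, tls_mode lost), authorize {} lists
# only one source, and Auth-Type LDAP {} carries a typo.
BAD_CONF = (ldap_section("jlewis1", "jlewis1.provo.novell.com")
            + ldap_section("jlewis7", "jlewis1.provo.novell.com", tls_mode="no")
            + AUTH_TAIL % ("    jlewis1\n", "        jlewis1\n        jlewis8\n"))

if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(label, check(parse(conf)) or "OK")
```

To run it against a real file, call check(parse(open("/etc/raddb/radiusd.conf").read())) after editing and before the restart. Lines the parser cannot handle raise ValueError instead of being skipped, so a file that also uses $INCLUDE directives or other radiusd.conf syntax beyond the excerpts needs the parser extended first.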
Additional Information
Example Sections from the /etc/raddb/radiusd.conf file:
These sections are extracted from the full radiusd.conf file. They are only excerpts and do not comprise the entire file. For each section, the unmodified section is listed first, followed by the resulting modifications.
The ldap {} section (unmodified):
ldap {
    server = "jlewis1.provo.novell.com"
    identity = "cn=admin,o=novell"
    password = novell
    basedn = "o=novell"
    filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
    port = 636
    tls_mode = yes
    profile_attribute = "radiusProfileDn"
    access_attr = "dialupAccess"
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
    # for EAP/802.1x
    password_attribute = nspmPassword
    edir_account_policy_check=yes
    timeout = 8
    timelimit = 3
    net_timeout = 1
    # so I don't have to enable the users to allow access
    access_attr_used_for_allow = no
}
The ldap {} section (modified):
ldap jlewis1 {
    server = "jlewis1.provo.novell.com"
    identity = "cn=admin,o=novell"
    password = novell
    basedn = "o=novell"
    filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
    port = 636
    tls_mode = yes
    profile_attribute = "radiusProfileDn"
    access_attr = "dialupAccess"
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
    # for EAP/802.1x
    password_attribute = nspmPassword
    edir_account_policy_check=yes
    timeout = 8
    timelimit = 3
    net_timeout = 1
    # so I don't have to enable the users to allow access
    access_attr_used_for_allow = no
}
ldap jlewis7 {
    server = "jlewis7.provo.novell.com"
    identity = "cn=admin,o=novell"
    password = novell
    basedn = "o=novell"
    filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
    port = 636
    tls_mode = yes
    profile_attribute = "radiusProfileDn"
    access_attr = "dialupAccess"
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
    # for EAP/802.1x
    password_attribute = nspmPassword
    edir_account_policy_check=yes
    timeout = 8
    timelimit = 3
    net_timeout = 1
    # so I don't have to enable the users to allow access
    access_attr_used_for_allow = no
}
The authorize {} section (unmodified):
authorize {
    preprocess
    # standard RADIUS protocols
    chap
    mschap
    suffix
    # for 802.1x configuration
    eap
    # check the /etc/raddb/users files for configuration
    files
    ldap
}
The authorize {} section (modified):
authorize {
    preprocess
    # standard RADIUS protocols
    chap
    mschap
    suffix
    # for 802.1x configuration
    eap
    # check the /etc/raddb/users files for configuration
    files
    jlewis1
    jlewis7
}
The authenticate {} section (unmodified):
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    Auth-Type LDAP {
        ldap
    }
    eap
}
The authenticate {} section (modified):
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    Auth-Type LDAP {
        jlewis1
        jlewis7
    }
    eap
}