LDAP and FreeRadius they both are know as beasts when it comes to setting them up and configuring them properly. But once you got them they are piece of cake going forward.
I am using both of them since Ubuntu 8.04, but in Ubuntu 10.04 thing has been changed in every aspects, newer versions, different configs etc are some of those changes.
But I got both of them with 10.04 very long time ago but my setup back then were with samba, but this time I have configured them without samba so it just LDAP and FreeRadius. I thought maybe my pain will be gain for someone
Enough talking, lets get to work.
I am assuming that you already have Ubuntu 10.04 [server/desktop] with ssh [not required tho] up and running
I am also assuming that you have setup the static IP for your machine, not required though but good idea
The domain name/tree name we will be using in this examples is
Quote:
dc=myldap,dc=ent
The basic group which will hold our user accounts is
Quote:
cn=Domain Users,ou=Groups,dc=myldap,dc=ent
The users will be in Users OU
Quote:
ou=Users,dc=myldap,dc=ent
Feel free to change any of the above according to you setup So lets start
Be root instead of typing password everytime you use sudo
Quote:
sudo bash
Check update and install if needed
Quote:
apt-get update && apt-get upgrade
Install slapd and its utils
Quote:
sudo apt-get install slapd ldap-utils -y
Add basic schemas in ldap database
Quote:
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
Setup core
Quote:
nano /tmp/mysetup.ldif
And paste the following in it, feel free to change the tree name
Quote:
# Load dynamic backend modules
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb
# Database settings
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=myldap,dc=ent
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=myldap,dc=ent
olcRootPW: mypassword
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn=”cn=admin,dc=myldap,dc=ent” write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base=”” by * read
olcAccess: to * by dn=”cn=admin,dc=myldap,dc=ent” write by * read
Add the above ldif file
Quote:
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/mysetup.ldif
Setup ldap for authentication
Quote:
sudo apt-get –yes install ldap-auth-client
You will be asked few question, answer them very carefully and after reading.
LDAP server in this case is local host so it would ldap://127.0.0.1/
DN would be dc=myldap,dc=ent
Accept Version 3 as default
Answer Yes to next question
Answer No to next question
Ldap root account would be cn=admin,dc=myldap,dc=ent
And ldap root[admin in this case] password would be mypassword
Check setup
Quote:
sudo auth-client-config -t nss -p lac_ldap
There should not be any error at this point, if there is then something is not right
Update pam for ldap authentication
Quote:
sudo pam-auth-update ldap
Make sure ldap is selected at least
Edit ldap.conf to adjust authentication option
Quote:
nano /etc/ldap.conf
Uncomment line 24
Uncomment line 72 and replace hard with soft
Save the file and exit out of it
Copy this file to /etc/ldap/ directory
Quote:
cp /etc/ldap/ldap.conf /etc/ldap/ldap.old
cp /etc/ldap.conf /etc/ldap/
Make home directory where user profiles will be places
Quote:
mkdir /ldaphome
chmod 777 /ldaphome
Setup basic groups and users
Quote:
nano /tmp/myldap.ldif
And paste the following in it
Quote:
# Create top-level object in domain
dn: dc=myldap,dc=ent
objectClass: top
objectClass: dcObject
objectclass: organization
o: Ldap Enterprise
dc: MYLDAP
description: LDAP Enterprise
# Admin user.
dn: cn=admin,dc=myldap,dc=ent
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: mypassword
dn: ou=Groups,dc=myldap,dc=ent
objectClass: organizationalUnit
ou: Groups
dn: cn=Domain Users,ou=Groups,dc=myldap,dc=ent
objectClass: posixGroup
objectClass: top
cn: Domain Users
gidNumber: 513
description: Domain Users
dn: ou=Users,dc=myldap,dc=ent
objectClass: organizationalUnit
ou: Users
dn: uid=rkhan,ou=Users,dc=myldap,dc=ent
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
uid: rkhan
sn: Khan
cn: Ryaz Khan
uidNumber: 30000
gidNumber: 513
userPassword: test
gecos: Ryaz Khan
loginShell: /bin/bash
homeDirectory: /ldaphome/rkhan
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
title: System Administrator
Now add the above ldif file/basic structure to ldap database
Quote:
sudo ldapadd -x -D cn=admin,dc=myldap,dc=ent -w mypassword -f /tmp/myldap.ldif
This should run without any error, if there is/are, something is not right
At this point you should be able to login to your system with user rkhan
You might get error about the home directory does not exists while doing ssh, you can create it manually or if you are using desktop, login with rkhan and it will create the directory. But this is not a show stopper any shape or form
Now lets move to our next setup [freeradius], lets install and setup this monster
Quote:
apt-get install freeradius freeradius-ldap -y
Copy the openldap schema needed for freeradius to work to ldap schema directory
Quote:
cp /usr/share/doc/freeradius/examples/openldap.schema /etc/ldap/schema/
Convert the above schema you just copied to ldif file so it can be added to ldap database
Quote:
nano /tmp/schema_convert.ldif
And paste the following, delete any existing entries from the file, if there is any
Quote:
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
Create ldif file for openldap schema
Quote:
slapcat -f /tmp/schema_convert.ldif -F ~ -n0 -s “cn={7}openldap,cn=schema,cn=config” > /tmp/cn=openldap.ldif
Clean the above ldif file a bit
Quote:
nano /tmp/cn\=openldap.ldif
Remove number and {} from first lines to make it like the following
Quote:
dn: cn=openldap,cn=schema,cn=config
…
cn: openldap
And get rid of following lines, there is no use of these but they will/can cause trouble, they are located at the end of openldap.ldif
Quote:
structuralObjectClass: olcSchemaConfig
entryUUID: c69d2a24-1274-1030-8c56-69db9ca637cf
creatorsName: cn=config
createTimestamp: 20110514125231Z
entryCSN: 20110514125231.473294Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20110514125231Z
Now just add the above cleaned ldif file to ldap database
Quote:
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/cn\=openldap.ldif
Again there should not be any error
To make sure the schemas we have added so far are in place, issue the following
Quote:
sudo ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn
You will get list of all schemas
Now ldap server is ready with frad schema, its time to configure it
I would simply restart both monster [ldap and freeradius] just to be safe, not required though
Quote:
service slapd restart
service freeradius restart
Back to configuration
Quote:
nano /etc/freeradius/modules/ldap
You want to make sure that at least followings are in place, rest of the file is good by default for out setup
Quote:
server = “localhost”
identity = “cn=admin,dc=myldap,dc=ent”
password = mypassword
basedn = “ou=Users,dc=myldap,dc=ent”
filter = “(uid=%{%{Stripped-User-Name}:-%{User-Name}})”
base_filter = “(objectclass=radiusprofile)”
access_attr = “dialupAccess”
password_attribute = userPassword
Tell freeradius to use ldap for authentication by edit the following file
Quote:
nano /etc/freeradius/sites-enabled/default
Uncomment ldap, located on line 170, 181, and 182
Also tell freeradius to use ldap within tunnel as well, otherwise it simply would not work and you will damage your head by hitting it against the wall
Quote:
nano /etc/freeradius/sites-enabled/inner-tunnel
Uncomment line 129 (ldap)
We are pretty much done, so restart both monster [ldap and freeradius]
Quote:
service slapd restart
service freeradius restart
Issue the following command to see that ldap mapping is working correctely
Quote:
freeradius -XXX
If something like following is in place, we are good here, everything is working the way it designed
Quote:
Sat May 14 09:12:39 2011 : Debug: rlm_ldap: Registering ldap_groupcmp for Ldap-Group
Debug: rlm_ldap: Registering ldap_xlat with xlat_name ldap
Debug: rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
Debug: rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
Debug: rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
Debug: rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
Debug: rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
Debug: rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
Debug: rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
Debug: rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
Debug: rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
Debug: rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
Debug: rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
Debug: rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
Debug: rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
Debug: rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
Debug: rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
Debug: rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
Debug: rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
Debug: rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
Debug: rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
Debug: rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
Debug: rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
Debug: rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
Debug: rlm_ldap: LDAP radiusClass mapped to RADIUS Class
Debug: rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
Debug: rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
Debug: rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
Debug: rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
Debug: rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
Debug: rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
Debug: rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
Debug: rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
One last thing, we have to add radiusprofile objectClass and dialupAceess attribute to user rkhan
You can do it right on console, but I would use ldif file
Quote:
nano /tmp/modify.ldif
And paste the following in it
Quote:
dn: uid=rkhan,ou=Users,dc=myldap,dc=ent
changetype: modify
add: objectClass
objectClass: radiusprofile
dn: uid=rkhan,ou=Users,dc=myldap,dc=ent
changetype: modify
add: dialupAccess
dialupAccess: access_attr
Issue the following command to add above entries in user rkhan records
Quote:
sudo ldapmodify -h localhost -p 389 -D “cn=admin,dc=myldap,dc=ent” -w mypassword -f /tmp/modify.ldif
At this point freeradius is all setup with ldap authentication and only rkhan can use freeradius to authenticate against open-ldap.
Setup/allow client, localhost is allowed by default
Quote:
nano /etc/freeradius/clients.conf
Look through the file and make changes where needed
Configure wireless or wired clients and have fun !
I have tested it with my wireless [eap/peap authentication method] setup and it work like a charm everytime
Enjoy!
You can also access this articles at
my website
I already have wrote php script to add user via a web page, it will take care of all 1zz and 2zz in background.
User/administrator just have to fill the form and hit submit and yea ! our new user is ready to use freeradius and can authenticate against our freshly configured ldap server
Let me know if you are interested in that script
Note:- I have tested this setup using plain text password in ldap database
Feel free to email me if you have any question(s)
__________________
Ryaz Khan
cns.selfip.net
ที่มา: http://ubuntuforums.org/showthread.php?t=1760830
