Tips: http://blog.clemanet.com/freeradius-et-openldap/
Installation freeradius et openldap# apt-get install freeradius freeradius-ldap slapd ldap-utilsAjout du schema radius dans le ldap
# cp /usr/share/doc/freeradius/examples/openldap.schema /etc/ldap/schema/radius.schema # echo "include /etc/ldap/schema/radius.schema" > /tmp/schema-convert # mkdir /tmp/ldap_schema && slaptest -f /tmp/schema-convert -F /tmp/ldap_schema
Ouvrir le fichier /tmp/ldap_schema/cn=config/cn=schema/cn={0}radius.ldif
et remplacer:
dn: cn={0}radius objectClass: olcSchemaConfig cn: {0}radius
dn: cn=radius,cn=schema,cn=config objectClass: olcSchemaConfig cn: radius
Puis supprimer les lignes suivantes à la fin du fichier:
structuralObjectClass: olcSchemaConfig entryUUID: d3f8dbfa-297a-1031-9222-176c711ae4e0 creatorsName: cn=config createTimestamp: 20120503144845Z entryCSN: 20120503144845.283270Z#000000#000#000000 modifiersName: cn=config modifyTimestamp: 20120503144845Z
# ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/ldap_schema/cn\=config/cn\=schema/cn\=\{0\}radius.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=radius,cn=schema,cn=config"Configuration du module ldap
Editer /etc/freeradius/modules/ldap
server = "127.0.0.1"
identity = "cn=admin,dc=entrouvert,dc=org"
password = motdepassecomplique
basedn = "dc=entrouvert,dc=org"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
dictionary_mapping = ${confdir}/ldap.attrmap
Activation de ldap pour l’authentification
Dans le fichier /etc/freeradius/sites-available/default:
Section authorize {
...
ldap
...
}
puis
authenticate {
...
Auth-Type LDAP {
ldap
}
...
}
Arrêter le serveur:
# service freeradius stop
Lancer le serveur en mode debug:
# freeradius -X
Vérifier si le serveur répond bien:
radtest <user> <passwd> 127.0.0.1 1 testing123
par exemple:
# radtest 99c543e03c1649de87de47044c86cce3 fef3db94593e4944a8b2cf103b890ea8 127.0.0.1 1 testing123 Sending Access-Request of id 98 to 127.0.0.1 port 1812 User-Name = "99c543e03c1649de87de47044c86cce3" User-Password = "fef3db94593e4944a8b2cf103b890ea8" NAS-IP-Address = 127.0.1.1 NAS-Port = 1 Message-Authenticator = 0x00000000000000000000000000000000 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=98, length=20