# cd /etc/raddb/mods-available
# ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/ldap
# mv ldap ldap.Default
# egrep -v "^\s*(#|$)" ldap.Default > ldap
# vi mods-enabled/ldap
ldap {
server = 'localhost'
base_dn = 'dc=local,dc=domain'
port = 636
start_tls = yes
identity = "uid=binddnldap,cn=users,cn=accounts,dc=local,dc=domain"
#identity = "krbprincipalname=radius/hl251.local.domain@LOCAL.DOMAIN,uid=binddnldap,cn=users,cn=accounts,dc=local,dc=domain"
password = Senha2025
set_auth_type = yes
....
user {
base_dn = "${..base_dn}"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
sasl {
}
}
....
# vi ldap
ldap {
server = 'localhost'
port = 636
identity = "uid=binddnldap,cn=users,cn=accounts,dc=local,dc=domain"
password = Senha2025
base_dn = 'dc=local,dc=domain'
....
user {
base_dn = "${..base_dn}"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
sasl {
}
}
....
tls {
# start_tls = yes
....
# systemctl restart radiusd.service
# radtest <UserLDAP> <SenhaLDAP> localhost 1812 testing123
Sent Access-Request Id 17 from 0.0.0.0:48678 to 127.0.0.1:1812 length 78
User-Name = "UserLDAP"
User-Password = "SenhaLDAP"
NAS-IP-Address = 10.1.10.251
NAS-Port = 1812
Message-Authenticator = 0x00
Cleartext-Password = "SenhaLDAP"
Received Access-Reject Id 17 from 127.0.0.1:1812 to 127.0.0.1:48678 length 38
Message-Authenticator = 0xcfb3bc91a8fa54b7536d0c8d33f8d11e
(0) -: Expected Access-Accept got Access-Reject
Nota: Valide se o link simbólico está criado no diretório mods-enabled para o serviço LDAP.
# Assuming that HOSTNAME is enrolled to IPA realm already,
# run the following on HOSTNAME where RADIUS server will be deployed
# In FreeIPA 4.6+ host principal has permissions to create own services
#
# Obtain a ticket from the host keytab (-k); the host principal is what
# authorises the service creation below, so no admin password is needed.
kinit -k
# Register the RADIUS service principal for this host.
ipa service-add 'radius/HOSTNAME'

# Fetch a keytab for that principal into the raddb directory. The keytab is
# a long-lived credential: root owns it and only the radiusd group may read
# it, so it is never world-readable.
ipa-getkeytab --principal 'radius/HOSTNAME' --keytab /etc/raddb/radius.keytab
chown root:radiusd /etc/raddb/radius.keytab
chmod 0640 /etc/raddb/radius.keytab

# Point radiusd at the keytab for SASL GSSAPI through a systemd drop-in.
# KRB5_CLIENT_KTNAME names the keytab the Kerberos client library uses for
# its own credentials; the leading '-' on the Exec* lines makes systemd
# ignore a failing kdestroy (nothing cached yet is not an error).
# NOTE(review): once GSSAPI binds work, the simple-bind identity/password
# in mods-enabled/ldap is presumably redundant — confirm and drop the
# plaintext password from that file.
drop_in_dir=/etc/systemd/system/radiusd.service.d
mkdir -p "$drop_in_dir"
printf '%s\n' \
  '[Service]' \
  'Environment=KRB5_CLIENT_KTNAME=/etc/raddb/radius.keytab' \
  'ExecStartPre=-/usr/bin/kdestroy -A' \
  'ExecStopPost=-/usr/bin/kdestroy -A' \
  > "$drop_in_dir/krb5_keytab.conf"
systemctl daemon-reload
edit /etc/raddb/mods-enabled/ldap
ldap server = 'LDAP HOSTNAME'
ldap base_dn = 'cn=accounts,dc=example,dc=org'
ldap sasl mech = 'GSSAPI'
ldap sasl realm = 'YOUR REALM'
ldap sasl update control:NT-Password := 'ipaNTHash'
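# How to request certificates from IPA server for RADIUS
# Keep the shipped test certificates aside instead of deleting them.
mv /etc/raddb/certs /etc/raddb/certs.bak
mkdir /etc/raddb/certs
# Generate DH parameters. The documented form is "openssl dhparam [options]
# [numbits]": options first, bit count last. With the count placed first,
# the trailing -out is rejected or silently ignored depending on the OpenSSL
# version, so the file may never be written.
openssl dhparam -out /etc/raddb/certs/dh 2048
# Ask certmonger for a server certificate from the IPA CA: -w waits for
# issuance, -k/-f are the private key and certificate paths, -T the IPA
# profile, -C a command run after each (re)issuance, -N the subject name,
# -D a DNS SAN and -K the Kerberos principal the certificate is tied to.
# NOTE(review): radiusd runs unprivileged — after issuance, confirm the
# radiusd user can read /etc/pki/tls/private/radius.key (ownership/mode),
# otherwise TLS start-up will fail.
ipa-getcert request -w -k /etc/pki/tls/private/radius.key -f /etc/pki/tls/certs/radius.pem -T caIPAserviceCert -C 'systemctl restart radiusd.service' -N HOSTNAME -D HOSTNAME -K radius/HOSTNAME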
if NT hashes will not work against FreeIPA, what should I use in place of:
ldap sasl update control:NT-Password := 'ipaNTHash'
in the /etc/raddb/mods-enabled/ldap file?
radtest -t mschap <ldap-user-uid> <ldap-user-password> 127.0.0.1:1812 0 <FreeRadius-secret>
radtest -t mschap <ldap-user-uid> <ldap-user-password> 127.0.0.1:1812 0 <FreeRadius-secret>