OpenLDAP
LDAP is the usual choice for an identity-management back-end. There are many alternatives to OpenLDAP, but it is widely deployed, well documented and performs well.
Install
# Start With a Clean Slate
apt remove --yes --purge slapd ldap-utils
rm -rf /var/backups/slapd*
# For a non-interactive install, supply the admin password and domain to debconf before running apt-get.
# The password becomes the password of cn=admin,dc=example,dc=org and the domain becomes the base DN dc=example,dc=org.
PASSWORD=somePass
DOMAIN=example.org
echo "slapd slapd/root_password password $PASSWORD" | debconf-set-selections && \
echo "slapd slapd/root_password_again password $PASSWORD" | debconf-set-selections && \
echo "slapd slapd/domain string $DOMAIN" | debconf-set-selections && \
echo "slapd shared/organization string $DOMAIN" | debconf-set-selections && \
DEBIAN_FRONTEND=noninteractive apt-get install -y slapd ldap-utils
Configure
Create Sample LDAP Data
Create one text file that describes how we want to organize people, and a second one for a user 'bob'. Notice that the userPassword field holds the NT hash that smbencrypt hello prints (its NT Hash column), prefixed with '{nthash}'. That header is what FreeRADIUS's pap module looks for: it tells FreeRADIUS the value is already an NT hash rather than a clear-text password, so it can be converted to NT-Password and used by mschap. OpenLDAP has no such password scheme of its own, so the same header also prevents users from (easily) binding to OpenLDAP with that password, because slapd cannot verify it.
vi people.ldif
dn: ou=people,dc=example,dc=org
objectClass: organizationalUnit
ou: people
vi bob.ldif
dn: cn=bob,ou=people,dc=example,dc=org
objectClass: person
cn: bob
sn: roberts
description: staff
userPassword: {nthash}066DDFD4EF0E9CD7C256FE77191EF43C
Now we’ll add the people organizational unit and the user bob.
ldapadd -x -W -D cn=admin,dc=example,dc=org -f people.ldif
ldapadd -x -W -D cn=admin,dc=example,dc=org -f bob.ldif
ldapsearch -x -LLL -b dc=example,dc=org
When you view your additions the userPassword field will look different than expected: ldapsearch prints it as userPassword:: followed by a base64 string (the double colon marks a base64 value; OpenLDAP always encodes userPassword this way). You can decode it with echo (contents) | base64 --decode if you need to check that the '{nthash}' header survived.
Note: If you get the LDAP error ldap_bind: Invalid credentials (49), the admin password is not what you think it is; refer below to reset the root password.
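The two things the section above does by hand, computing the '{nthash}' value for userPassword and decoding the base64 that ldapsearch prints back, are worth having as a script once you import more than one user. The following is an added example, not code from the page or from OpenLDAP/FreeRADIUS. It assumes the page's base DN dc=example,dc=org, carries its own MD4 because Python builds on OpenSSL 3 usually refuse hashlib.new("md4"), and works on a constructed copy of ldapsearch output (the second user, alice, is hypothetical and stored with an {SSHA} header to show what the check flags).

```python
"""Added example: build {nthash} userPassword values for LDIF and read them
back out of `ldapsearch -x -LLL` output. Not part of the original page."""
import base64
import struct

_M = 0xFFFFFFFF


def _rot(x, n):
    return ((x << n) | (x >> (32 - n))) & _M


def md4(msg: bytes) -> bytes:
    """RFC 1320 MD4. The NT hash is MD4 over the UTF-16LE encoded password."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    # Padding: 0x80, zeros up to 56 mod 64, then the bit length as little-endian u64.
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", len(msg) * 8)
    k2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    k3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    rounds = ((F, range(16), 0, (3, 7, 11, 19)),
              (G, k2, 0x5A827999, (3, 5, 9, 13)),
              (H, k3, 0x6ED9EBA1, (3, 9, 11, 15)))
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        r = h[:]
        for fn, order, const, shifts in rounds:
            for i, k in enumerate(order):
                j = -i % 4                       # register updated this step: A, D, C, B, ...
                x, y, z = r[(j + 1) % 4], r[(j + 2) % 4], r[(j + 3) % 4]
                r[j] = _rot((r[j] + fn(x, y, z) + X[k] + const) & _M, shifts[i % 4])
        h = [(a + b) & _M for a, b in zip(h, r)]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """Same value smbencrypt prints in its NT Hash column."""
    return md4(password.encode("utf-16-le")).hex().upper()


def user_ldif(cn, sn, password, description="staff", base="ou=people,dc=example,dc=org"):
    """One entry in the shape of bob.ldif; the password is stored as {nthash}<hex>."""
    return "\n".join([f"dn: cn={cn},{base}", "objectClass: person", f"cn: {cn}",
                      f"sn: {sn}", f"description: {description}",
                      f"userPassword: {{nthash}}{nt_hash(password)}", ""])


def parse_ldif(text: str):
    """ldapsearch -LLL output -> list of {attr: [values]}. Unfolds lines that were
    wrapped (continuation lines start with a space) and decodes 'attr:: base64'."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], None
    for line in lines + [""]:                    # trailing "" flushes the last entry
        if not line.strip() or line.startswith("#"):
            if cur:
                entries.append(cur)
            cur = None
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):                 # '::' means the value is base64
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if name == "dn":
            cur = {}
        if cur is None:
            continue
        cur.setdefault(name, []).append(value)
    return entries


def password_scheme(entry):
    """'{nthash}...' -> 'nthash'; None when the value carries no {scheme} header."""
    pw = entry.get("userPassword", [""])[0]
    if pw.startswith("{") and "}" in pw:
        return pw[1:pw.index("}")].lower()
    return None


def entries_without_nthash(ldif_text):
    """DNs whose stored password FreeRADIUS' mschap module cannot use."""
    return [e["dn"][0] for e in parse_ldif(ldif_text) if password_scheme(e) != "nthash"]


# Constructed sample of what `ldapsearch -x -LLL -b dc=example,dc=org` prints for bob,
# plus a hypothetical user whose password was set with ldappasswd and so has an {SSHA} header.
SAMPLE = (
    "dn: cn=bob,ou=people,dc=example,dc=org\nobjectClass: person\ncn: bob\nsn: roberts\n"
    "description: staff\n"
    "userPassword:: e250aGFzaH0wNjZEREZENEVGMEU5Q0Q3QzI1NkZFNzcxOTFFRjQzQw==\n\n"
    "dn: cn=alice,ou=people,dc=example,dc=org\nobjectClass: person\ncn: alice\nsn: smith\n"
    "userPassword:: " + base64.b64encode(b"{SSHA}not-a-real-digest").decode() + "\n"
)

if __name__ == "__main__":
    print(user_ldif("bob", "roberts", "hello"))
    for e in parse_ldif(SAMPLE):
        print(e["dn"][0], "->", e["userPassword"][0])
    print("no {nthash} header:", entries_without_nthash(SAMPLE))
```

Pipe the output of user_ldif into ldapadd exactly as with bob.ldif; run entries_without_nthash over a full ldapsearch dump before pointing FreeRADIUS at the directory, since any user stored with a different scheme will get Access-Reject from mschap even though the password is "right".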
Configure FreeRADIUS to search LDAP
We added the FreeRADIUS LDAP module (the freeradius-ldap package) when we installed FreeRADIUS, so all we need to do is make a couple of edits.
vim /etc/freeradius/3.0/mods-available/ldap
# At the top, add the credentials of the LDAP admin account and the base DN, or use your own details.
# Binding as cn=admin is fine for a lab; for production create a dedicated read-only bind account
# instead, since this password sits in a config file. 'server' stays at its default of localhost here.
identity = 'cn=admin,dc=example,dc=org'
password = somePass
base_dn = 'ou=people,dc=example,dc=org'
# Further down in the 'update' section, leave the Password-With-Header line alone (it is what carries
# the '{nthash}' value from userPassword to the pap and mschap modules), comment out the generic
# control, request and reply mappings, and add your own reply that returns the LDAP attribute
# 'description' as the RADIUS attribute 'User-Category'
control:Password-With-Header += 'userPassword'
#control: += 'radiusControlAttribute'
#request: += 'radiusRequestAttribute'
#reply: += 'radiusReplyAttribute'
reply:User-Category := 'description'
# In the 'user' section change the filter from `uid=` to `cn=`. The entry above names the user in
# cn and uses objectClass person, which has no uid attribute, so the shipped `(uid=...)` filter
# would find nothing and every login would be rejected.
filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})"
Enable LDAP and Test
# Enable the module, as before, by linking it into mods-enabled
ln -s /etc/freeradius/3.0/mods-available/ldap /etc/freeradius/3.0/mods-enabled/ldap
# Restart in debug mode (or stop the service and run freeradius -X) and test the login
/etc/init.d/freeradius debug
radtest -t mschap bob hello localhost 0 testing123
Once again, you should see the Received Access-Accept message. In the debug output, check that rlm_ldap reports finding bob's entry under ou=people and that the reply carries User-Category = "staff"; if you get Access-Reject instead, the usual causes are a filter that does not match the entry or a userPassword without the '{nthash}' header.
Next Steps
At this point, you have a working FreeRADIUS with an OpenLDAP back-end. All you need to do is import your users and you’re ready for production…well, you should secure it first.
Encrypt FreeRADIUS and OpenLDAP With Let’s Encrypt