LDAP Authentication using FreeRADIUS
Solutions for RADIUS server
Published Oct 7, 2022 (2 min read)
Overview
A RADIUS request is created and sent to the FreeRADIUS server. The RADIUS server then queries the LDAP (Lightweight Directory Access Protocol) server to check whether the user exists and has the right credentials.
Step By Step
1. Install the freeradius-ldap package on freeradius-srv
# stop the service if freeradius is running
systemctl stop freeradius
sudo apt install freeradius-ldap
2. Install and set up LDAP on freeradius-client
# update and install packages
sudo apt update
sudo apt -y install slapd ldap-utils
# configure ldap
dpkg-reconfigure slapd
# verify
slapcat
3. Add the base DN and a user to LDAP on freeradius-client
- Edit the file basedn.ldif to create the base DN
vi basedn.ldif
...
dn: ou=people,dc=boer,dc=id
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=boer,dc=id
objectClass: organizationalUnit
ou: groups
...
ldapadd -x -D cn=admin,dc=boer,dc=id -W -f basedn.ldif
- Edit the file to create the user
vi user-alex.ldif
...
dn: uid=alex,ou=People,dc=boer,dc=id
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: alex
sn: xela
givenName: alex
cn: Alex Xela
displayName: Alex Xela
uidNumber: 10002
gidNumber: 5000
userPassword: {SSHA}PD1jhbdN4QYt+/F10sy0i6AC/CI9mfIw
gecos: Alex Xela
loginShell: /bin/bash
homeDirectory: /home/alex
...
ldapadd -x -D cn=admin,dc=boer,dc=id -W -f user-alex.ldif
- Verify
# Verify
slapcat
4. Add the virtual server my_server with the ldap config on freeradius-srv
vi /etc/freeradius/3.0/sites-enabled/my_server
...
server my_server {
    listen {
        type = auth
        ipaddr = *
        port = 1812
    }
    authorize {
        ldap
        if (ok || updated) {
            update control {
                Auth-Type := ldap
            }
        }
    }
    authenticate {
        Auth-Type LDAP {
            ldap
        }
    }
}
...
5. Enable the ldap module and edit its config on freeradius-srv
cp /etc/freeradius/3.0/mods-available/ldap /etc/freeradius/3.0/mods-enabled/
vi /etc/freeradius/3.0/mods-enabled/ldap
...
ldap {
    server = '172.100.1.211'
    identity = 'cn=admin,dc=boer,dc=id'
    password = p@ssw0rd
    base_dn = 'dc=boer,dc=id'
    ...
6. Make sure the client host (here the same machine that runs the LDAP server) is already added to the clients configuration on freeradius-srv
cat /etc/freeradius/3.0/clients.conf
client freeradius-client {
    ipaddr = 172.100.1.211
    secret = StrongSecret
}
Testing
- FreeRADIUS server
freeradius -X
- FreeRADIUS Client
radtest {ldap-user} {ldap-user-password} {IP-freeradius-srv} 1812 {shared-secret}
radtest alex alexpassword 172.100.1.210 1812 StrongSecret
If the connection is successful
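As an added example (not part of the original post), the {SSHA} userPassword format used in user-alex.ldif above, which slapd checks when the ldap module binds as the user in the authenticate section: make_ssha builds such a value the way slappasswd does, check_ssha verifies one. PAGE_HASH is the hash copied from the LDIF; its cleartext is not known here, so only its layout is inspected.

```python
# Added example, not from the original post: build and verify OpenLDAP
# {SSHA} userPassword values like the one in user-alex.ldif.
# Layout: "{SSHA}" + base64( sha1(password + salt) + salt ), salt usually 4 bytes.
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

SHA1_LEN = 20  # SHA-1 digest length; every byte after it is the salt

# The hash taken from user-alex.ldif above; its password is not known here,
# so the example only checks its layout, never its cleartext.
PAGE_HASH = "{SSHA}PD1jhbdN4QYt+/F10sy0i6AC/CI9mfIw"


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Return an {SSHA} value for password (random 4-byte salt, like slappasswd)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(stored: str) -> Tuple[bytes, bytes]:
    """Return (digest, salt) from an {SSHA} value; raise on malformed input."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    if len(raw) <= SHA1_LEN:
        raise ValueError("{SSHA} value too short to hold a digest and a salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def check_ssha(password: str, stored: str) -> bool:
    """Verify password against stored, as slapd does for a simple bind."""
    digest, salt = split_ssha(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # constant-time comparison so a wrong guess does not leak timing
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    h = make_ssha("alexpassword")
    print(h, check_ssha("alexpassword", h), check_ssha("wrong", h))
    print("salt bytes in the LDIF hash:", len(split_ssha(PAGE_HASH)[1]))
```

SSHA is a single salted SHA-1, so it gives little resistance to offline guessing if the directory is dumped; OpenLDAP's contrib password modules offer {PBKDF2-SHA512} and {ARGON2} schemes that can be selected with the password-hash directive.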