guide on configuring freeradius 3 LDAP

Alan DeKok aland at deployingradius.com
Thu Jan 18 20:29:30 CET 2018 

On Jan 18, 2018, at 1:18 PM, Douglas C Ward <douglas at ugutech.com> wrote:
> I just joined the list recently, in hopes to get some help in configuring LDAP on my FreeRADIUS server. I have found a lot of documentation for FreeRADIUS v2, dating from 2011 and 2014, etc. But no clear step-by-step to enable LDAP for v3. My server is version 3.0.15. I have worked through the initial setup on the http://wiki.freeradius.org/guide/Getting-Started <http://wiki.freeradius.org/guide/Getting-Started> and was able to connect with “Access-Accept”. But now I want to connect an LDAP server (specifically, a VLDAP server from OneLogin). I have all their docs, and have all the base DN and Bind DN info. But the documentation at http://wiki.freeradius.org/modules/Rlm_ldap <http://wiki.freeradius.org/modules/Rlm_ldap> seem to “start in the middle” for me. It says you "can"…
> 
> "To enable LDAP in your FreeRADIUS server, you can:
> 
> • instantiate an ldap module - which sets up the server name, the base DN, etc
> • authenticate using an ldap module instance - which makes the FreeRADIUS server verify the user's identity in the LDAP directory, usually involving some form of checking the validity of the password
> • authorize using an ldap module instance - which makes the FreeRADIUS server verify the user's level of authorization in the LDAP directory, usually involving verifying group membership or similar"
> 
> … but I don’t have enough experience to evaluate those options, or know how to do any of them. So I am looking for a simple  “how to enable LDAP on FreeRADIUS 3” that I can follow to get things working, and learn from there. Thank you.

  Edit raddb/mods-available/ldap.  Configure it.

  i.e. *read* the comments.  They tell you what the options do, and how they work.  Fill in the configuration as necessary.

  Start the server in debug mode.  Send it a test packet using "radtest".  Use a name/password that's in LDAP.

  If it gets Access-Accept, you're good!

  If not, *read* the debug output to see what it's doing.  If you don't understand it, post it here.

  It really is that simple.  The "radtest" example *should* work if the LDAP module (a) talks to the LDAP server, and (b) is configured to search the right part of the LDAP tree.

  The default configuration is designed to work with minimal edits.  So do minimal edits, and it will work.

  Alan DeKok.

More information about the Freeradius-Users mailing list