FreeRADIUS 3 and ldap

Alan DeKok aland at deployingradius.com
Mon Nov 26 23:00:05 CET 2018


On Nov 26, 2018, at 2:38 PM, Victor Cenac <victor at fuller.edu> wrote:
> 
> The info graciously provided by Alan seems to not match my version... or I
> need more hand holding. My installation is on ubuntu server 18.04 and I
> installed freeradius with apt-get. So I have version 3.0.16+dfsg-1ubuntu3.
> Following some other instructions I also installed freeradius-ldap.
> My installation is here:
> /etc/freeradius/3.0
> so no radb folder, but that's not a big deal, as I assume on other OS the
> install is in /etc/radb/

 The default is /etc/raddb.  Different operating systems change our packaging, and put the files into different places.

  I don't know which version you have, so I just use *our* defaults, and hope that people can figure it out.

> In my version the ldap module is enabled according to these instructions in
> mods-available/README.rst:

 Please don't post documentation to the list.  We already know it.

> Which I did. According to this explanation, that's all I had to do to make
> the FreeRADIUS use the ldap.

 You also need to configure the LDAP module itself.  i.e. point to the correct LDAP server, admin account, etc.

> Now, to do the matching between the ldap attributes (group membership) and
> the vlan communicated by the radius server to the switch... I found this in
> the ldap file (in mods-available):

 Again, there's no need to post this to the list.  We're already familiar with that file.

> Is this the right place? Which lines do I repeat for multiple group-->vlan
> translation?
> For example:
> ldap group Staff = vlan 1
> ldap group Student = vlan 2

 No.  What you do is READ MY PREVIOUS MESSAGE.  If you're not sure what it means, ASK.

 What I said was to do this:

      if (LDAP-Group == "staff") {
              update reply {
                      # attribute names are hyphenated: Tunnel-Type, not "Tunnel Type"
                      Tunnel-Type := VLAN
                      Tunnel-Medium-Type := IEEE-802
                      Tunnel-Private-Group-Id := 10
              }
      }

 This configuration goes into a virtual server, along with all of the other "if" and "update" blocks.  As per the "man unlang" documentation, and as per the dozens of other examples.

 Alan DeKok.
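As an added illustration (not part of Alan's message or the FreeRADIUS distribution), the same block repeated once per group for the Staff/Student mapping asked about above. The post-auth placement, the exact group names and the reject fallback are assumptions to adjust for your site.

```unlang
# Added example, not from the original message.
# Assumes: the ldap module is configured and working, the directory
# group names are "Staff" and "Student", and this lives in the
# post-auth section of the virtual server the switch talks to
# (e.g. sites-enabled/default).
post-auth {
        if (LDAP-Group == "Staff") {
                update reply {
                        Tunnel-Type := VLAN
                        Tunnel-Medium-Type := IEEE-802
                        Tunnel-Private-Group-Id := 1
                }
        }
        elsif (LDAP-Group == "Student") {
                update reply {
                        Tunnel-Type := VLAN
                        Tunnel-Medium-Type := IEEE-802
                        Tunnel-Private-Group-Id := 2
                }
        }
        else {
                # user authenticated but is in no mapped group:
                # reject instead of letting the switch pick a default VLAN
                reject
        }
}
```

Each additional group is one more elsif block with its own Tunnel-Private-Group-Id; run the server with -X and check the debug output to confirm which branch matched.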
