Question about FreeRADIUS and LDAP

Alan DeKok aland at deployingradius.com
Fri Oct 2 20:59:08 CEST 2020


On Oct 2, 2020, at 12:54 PM, rainer at ultra-secure.de wrote:
> I think I've managed to get authentication against a CentOS 8 389-server working.

  That's good.

> https://www.nasirhafeez.com/freeradius-with-ldaps-on-azure-ad-domain-services/
> 
> Now, traditionally, our users and the configuration are just in a text-file "users" with the password in clear-text.
> 
> If I move the users (and only the users) into 389-server, what would the text-file look like?

  It depends on what you want to do...

  What do you mean "move the users" into 389?  *What* information are you moving over?

  As background, FreeRADIUS doesn't really have "users" as such.  It has things configured in databases.  The "users" file is one such database.

> 
> Currently, an entry looks like this:
> 
> bla at blue  Cleartext-Password := "test"
>        Service-Type = Framed-User,
>        Framed-Protocol = PPP,
>        Framed-Address = 192.168.1.5,
>        Framed-Netmask = 255.255.255.0,
>        Framed-Routing = None,
>        Cisco-AVPair = "vpdn:tunnel-id=VRF1",
>        Cisco-AVPair = "vpdn:tunnel-type=l2tp",
>        Cisco-AVPair = "vpdn:ip-addresses=a.b.c.d",
>        Cisco-AVPair = "vpdn:l2tp-tunnel-password=**********",
>        Cisco-AVPair = "lcp:interface-config#1=ip vrf forwarding bla at blue",
>        Cisco-AVPair = "lcp:interface-config#2=ip unnumbered Loopback80"
> 
> Or is it better to move everything to LDAP anyway?

  It depends on what you want to do...

> The iplanet schema seems to import, after adding
> changetype: modify
> add: attributetypes
> 
> But it's missing some of the above key-words.
> How do I add these?

  Missing WHAT?  It helps to be specific.

  The documentation in mods-available/ldap explains exactly how to put attributes into LDAP.  The "users" file documentation describes how to configure attributes in the "users" file.

  So... you should be able to take attributes from the "users" file, and put them into LDAP.  As per the documentation.  If you have a specific question, please ask that.  Right now, it's all "I tried to do stuff, and it didn't work".

  Computers don't work on hand-waving.

  Alan DeKok.
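The step Alan points at (take the check and reply items out of a "users" entry and put them into LDAP per the mods-available/ldap documentation) is mechanical enough to script. The converter below is an added example and is not part of the original thread or of FreeRADIUS itself. It parses "users"-file entries like the one quoted above and emits LDIF. The sample entries, the user names, addresses and tunnel values are constructed for this example; the LDAP attribute names (objectClass `radiusprofile`, `radiusControlAttribute`, `radiusReplyAttribute`, `userPassword`) and the base DN are assumptions taken from the default `update { ... }` section of mods-available/ldap and the FreeRADIUS LDAP schema, so verify them against the schema you actually loaded into 389-server.

```python
"""
Added example (not from the mailing-list post or the FreeRADIUS project):
convert FreeRADIUS "users"-file entries into LDIF so the same check and
reply items can be stored in an LDAP directory.

Assumptions, to be verified against your own schema and mods-available/ldap:
  * objectClass 'radiusprofile' from the FreeRADIUS LDAP schema is loaded;
  * 'radiusControlAttribute' / 'radiusReplyAttribute' hold raw
    "Attribute op value" strings, which is what the default
    'control: += ...' / 'reply: += ...' mappings in mods-available/ldap expect;
  * the password goes into 'userPassword' (default mapping for
    control:Password-With-Header).
"""
import base64
import re
from dataclasses import dataclass, field

# Constructed sample in "users"-file syntax (names and values are made up).
SAMPLE_USERS_FILE = '''\
alice@blue  Cleartext-Password := "test"
       Service-Type = Framed-User,
       Framed-Protocol = PPP,
       Framed-Address = 192.168.1.5,
       Cisco-AVPair = "vpdn:tunnel-id=VRF1",
       Cisco-AVPair = "lcp:interface-config#1=ip vrf forwarding alice@blue"

bob@green  Cleartext-Password := "secret", Simultaneous-Use := 1
       Framed-Protocol = PPP
'''

# Operators accepted in the "users" file; longest first so "==" wins over "=".
OPS = sorted(('==', ':=', '+=', '!=', '=~', '!~', '<=', '>=', '=', '<', '>'),
             key=len, reverse=True)
PAIR_RE = re.compile(r'^([\w.\-]+)\s*(' + '|'.join(map(re.escape, OPS)) + r')\s*(.*)$')


@dataclass
class UsersEntry:
    name: str
    check: list = field(default_factory=list)  # (attr, op, raw_value) from the first line
    reply: list = field(default_factory=list)  # (attr, op, raw_value) from continuation lines


def split_pairs(text):
    """Split 'A = "x, y", B = z' on commas that are outside double quotes."""
    parts, buf, in_quote = [], [], False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        if ch == ',' and not in_quote:
            parts.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append(''.join(buf).strip())
    return [p for p in parts if p]           # drops the empty tail after a trailing comma


def parse_pair(text):
    """'Framed-Protocol = PPP' -> ('Framed-Protocol', '=', 'PPP'); quotes are kept."""
    m = PAIR_RE.match(text.strip())
    if not m:
        raise ValueError(f"cannot parse attribute pair: {text!r}")
    attr, op, value = m.groups()
    return attr, op, value.strip()


def unquote(value):
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value


def parse_users_file(text):
    """Entries start in column 0 (name + check items); indented lines hold reply items."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[0] in ' \t':                  # continuation line: reply items
            if not entries:
                raise ValueError("reply items before any entry name")
            entries[-1].reply.extend(parse_pair(p) for p in split_pairs(raw))
        else:                                # new entry: name, then check items
            head = raw.split(None, 1)
            entry = UsersEntry(head[0])
            if len(head) > 1:
                entry.check.extend(parse_pair(p) for p in split_pairs(head[1]))
            entries.append(entry)
    return entries


def ldif_line(attr, value):
    """Base64-encode values LDIF cannot carry literally (RFC 2849 safe-string rules)."""
    if not value.isascii() or value[:1] in (' ', ':', '<') or value.endswith(' '):
        return f"{attr}:: {base64.b64encode(value.encode()).decode()}"
    return f"{attr}: {value}"


def to_ldif(entry, base_dn="ou=people,dc=example,dc=com"):
    """Render one entry as LDIF using the assumed attribute names (see docstring)."""
    lines = [f"dn: uid={entry.name},{base_dn}", "objectClass: top",
             "objectClass: radiusprofile", ldif_line("uid", entry.name)]
    for attr, op, value in entry.check:
        if attr == "Cleartext-Password" and op == ":=":
            lines.append(ldif_line("userPassword", unquote(value)))
        else:
            lines.append(ldif_line("radiusControlAttribute", f"{attr} {op} {value}"))
    for attr, op, value in entry.reply:
        lines.append(ldif_line("radiusReplyAttribute", f"{attr} {op} {value}"))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for e in parse_users_file(SAMPLE_USERS_FILE):
        print(to_ldif(e))
```

Reply values are copied with their original quoting (`Cisco-AVPair = "vpdn:tunnel-id=VRF1"`) because the ldap module parses each `radiusReplyAttribute` string as a value pair, and a value containing spaces must stay quoted. Once the LDIF is loaded, the ldap module's `update` section must map `radiusControlAttribute` to `control:` and `radiusReplyAttribute` to `reply:` (the default configuration already does, under whatever names your schema uses), and the `authorize` section must call `ldap` in place of `files`. If only PAP is in use, `userPassword` can hold a hashed value such as `{SSHA}...` instead of cleartext, since Password-With-Header handles hashed formats; CHAP and MS-CHAP still need the cleartext.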
