Open Directory and freeRadius

Aaron_Hovel at pikeschool.org Aaron_Hovel at pikeschool.org
Thu Apr 24 14:30:26 CEST 2008


The radiusd.conf on the 10.5 server has this entry. 
opendirectory {
	authtype = opendirectory
}

Do I need to comment the above opendirectory module out in order to use
the ldap module?  The ldap module is below:

ldap {
		server = "ldap.your.domain"
		# identity = "cn=admin,o=My Org,c=UA"
		# password = mypass
		basedn = "o=My Org,c=UA"
		filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
		# base_filter = "(objectclass=radiusprofile)"

		# set this to 'yes' to use TLS encrypted connections
		# to the LDAP database by using the StartTLS extended
		# operation.
		# The StartTLS operation is supposed to be used with normal
		# ldap connections instead of using ldaps (port 689) connections
		start_tls = no

		# tls_cacertfile	= /path/to/cacert.pem
		# tls_cacertdir		= /path/to/ca/dir/
		# tls_certfile		= /path/to/radius.crt
		# tls_keyfile		= /path/to/radius.key
		# tls_randfile		= /path/to/rnd
		# tls_require_cert	= "demand"

		# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
		# profile_attribute = "radiusProfileDn"
		access_attr = "dialupAccess"

		# Mapping of RADIUS dictionary attributes to LDAP
		# directory attributes.
		dictionary_mapping = ${raddbdir}/ldap.attrmap

		ldap_connections_number = 5

		#
		# NOTICE: The password_header directive is NOT case insensitive
		#
		# password_header = "{clear}"
		#
		# Set:
		#	password_attribute = nspmPassword
		#
		# to get the user's password from a Novell eDirectory
		# backend. This will work *only if* freeRADIUS is
		# configured to build with --with-edir option.
		#
		#
		#  The server can usually figure this out on its own, and pull
		#  the correct User-Password or NT-Password from the database.
		#
		#  Note that NT-Passwords MUST be stored as a 32-digit hex
		#  string, and MUST start off with "0x", such as:
		#
		#	0x000102030405060708090a0b0c0d0e0f
		#
		#  Without the leading "0x", NT-Passwords will not work.
		#  This goes for NT-Passwords stored in SQL, too.
		#
		# password_attribute = userPassword
		#
		# Un-comment the following to disable Novell eDirectory account
		# policy check and intruder detection. This will work *only if*
		# FreeRADIUS is configured to build with --with-edir option.
		#
		# edir_account_policy_check=no
		#
		#  groupname_attribute = cn
		#  groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
		# groupmembership_attribute = radiusGroupName
		timeout = 4
		timelimit = 3
		net_timeout = 1
		# compare_check_items = yes
		# do_xlat = yes
		# access_attr_used_for_allow = yes

		#
		#  By default, if the packet contains a User-Password,
		#  and no other module is configured to handle the
		#  authentication, the LDAP module sets itself to do
		#  LDAP bind for authentication.
		#
		#  You can disable this behavior by setting the following
		#  configuration entry to "no".
		#
		#  allowed values: {no, yes}
		# set_auth_type = yes
	}

Thanks,
Aaron
FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
writes:
>Aaron_Hovel at pikeschool.org wrote:
>> What I would like to do next is have the PrimaryGroupID or the gidNumber
>> in Opendirectory for that particular user passed back to, in this case an
>> Aruba Controller, so that the Aruba Controller can authorize the user
>> based on the group membership.
>
>  raddb/ldap.attrmap.
>
>  OpenDirectory is just an LDAP server.
>
>  Alan DeKok.
>-
>List info/subscribe/unsubscribe? See
>http://www.freeradius.org/list/users.html
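A worked example of the mapping Alan points to, added here as an illustration and not part of the thread or of the freeRADIUS distribution. The `ldap.attrmap` file maps LDAP attributes onto RADIUS attributes; a `replyItem` line is what makes rlm_ldap copy a directory attribute into the Access-Accept. The choice of `Filter-Id` as the carrying RADIUS attribute is an assumption (any attribute the controller is configured to act on would do, including a vendor-specific one from the controller's dictionary if that dictionary is loaded); `gidNumber` is the POSIX group attribute the post already names.

```text
# raddb/ldap.attrmap (added example; the attribute choice is an assumption)
#
# Format:  <checkItem|replyItem>   <RADIUS attribute>   <LDAP attribute>
#
# checkItem lines are compared against the request; replyItem lines are
# copied from the user's LDAP entry into the Access-Accept.  Returning the
# user's gidNumber lets the NAS apply a role from the group rather than
# from anything the client supplied.
replyItem	Filter-Id	gidNumber
```

For the reply item to be added, the `ldap` module must be listed in the `authorize` section, since that is where rlm_ldap reads the user's entry. A quick check is `radtest <user> <password> localhost 0 <secret>` against the server: the Access-Accept should now carry `Filter-Id = "<gid>"`, and `radiusd -X` shows the LDAP lookup and the attribute being added. Because the value is taken from the directory and not from the request, a client cannot influence which group it is placed in by what it sends.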