LDAP

Setup LDAP Access

During the installation of Linuxmuster.net the necessary configuration was already made in the /etc/freeradius/radiusd.conf file. Locate the LDAP-related section in the file and check the following:
    ...
    ldap {
        ...
        server = "localhost"
        identity = "cn=admin,dc=linuxmuster-net,dc=lokal"
        password = geheim
        basedn = "ou=accounts,dc=linuxmuster-net,dc=lokal"
        filter = "(uid=%u)"
        ...
    }
    ...
The required password can be displayed with the following command:
    $ grep rootpw /etc/ldap/slapd.conf
Now enable LDAP authentication in the file /etc/freeradius/sites-available/default AND in /etc/freeradius/sites-available/inner-tunnel by removing the comment marks from each line that refers to LDAP:

    ...
    authorize {
        ...
        ldap
        ...
    }
    ...
    authenticate {
        ...
        Auth-Type LDAP {
            ldap
        }
        ...
    }
At the end, restart the Radius server:
    $ service freeradius restart

Test LDAP authentication

Enter the following command (adjust user name and password):

    $ radtest user password localhost 10 testing123
    ...
    rad_recv: Access-Accept Packet from ...
If you received an Access-Accept Packet, the authentication was successful!
Additional settings

Enable Access Restriction
If you are using the RADIUS server to authenticate users in the WLAN and only want to allow access for certain users (e.g. all members of the group p_wifi), add the following entry to the file /etc/freeradius/users. Both check items belong on the first line of one entry and the reply item on the indented line below it; a separate "DEFAULT Auth-Type := Reject" entry would match every user and reject everyone:

    ...
    DEFAULT Group != "p_wifi", Auth-Type := Reject
            Reply-Message = "You are not allowed to access the WLAN!"
    ...
Alternatively, you can query the corresponding LDAP group directly. The comparison is again "!=", so that users who are not members of the group are rejected:

    ...
    DEFAULT Ldap-Group != "cn=p_wifi,ou=groups,dc=linuxmuster-net,dc=lokal", Auth-Type := Reject
            Reply-Message = "You are not allowed to access the WLAN!"
    ...
In the ldap {...} section of the file /etc/freeradius/radiusd.conf the corresponding filter must be activated:

    ...
    groupmembership_filter = "(&(objectClass=posixGroup)(memberUid=%u))"
    ...
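To make the matching rules of such a users-file entry concrete, here is an added Python model (not linuxmuster.net or FreeRADIUS code) of how one entry is evaluated: all check items on the first line must match, ":=" assignments take effect only when the entry matches, and the indented reply items are returned with the result. The group memberships in GROUPS and the default Auth-Type of LDAP are constructed assumptions standing in for the real LDAP lookup.

```python
"""Toy evaluator for a FreeRADIUS 'users' entry (added example, not project code)."""
import re

# Constructed entry in users-file format: check items on the first line,
# reply items indented on the following line.
USERS_FILE = '''
DEFAULT Group != "p_wifi", Auth-Type := Reject
        Reply-Message = "You are not allowed to access the WLAN!"
'''
# Constructed posixGroup memberships standing in for the LDAP lookup.
GROUPS = {"p_wifi": {"alice", "bob"}, "teachers": {"carol"}}
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|==|!=|=)\s*("[^"]*"|[^\s,]+)\s*,?')

def parse_entries(text):
    """Return [(name, [(attr, op, value), ...], [(attr, value), ...]), ...]."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():                       # reply item line
            attr, _, value = ITEM_RE.match(line).groups()
            entries[-1][2].append((attr, value.strip('"')))
        else:                                       # name followed by check items
            name, rest = line.split(None, 1)
            checks = [(a, op, v.strip('"')) for a, op, v in ITEM_RE.findall(rest)]
            entries.append((name, checks, []))
    return entries

def authorize(username, entries=None):
    """First entry whose check items all match wins (no Fall-Through). Returns
    (Auth-Type, reply items); Auth-Type defaults to LDAP (assumption: the ldap
    module already found the user)."""
    entries = entries if entries is not None else parse_entries(USERS_FILE)
    request = {"User-Name": {username},
               "Group": {g for g, m in GROUPS.items() if username in m}}
    for name, checks, replies in entries:
        if name not in ("DEFAULT", username):
            continue
        matched, assign = True, {}
        for attr, op, value in checks:
            if op == ":=":                          # applied only on a full match
                assign[attr] = value
            elif op == "==":
                matched &= value in request.get(attr, set())
            elif op == "!=":
                matched &= value not in request.get(attr, set())
        if matched:
            request.update(assign)
            return request.get("Auth-Type", "LDAP"), dict(replies)
    return "LDAP", {}
```

authorize("alice") leaves Auth-Type at LDAP, while authorize("carol"), who is not in p_wifi, returns Reject together with the Reply-Message.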
Enable logging

The logging of authentication requests can be activated in /etc/freeradius/radiusd.conf. The log file is /var/log/freeradius/radius.log. Do not forget to restart the Radius server!

    log {
        ...
        auth = yes
        ...
    }