eduroam IdP using OpenLDAP
1. Install openldap module and tools and test access to your LDAP server
First let’s install some prerequisites: openldap-clients lets us test the connection to our OpenLDAP server, and freeradius-ldap is the module that connects FreeRADIUS to LDAP directories.
dnf -y install freeradius-ldap openldap-clients
Now let’s test the connection to our OpenLDAP server from this freeradius server. If you encounter any errors make sure port 389 on OpenLDAP server is accepting connections from freeradius server’s IP address (or port 636 if using ldaps).
ldapsearch -H ldap://ldap.university.ac.ma -D "cn=manager,dc=uni,dc=ac,dc=ma" -W -b "dc=uni,dc=ac,dc=ma" dn
This should list the DNs within the OpenLDAP tree. If you get correct results, you can proceed with the configuration.
2. Configure ldap module
We’ll need to modify the file /etc/raddb/mods-available/ldap according to our settings.
/etc/raddb/mods-available/ldap
##################
ldap {
    server = 'ldap.university.ac.ma'
    identity = 'cn=manager,dc=university,dc=ac,dc=ma'
    # The bind password is stored here in cleartext, so keep this file readable by radiusd only.
    password = yourpasswordhere
    base_dn = 'ou=people,dc=university,dc=ac,dc=ma'
    sasl {
    }
    tls {
        # Set this to 'yes' to use TLS encrypted connections
        # start_tls = yes
        # ca_file = ${certdir}/cacert.pem
        # ca_path = ${certdir}
        # certificate_file = /path/to/radius.crt
        # private_key_file = /path/to/radius.key
        # random_file = /dev/urandom
        # require_cert = 'demand'
    }
}
###################
Then we create a soft link in mods-enabled.
cd /etc/raddb/mods-enabled
ln -s ../mods-available/ldap ldap
chgrp -ch radiusd ldap
3. Configure eduroam inner tunnel to use LDAP authentication
Let us now configure eduroam’s inner tunnel to use our OpenLDAP server to authenticate & authorize requests coming from our users. To do this, we’re going to edit the file /etc/raddb/sites-enabled/eduroam-inner-tunnel by adding ldap to the authorize and authenticate sections.
/etc/raddb/sites-enabled/eduroam-inner-tunnel
####################
server eduroam-inner-tunnel {
    listen {
        type = auth
        ipaddr = 127.0.0.1
        port = 18120 # Used for testing only. Requests proxied internally.
    }
    authorize {
        chap
        mschap
        suffix
        update control {
            Proxy-To-Realm := LOCAL
        }
        eap {
            ok = return
        }
        files
        ldap # <= We add this
        expiration
        logintime
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        Auth-Type LDAP { # <=
            ldap # <= and these.
        } # <=
        eap
    }
    session {
    }
    post-auth {
        reply_log
        Post-Auth-Type REJECT {
            attr_filter.access_reject
            reply_log
            update outer.session-state {
                &Module-Failure-Message := &request:Module-Failure-Message
            }
        }
    }
    pre-proxy {
    }
    post-proxy {
        eap
    }
}
######################
4. Configure eduroam to use LDAP authentication
Finally, let’s make sure we have LDAP authentication configured in our eduroam site as well.
/etc/raddb/sites-enabled/eduroam
############
.
.
authorize {
    .
    .
    auth_log
    suffix
    eap {
        ok = return
        updated = return
    }
    files
    ldap # <= Add ldap here
    pap
}
.
.
authenticate {
    Auth-Type PAP {
        pap
        ldap # <= and here
    }
    Auth-Type CHAP {
        chap
        ldap # <= and here
    }
    Auth-Type MS-CHAP {
        mschap
        #ldap
    }
    Auth-Type LDAP { # <=
        ldap # <= and here.
    } # <=
    eap
}
.
.
.
#########
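To check the files edited in steps 2, 3 and 4 before restarting radiusd, here is a small audit script. It is an added example and not part of the original page or of FreeRADIUS: it parses the brace-delimited config syntax shown above, then reports whether the ldap module would bind in cleartext (the tls block in step 2 is entirely commented out, so the bind password and every user lookup cross the network unencrypted) and whether a virtual server references ldap in authorize and in Auth-Type LDAP. The option names start_tls, ca_file, ca_path and require_cert come from the page’s own tls block; the sample configs are constructed to mirror the page’s snippets, the "hardened" variant is my suggestion, and treating an ldaps:// server URL as encrypted is an assumption about rlm_ldap.

```python
"""Added example: static audit of the FreeRADIUS files edited in steps 2-4."""
import re

# key = value, key := value, key += value ...
_ASSIGN = re.compile(r"^(\S+)\s*[:+\-]?=\s*(.*)$")


def parse_radius_conf(text):
    """Parse FreeRADIUS' brace-delimited syntax into nested dicts.

    'name {' opens a child dict under 'name', 'key = value' stores a string
    with surrounding quotes removed, and bare words (module calls such as
    'ldap') are appended in order to the section's '_items' list. Comments
    are cut at the first '#', so a bind password containing '#' is truncated.
    """
    root = {"_items": []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            if len(stack) > 1:          # tolerate a stray closing brace
                stack.pop()
            continue
        if line.endswith("{"):
            child = {"_items": []}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
            continue
        m = _ASSIGN.match(line)
        if m:
            stack[-1][m.group(1)] = m.group(2).strip().strip("'\"")
        else:
            stack[-1]["_items"].append(line)
    return root


def audit_ldap_module(conf):
    """Findings for mods-available/ldap (empty list = nothing to report)."""
    findings = []
    ldap = conf.get("ldap", {})
    tls = ldap.get("tls", {})
    # Assumption: an ldaps:// URL in 'server' also gives an encrypted bind.
    encrypted = tls.get("start_tls") == "yes" or ldap.get("server", "").startswith("ldaps://")
    if not encrypted:
        findings.append("bind credentials and user lookups travel in cleartext: "
                        "set start_tls = yes (or use an ldaps:// server URL)")
    elif tls.get("require_cert") != "demand":
        findings.append("TLS enabled but require_cert != 'demand': the LDAP server "
                        "certificate is not verified")
    elif not (tls.get("ca_file") or tls.get("ca_path")):
        findings.append("require_cert = 'demand' needs ca_file or ca_path to verify against")
    if not ldap.get("password"):
        findings.append("no bind password for identity '%s'" % ldap.get("identity", "?"))
    return findings


def audit_site(conf, server_name=None):
    """Findings for a virtual server: ldap must be called in 'authorize' and
    inside 'Auth-Type LDAP' in 'authenticate'. The eduroam site file on the
    page is shown without its 'server ... {' wrapper, hence server_name=None."""
    findings = []
    site = conf.get("server " + server_name, conf) if server_name else conf
    if "ldap" not in site.get("authorize", {"_items": []})["_items"]:
        findings.append("authorize: ldap is not listed")
    auth_ldap = site.get("authenticate", {}).get("Auth-Type LDAP", {"_items": []})
    if "ldap" not in auth_ldap["_items"]:
        findings.append("authenticate: Auth-Type LDAP { ldap } is missing")
    return findings


# Constructed sample mirroring the page's step-2 module file (tls commented out).
PAGE_LDAP_MODULE = """
ldap {
    server = 'ldap.university.ac.ma'
    identity = 'cn=manager,dc=university,dc=ac,dc=ma'
    password = yourpasswordhere
    base_dn = 'ou=people,dc=university,dc=ac,dc=ma'
    tls {
        # start_tls = yes
        # require_cert = 'demand'
    }
}
"""

# Constructed hardened variant: StartTLS with certificate verification.
HARDENED_LDAP_MODULE = PAGE_LDAP_MODULE.replace(
    "        # start_tls = yes\n        # require_cert = 'demand'\n",
    "        start_tls = yes\n        ca_file = ${certdir}/cacert.pem\n        require_cert = 'demand'\n")

# Constructed cut-down copy of the page's step-3 inner tunnel.
INNER_TUNNEL = """
server eduroam-inner-tunnel {
    authorize {
        chap
        suffix
        update control {
            Proxy-To-Realm := LOCAL
        }
        eap {
            ok = return
        }
        files
        ldap    # <= added by the page
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type LDAP {
            ldap
        }
        eap
    }
}
"""

if __name__ == "__main__":
    for label, text in (("page ldap module", PAGE_LDAP_MODULE),
                        ("hardened ldap module", HARDENED_LDAP_MODULE)):
        print(label, audit_ldap_module(parse_radius_conf(text)) or ["clean"])
    print("inner tunnel", audit_site(parse_radius_conf(INNER_TUNNEL),
                                     "eduroam-inner-tunnel") or ["clean"])
```

Run against the page’s module file the script reports the cleartext bind; the hardened variant passes only because require_cert = 'demand' is set together with a ca_file, which is what actually makes the server certificate verified. To audit the real files, read them with open() and pass the text to parse_radius_conf.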