Question about FreeRADIUS and LDAP


Question about FreeRADIUS and LDAP

rainer
Hi,


I think I've managed to get authentication against a CentOS 8 389-server
working.

https://www.nasirhafeez.com/freeradius-with-ldaps-on-azure-ad-domain-services/


Now, traditionally, our users and the configuration are just in a
text-file "users" with the password in clear-text.


If I move the users (and only the users) into 389-server, what would the
text-file look like?


Currently, an entry looks like this:

bla@blue  Cleartext-Password := "test"
         Service-Type = Framed-User,
         Framed-Protocol = PPP,
         Framed-Address = 192.168.1.5,
         Framed-Netmask = 255.255.255.0,
         Framed-Routing = None,
         Cisco-AVPair = "vpdn:tunnel-id=VRF1",
         Cisco-AVPair = "vpdn:tunnel-type=l2tp",
         Cisco-AVPair = "vpdn:ip-addresses=a.b.c.d",
         Cisco-AVPair = "vpdn:l2tp-tunnel-password=**********",
         Cisco-AVPair = "lcp:interface-config#1=ip vrf forwarding bla@blue",
         Cisco-AVPair = "lcp:interface-config#2=ip unnumbered Loopback80"


Or is it better to move everything to LDAP anyway?

The iplanet schema seems to import, after adding
changetype: modify
add: attributetypes

But it's missing some of the above key-words.
How do I add these?



Best Regards
Rainer
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Question about FreeRADIUS and LDAP

Alan DeKok-2
On Oct 2, 2020, at 12:54 PM, [hidden email] wrote:
> I think I've managed to get authentication against a CentOS 8 389-server working.

  That's good.

> https://www.nasirhafeez.com/freeradius-with-ldaps-on-azure-ad-domain-services/
>
>
> Now, traditionally, our users and the configuration are just in a text-file "users" with the password in clear-text.
>
>
> If I move the users (and only the users) into 389-server, how would the text-file look like?

  It depends on what you want to do...

  What do you mean "move the users" into 389?  *What* information are you moving over?

  As background, FreeRADIUS doesn't really have "users" as such.  It has things configured in databases.  The "users" file is one such database.

>
> Currently, an entry is like that?
>
> bla@blue  Cleartext-Password := "test"
>        Service-Type = Framed-User,
>        Framed-Protocol = PPP,
>        Framed-Address = 192.168.1.5,
>        Framed-Netmask = 255.255.255.0,
>        Framed-Routing = None,
>        Cisco-AVPair = "vpdn:tunnel-id=VRF1",
>        Cisco-AVPair = "vpdn:tunnel-type=l2tp",
>        Cisco-AVPair = "vpdn:ip-addresses=a.b.c.d",
>        Cisco-AVPair = "vpdn:l2tp-tunnel-password=**********",
>        Cisco-AVPair = "lcp:interface-config#1=ip vrf forwarding bla@blue",
>        Cisco-AVPair = "lcp:interface-config#2=ip unnumbered Loopback80"
>
> Or is it better to move everything to LDAP anyway?

  It depends on what you want to do...

> The iplanet schema seems to import, after adding
> changetype: modify
> add: attributetypes
>
> But it's missing some of the above key-words.
> How do I add these?

  Missing WHAT?  It helps to be specific.

  The documentation in mods-available/ldap explains exactly how to put attributes into LDAP.  The "users" file documentation describes how to configure attributes in the "users" file.

  So... you should be able to take attributes from the "users" file, and put them into LDAP.  As per the documentation.  If you have a specific question, please ask that.  Right now, it's all "I tried to do stuff, and it didn't work".

  Computers don't work on hand-waving.

  Alan DeKok.


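Alan's answer above says the attributes of a "users" entry can be taken over into LDAP as documented in mods-available/ldap, and Rainer's question was what that looks like for an entry with repeated Cisco-AVPair values that the schema has no dedicated attribute for. The following converter is an added example for this thread, not code from either poster or from the FreeRADIUS project. It parses the exact entry Rainer posted (embedded here as constructed sample input) and emits an LDIF entry that stores each check item and reply item as a whole "Attribute op value" string in the generic multi-valued attributes radiusControlAttribute and radiusReplyAttribute. The assumptions are: the objectClass and attribute names come from the stock FreeRADIUS LDAP schema and the example update section of mods-available/ldap (radiusprofile is an auxiliary class, so inetOrgPerson is used as the structural class); the base DN ou=people,dc=example,dc=com is made up; and the password is read by FreeRADIUS through control:Password-With-Header += 'userPassword', which treats a value without a {hash} header as cleartext.

```python
"""Convert one FreeRADIUS 'users' file entry into LDIF for the FreeRADIUS
LDAP schema. Added example for the mailing-list thread; schema attribute
names (radiusprofile, radiusControlAttribute, radiusReplyAttribute) are
assumed from the stock FreeRADIUS schema and mods-available/ldap."""
import base64
import re

# Operators accepted in the 'users' file; longest first so ':=' beats '='.
_OPS = ("==", ":=", "+=", "!=", ">=", "<=", "=~", "!~", "=*", "!*", "=")
_PAIR_RE = re.compile(
    r"^\s*([\w\-]+)\s*(" + "|".join(re.escape(o) for o in _OPS) + r")\s*(.*?)\s*$"
)
# Values that can stay unquoted in the "Attr op value" string stored in LDAP.
_BARE_RE = re.compile(r"^[\w.:@/\-]+$")

# Constructed sample: the entry from the thread, tunnel password redacted as posted.
SAMPLE_ENTRY = '''bla@blue  Cleartext-Password := "test"
         Service-Type = Framed-User,
         Framed-Protocol = PPP,
         Framed-Address = 192.168.1.5,
         Framed-Netmask = 255.255.255.0,
         Framed-Routing = None,
         Cisco-AVPair = "vpdn:tunnel-id=VRF1",
         Cisco-AVPair = "vpdn:tunnel-type=l2tp",
         Cisco-AVPair = "vpdn:ip-addresses=a.b.c.d",
         Cisco-AVPair = "vpdn:l2tp-tunnel-password=**********",
         Cisco-AVPair = "lcp:interface-config#1=ip vrf forwarding bla@blue",
         Cisco-AVPair = "lcp:interface-config#2=ip unnumbered Loopback80"
'''


def split_pairs(text):
    """Split 'A = 1, B = "x,y"' on commas that are outside double quotes."""
    parts, buf, in_quotes = [], [], False
    for ch in text:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_pair(text):
    """Return (attribute, operator, value) with surrounding quotes removed."""
    m = _PAIR_RE.match(text)
    if not m:
        raise ValueError(f"not an attribute pair: {text!r}")
    attr, op, val = m.groups()
    if len(val) >= 2 and val[0] == val[-1] == '"':
        val = val[1:-1]
    return attr, op, val


def parse_users_entry(text):
    """First line: name plus comma-separated check items; indented
    continuation lines: comma-separated reply items."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0][0].isspace():
        raise ValueError("entry must start with an unindented name line")
    name, rest = (re.split(r"\s+", lines[0].strip(), maxsplit=1) + [""])[:2]
    check = [parse_pair(p) for p in split_pairs(rest)]
    reply = [parse_pair(p) for p in split_pairs(" ".join(ln.strip() for ln in lines[1:]))]
    return name, check, reply


def format_pair(attr, op, val):
    """Render a pair as the valuepair string FreeRADIUS parses from LDAP."""
    return f"{attr} {op} {val}" if _BARE_RE.match(val) else f'{attr} {op} "{val}"'


def ldif_line(attr, value):
    """RFC 2849: base64-encode values that are not safe as plain strings."""
    unsafe = (not value or value[0] in " :<" or value[-1] == " "
              or any(ord(c) > 127 or c in "\r\n\0" for c in value))
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode()).decode()}"
    return f"{attr}: {value}"


def to_ldif(name, check, reply, base_dn="ou=people,dc=example,dc=com"):
    """Build the LDIF entry; base_dn and the structural class are assumptions."""
    out = [ldif_line("dn", f"uid={name},{base_dn}"),
           "objectClass: top", "objectClass: inetOrgPerson", "objectClass: radiusprofile",
           ldif_line("uid", name), ldif_line("cn", name), ldif_line("sn", name)]
    for attr, op, val in check:
        if attr == "Cleartext-Password":
            # Read via Password-With-Header; a hashed value such as {SSHA}... is
            # accepted by the same mapping and avoids storing the secret in clear.
            out.append(ldif_line("userPassword", val))
        else:
            out.append(ldif_line("radiusControlAttribute", format_pair(attr, op, val)))
    for attr, op, val in reply:
        # Multi-valued, so repeated Cisco-AVPair items need no dedicated attribute.
        out.append(ldif_line("radiusReplyAttribute", format_pair(attr, op, val)))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(to_ldif(*parse_users_entry(SAMPLE_ENTRY)), end="")
```

Running it prints one LDIF entry that can be fed to ldapadd against a directory into which the FreeRADIUS schema has already been imported; the matching module configuration is the update section in mods-available/ldap that maps the control and reply lists to those two attributes, and the same file documents the valuepair format the stored strings must follow.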