
LDAP

FreeRADIUS can be configured to use an LDAP server for authentication, authorization and accounting.

This series of tutorials assumes that the reader is familiar with LDAP. If you’re not familiar with LDAP-specific terms or with how LDAP directories operate in general, you may wish to review ldap.com - basic concepts, as these concepts will not be covered in the FreeRADIUS documentation.

In a Microsoft Active Directory environment you should use rlm_winbind for authentication, and rlm_ldap for group membership checks as described in the authorization section of this tutorial. The WinBind protocol does not support the full range of group checks that are possible with LDAP.

Preparation

These preparation steps must be completed in order for the examples in the later sections of this tutorial to operate correctly.

1. Provisioning

In order to use LDAP, there must be an existing LDAP server populated with users, groups, and possibly clients. We highly recommend using OpenLDAP for both its flexibility and performance.

If there is no existing local LDAP server, it is possible to provision one using a Docker image or, if you’re using a Debian- or RHEL-based distribution, using the OpenLDAP LTB DEB or RPM packages.

For testing purposes it’s recommended to install the LDAP instance on the same machine (or on the inter-container network in the case of Docker) as the RADIUS server, to avoid any potential networking issues.

This recommendation applies equally to high-load production environments and to deployments where a high level of redundancy is required.

2. Testing

Once an LDAP server is available, it should be tested via the command-line ldapsearch tool. This ensures that the LDAP server has been configured correctly. If testing via ldapsearch fails, those issues MUST be resolved before configuring FreeRADIUS.
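The following script is an added example of the ldapsearch pre-flight check described above; it is not part of the FreeRADIUS documentation. It binds with the administrative DN, looks up one user, and checks that exactly one entry comes back and that it carries the expected memberOf value (the same lookups rlm_ldap will later perform). The server URI, base DN, bind DN, password file, and the sample user and group are assumptions for a local test server; the LDIF at the bottom is constructed so the parsing functions can be exercised without a live directory. The filter value is escaped per RFC 4515 before it is interpolated, so a uid containing `*`, `(`, `)` or `\` cannot change the meaning of the search filter.

```shell
#!/bin/sh
# Added example, not FreeRADIUS project code. All connection values below are
# assumptions for a local test server; override them in the environment.
LDAP_URI="${LDAP_URI:-ldap://localhost:389}"
BASE_DN="${BASE_DN:-dc=example,dc=com}"
BIND_DN="${BIND_DN:-cn=admin,dc=example,dc=com}"
BIND_PW_FILE="${BIND_PW_FILE:-/etc/ldap/admin.pw}"   # -y reads the password from a file, keeping it out of argv

# Escape the RFC 4515 filter metacharacters a shell string can hold (\ * ( )),
# backslash first so the escapes themselves are not re-escaped.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Query one user with the OpenLDAP client tool; prints LDIF, exit status is ldapsearch's.
ldap_lookup_user() {
    _uid=$(ldap_filter_escape "$1")
    ldapsearch -LLL -x -H "$LDAP_URI" -D "$BIND_DN" -y "$BIND_PW_FILE" \
        -b "$BASE_DN" -s sub "(&(objectClass=posixAccount)(uid=$_uid))" dn uid memberOf
}

# Number of entries in LDIF text (one "dn:" line per entry).
ldif_entry_count() {
    printf '%s\n' "$1" | grep -c '^dn:' || true
}

# Exit 0 if the LDIF text carries attribute $2 with the exact value $3, else 1.
ldif_has_attr() {
    printf '%s\n' "$1" | grep -qxF -- "$2: $3"
}

# Validate search output for user $1 against expected group DN $2.
check_ldif() {
    _ldif=$1; _user=$2; _group=$3
    [ "$(ldif_entry_count "$_ldif")" -eq 1 ] || { echo "expected exactly one entry for $_user" >&2; return 1; }
    ldif_has_attr "$_ldif" uid "$_user"      || { echo "entry returned is not $_user" >&2; return 1; }
    ldif_has_attr "$_ldif" memberOf "$_group" || { echo "$_user is not a member of $_group" >&2; return 1; }
    echo "ok: $_user found and member of $_group"
}

# Live check: bind + search must succeed, then the result must pass check_ldif.
check_user() {
    _out=$(ldap_lookup_user "$1") || { echo "bind or search failed for $1" >&2; return 1; }
    check_ldif "$_out" "$1" "$2"
}

# Constructed sample of what ldapsearch -LLL returns for a correctly provisioned user.
SAMPLE_LDIF='dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
memberOf: cn=radius-users,ou=groups,dc=example,dc=com'

# Usage against the test server (assumed user and group):
#   check_user bob "cn=radius-users,ou=groups,dc=example,dc=com"
```

A non-zero exit from check_user means either the bind DN or password is wrong, the user or group is not provisioned, or memberOf is not being returned (on OpenLDAP that requires the memberof overlay); each of those will also break rlm_ldap later, so fix them here first.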

3. Configuring the LDAP module

Once the ldapsearch validation tests pass, the next step is to configure the LDAP module.

OpenLDAP configuration examples detailing how to install appropriate schemas and populate the server with test data will be provided at the beginning of each tutorial section.

Sections in this tutorial

For features and configuration items not covered by this tutorial series, the mods-available/ldap page provides a complete reference for all the configuration items available for the rlm_ldap module.

Base configuration

Configures basic settings required for all functions of the LDAP module.

Authorization

Covers authorization by group, enabling/disabling accounts using attributes, LDAP attribute to FreeRADIUS attribute mappings, and LDAP profiles.

Authentication

Examples of configuring different methods of LDAP based authentication (search, bind, edir).

Accounting

Examples of updating objects in LDAP after authentication completes, or when accounting data is received.