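# create keytab for radius user
# Assumes the service principal radius/<fqdn> already exists in IPA
# (ipa service-add radius/$host) and that you currently hold admin credentials.
# NOTE: ipa-getkeytab generates NEW keys for the principal, which invalidates
# any keytab previously issued for it; pass -r to retrieve the existing keys
# instead if that keytab is in use elsewhere.
host=$(hostname -f) || exit 1
# umask keeps the keytab private from the moment the file is created, rather
# than only after the chown/chmod below have run
( umask 077 && ipa-getkeytab -p "radius/${host}" -k /etc/raddb/radius.keytab ) || exit 1
# the daemon (presumably running as radiusd) needs group read; nobody else needs access
chown root:radiusd /etc/raddb/radius.keytab
chmod 640 /etc/raddb/radius.keytab
# make radius use the keytab for SASL GSSAPI
mkdir -p /etc/systemd/system/radiusd.service.d
# quoted delimiter: nothing in the unit snippet should be shell-expanded
cat > /etc/systemd/system/radiusd.service.d/krb5_keytab.conf <<'EOF'
[Service]
# libkrb5 obtains the service's own tickets from this client keytab
Environment=KRB5_CLIENT_KTNAME=/etc/raddb/radius.keytab
# Discard any cached credentials around each run so the GSSAPI bind always
# starts from the keytab and no tickets linger after stop; the leading '-'
# makes a missing cache a non-error rather than a failed start.
ExecStartPre=-/usr/bin/kdestroy -A
ExecStopPost=-/usr/bin/kdestroy -A
EOF
systemctl daemon-reload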
edit /etc/raddb/mods-enabled/ldap
ldap server = 'LDAP HOSTNAME'
ldap base_dn = 'cn=accounts,dc=example,dc=org'
ldap sasl mech = 'GSSAPI'
ldap sasl realm = 'YOUR REALM'
ldap update control:NT-Password := 'ipaNTHash'
# Settings are listed as <section> <key> = <value>: "server" and "base_dn" are top-level keys of the ldap module, "mech" and "realm" go inside its sasl { } sub-section, and the NT-Password mapping belongs in the module's update { } section (a sibling of sasl { }, not inside it).
# Caveat: mapping ipaNTHash to NT-Password is what makes MS-CHAP work, but it means the radius/HOSTNAME principal must be granted read access to ipaNTHash in IPA, and the RADIUS host then handles NT password hashes for every user it authenticates — keep the keytab and this host tightly controlled.
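# certs
host=$(hostname -f) || exit 1
# Move the stock FreeRADIUS test CA/certs out of the way: they are sample
# material, not something to present to clients. Remove certs.bak once EAP
# works with the IPA-issued certificate.
mv /etc/raddb/certs /etc/raddb/certs.bak
# root-owned, readable by the daemon's group only
install -d -m 750 -o root -g radiusd /etc/raddb/certs
# options first, key size last: `dhparam 2048 -out ...` is not the documented
# argument order and may be rejected by openssl. Generation takes a while.
openssl dhparam -out /etc/raddb/certs/dh 2048
# Request a TLS certificate for the radius/<fqdn> service from the IPA CA;
# certmonger tracks and renews it and restarts radiusd afterwards (-C).
# NOTE(review): certmonger writes the key file as root; radiusd must be able
# to read it for EAP-TLS/PEAP — give the key a radiusd-readable owner/mode
# (recent getcert versions have -o/-m for this; verify on yours) — and point
# mods-enabled/eap's private_key_file/certificate_file at these paths, which
# this listing does not do.
ipa-getcert request -w \
  -k /etc/pki/tls/private/radius.key \
  -f /etc/pki/tls/certs/radius.pem \
  -T caIPAserviceCert \
  -C 'systemctl restart radiusd.service' \
  -N "$host" -D "$host" -K "radius/${host}"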