```bash
# create keytab for radius user (the service principal radius/HOSTNAME must already exist in IPA)
ipa-getkeytab -p 'radius/HOSTNAME' -k /etc/raddb/radius.keytab
chown root:radiusd /etc/raddb/radius.keytab
chmod 640 /etc/raddb/radius.keytab

# make radius use the keytab for SASL GSSAPI; kdestroy -A drops any cached tickets on start/stop
mkdir -p /etc/systemd/system/radiusd.service.d
cat > /etc/systemd/system/radiusd.service.d/krb5_keytab.conf << EOF
[Service]
Environment=KRB5_CLIENT_KTNAME=/etc/raddb/radius.keytab
ExecStartPre=-/usr/bin/kdestroy -A
ExecStopPost=-/usr/bin/kdestroy -A
EOF
systemctl daemon-reload
```

Edit /etc/raddb/mods-enabled/ldap so that the ldap module binds with GSSAPI (FreeRADIUS 3.x syntax):

```
ldap {
    server = 'LDAP HOSTNAME'
    base_dn = 'cn=accounts,dc=example,dc=org'
    sasl {
        mech = 'GSSAPI'
        realm = 'YOUR REALM'
    }
    update {
        control:NT-Password := 'ipaNTHash'
    }
}
```

```bash
# certs
mv /etc/raddb/certs /etc/raddb/certs.bak
mkdir /etc/raddb/certs
openssl dhparam -out /etc/raddb/certs/dh 2048
ipa-getcert request -w -k /etc/pki/tls/private/radius.key -f /etc/pki/tls/certs/radius.pem -T caIPAserviceCert -C 'systemctl restart radiusd.service' -N HOSTNAME -D HOSTNAME -K radius/HOSTNAME
```
Supplement:

You need to add a service principal first by `ipa service-add 'radius/<FQDN_OF_YOUR_IPA>'`, and then `ipa-getkeytab -p 'radius/<FQDN_OF_YOUR_IPA>' -k /etc/raddb/radiusd.keytab`.

For "SASL/GSSAPI authentication started
rlm_ldap (ldap): Bind with (anonymous) to ldap://localhost:389 failed: Local error",
just modify 'module-enabled/ldap':
server = '<FQDN_OF_YOUR_IPA>', e.g. ipa.xxx.com,
and
base_dn = 'cn=accounts,dc=xxx,dc=com'
Everything works.
@tiran Could you please describe what this gist is doing?
Can it be used for WPA2 wi-fi authentication?
Are you able to post an example file of the ldap module? I don't seem to be able to get it working; specifically, there seems to be a syntax issue when modifying from the default configs.
Additionally, I'm getting binding errors, as LDAP is apparently still expecting some kind of identity information.
I haven't done any work with FreeRADIUS in years and don't have the files. Perhaps you are able to get help on the FreeIPA users mailing list.
I already had this:
`ldap sasl update control:NT-Password := 'ipaNTHash'`
in a later section of the file, which was preventing startup:
`update { control:Password-With-Header += 'userPassword' control:NT-Password := 'ipaNTHash' }`
It also turns out systemd was running the /etc/raddb/certs/bootstrap script, which kept wiping out my production certs on launch. Oops.
I still can't seem to get it to bind with these instructions, though. Does this require any specific settings on the IPA end? To be fair, this is not a fresh install; I'm modifying an older build which needed password auth for the radius service principal, which is probably unnecessarily complicating matters.
Hi,
after setting `ldpa sasl mech = 'GSSAPI'`, I'm getting this:

```
rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
rlm_ldap (ldap): Connecting to ldap://localhost:389
rlm_ldap (ldap): Starting SASL mech(s): GSSAPI
SASL/GSSAPI authentication started
rlm_ldap (ldap): Bind with (anonymous) to ldap://localhost:389 failed: Local error
rlm_ldap (ldap): Opening connection failed (0)
rlm_ldap (ldap): Removing connection pool
/etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap"
```
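The "Bind with (anonymous) ... failed: Local error" seen in the thread is what rlm_ldap reports when libkrb5 cannot find credentials for the GSSAPI bind. The preflight script below is an added example (not part of the gist or FreeRADIUS) that checks the pieces the gist's setup depends on: the keytab entry, the systemd drop-in that exports KRB5_CLIENT_KTNAME, the keytab's permissions, and a bind done with the same environment radiusd gets. It assumes the gist's paths, a realm of EXAMPLE.ORG and an IPA server at ldap://ipa.example.org, all overridable via environment variables; the `klist -kt` listing embedded for the offline self-check is constructed.

```shell
#!/bin/bash
# Preflight for the gist's keytab-based GSSAPI bind. Added example, not from the gist.
# Assumed values (override via environment): realm EXAMPLE.ORG, IPA server ipa.example.org.
KEYTAB=${KEYTAB:-/etc/raddb/radius.keytab}
DROPIN=${DROPIN:-/etc/systemd/system/radiusd.service.d/krb5_keytab.conf}
LDAP_URI=${LDAP_URI:-ldap://ipa.example.org}
REALM=${REALM:-EXAMPLE.ORG}

# Check 1: the keytab listing (output of `klist -kt`) must carry radius/<fqdn>@REALM.
# Pure text processing, so it can also be run against a constructed listing.
keytab_lists_principal() {   # $1 = klist -kt output, $2 = expected principal with realm
    printf '%s\n' "$1" | awk -v p="$2" '$NF == p { found = 1 } END { exit !found }'
}

# Check 2: the systemd drop-in must export KRB5_CLIENT_KTNAME pointing at that keytab.
# Without it libkrb5 finds no credentials and rlm_ldap reports "Bind ... failed: Local error".
dropin_sets_ktname() {       # $1 = drop-in file, $2 = keytab path
    grep -qxF "Environment=KRB5_CLIENT_KTNAME=$2" "$1" 2>/dev/null
}

# Check 3: the keytab is a credential; it should be owner:group 0640, not world-readable.
keytab_mode_ok() {           # $1 = keytab path, $2 = owner, $3 = group
    [ -n "$(find "$1" -maxdepth 0 -perm 640 -user "$2" -group "$3" 2>/dev/null)" ]
}

# Check 4: bind exactly as radiusd will (same env var); needs krb5 and OpenLDAP client tools.
live_bind_check() {
    KRB5_CLIENT_KTNAME=$KEYTAB ldapwhoami -Q -Y GSSAPI -H "$LDAP_URI"
}

# Constructed `klist -kt` listing for the offline self-check (not captured from a real host).
SAMPLE_KLIST='Keytab name: FILE:/etc/raddb/radius.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/01/2024 10:00:00 radius/radius.example.org@EXAMPLE.ORG
   2 01/01/2024 10:00:00 radius/radius.example.org@EXAMPLE.ORG'

# Live checks only run on request, so sourcing the script for its functions has no side effects.
if [ "${PREFLIGHT_LIVE:-0}" = 1 ]; then
    keytab_lists_principal "$(klist -kt "$KEYTAB")" "radius/$(hostname -f)@$REALM" \
        || echo "keytab $KEYTAB has no entry for radius/$(hostname -f)@$REALM"
    dropin_sets_ktname "$DROPIN" "$KEYTAB" || echo "$DROPIN does not set KRB5_CLIENT_KTNAME=$KEYTAB"
    keytab_mode_ok "$KEYTAB" root radiusd || echo "$KEYTAB is not root:radiusd mode 0640"
    live_bind_check || echo "GSSAPI bind to $LDAP_URI failed: radiusd will fail the same way"
fi
```

Run it as `PREFLIGHT_LIVE=1 ./preflight.sh` on the RADIUS host; a failing check 2 is the usual cause when `radiusd -X` started by hand fails while the systemd unit would have worked, because the drop-in's environment is not applied to an interactive run.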