Continuing my adventures with FreeRADIUS ...
It seems that there's no escaping the need to create a dedicated LDAP user for FreeRADIUS, so that it can see group membership information.
I've already created a FreeIPA service - radius/ipa.example.com@EXAMPLE.COM - so that I could issue a certificate for PEAP and monitor it with certmonger. (Yes, FreeRADIUS is running on the same server as FreeIPA.)
Is it possible to somehow create a "service user" associated with this service that FreeRADIUS can use as an LDAP login?
Thanks!
Ian Pilcher via FreeIPA-users wrote:
> Continuing my adventures with FreeRADIUS ...
> It seems that there's no escaping the need to create a dedicated LDAP user for FreeRADIUS, so that it can see group membership information.
> I've already created a FreeIPA service - radius/ipa.example.com@EXAMPLE.COM - so that I could issue a certificate for PEAP and monitor it with certmonger. (Yes, FreeRADIUS is running on the same server as FreeIPA.)
> Is it possible to somehow create a "service user" associated with this service that FreeRADIUS can use as an LDAP login?
> Thanks!
You can't use the Kerberos service to store a password because it lacks the attributes to store it. You could potentially use a keytab, but I somehow doubt that GSSAPI auth is available.
So what I think you'll have to do is create a separate LDAP system account, details are in the LDAP howto on freeipa.org.
And you'll need to do a bit of manual work to allow this system account read access to the membership info. You can do this by using ldapmodify to add memberof: <permission> for the permission (or permissions) you need to grant it.
rob
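As an added example (not Rob's or the FreeIPA project's code) of the two steps described above, the script below builds the LDIF for a system account under cn=sysaccounts,cn=etc (entry shape as in the freeipa.org LDAP howto) and the ldapmodify change that adds memberOf for a permission, base64-encoding attribute values where LDIF requires it. The base DN dc=example,dc=com comes from the thread; the permission name "System: Read Group Membership" is an assumption to be checked with `ipa permission-find`.

```python
# Added example: generate the LDIF for an LDAP system account and for granting it
# a FreeIPA permission via memberOf. Pipe the output to ldapadd / ldapmodify as
# Directory Manager. Permission name is an assumption; verify with `ipa permission-find`.
import base64
import re

BASE_DN = "dc=example,dc=com"  # base DN used in the thread


def ldif_attr(name: str, value: str) -> str:
    """Format one LDIF attribute line. RFC 2849 requires base64 ('::') when the
    value starts with space, ':' or '<', ends with a space, or contains
    non-ASCII / control characters; everything else is written as plain text."""
    safe = re.fullmatch(r"[\x21-\x39\x3b\x3d-\x7e][\x20-\x7e]*", value)
    if safe and not value.endswith(" "):
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def sysaccount_ldif(uid: str, password: str) -> str:
    """LDIF to add a system account (for: ldapadd -x -D 'cn=Directory Manager' -W)."""
    lines = [
        f"dn: uid={uid},cn=sysaccounts,cn=etc,{BASE_DN}",
        "changetype: add",
        "objectClass: account",
        "objectClass: simplesecurityobject",
        ldif_attr("uid", uid),
        ldif_attr("userPassword", password),
        "passwordExpirationTime: 20380119031407Z",  # far future, as in the howto
        "nsIdleTimeout: 0",
    ]
    return "\n".join(lines) + "\n"


def grant_permission_ldif(uid: str, permission: str) -> str:
    """LDIF for ldapmodify: add memberOf naming a permission entry under
    cn=permissions,cn=pbac, which makes that permission's ACI apply to this bind DN."""
    perm_dn = f"cn={permission},cn=permissions,cn=pbac,{BASE_DN}"
    lines = [
        f"dn: uid={uid},cn=sysaccounts,cn=etc,{BASE_DN}",
        "changetype: modify",
        "add: memberOf",
        ldif_attr("memberOf", perm_dn),
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(sysaccount_ldif("radiusd", "CHANGE-ME"))  # placeholder password
    print(grant_permission_ldif("radiusd", "System: Read Group Membership"))
```

Run it once with the password redirected into ldapadd, then again with the grant redirected into ldapmodify; Ian's ldapsearch with -D uid=radiusd,cn=sysaccounts,cn=etc,... then confirms the account can read memberOf.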
On 1/29/19 12:23 PM, Rob Crittenden wrote:
> So what I think you'll have to do is create a separate LDAP system account, details are in the LDAP howto on freeipa.org.
I stumbled across that sometime in the bleary hours of this morning. Good to know that I was barking up the right tree.
> And you'll need to do a bit of manual work to allow this system account read access to the membership info. You can do this by using ldapmodify to add memberof: <permission> for the permission (or permissions) you need to grant it.
For whatever reason, I didn't need to do anything special. It "just worked" once I created the account.
# ldapsearch -x -D uid=radiusd,cn=sysaccounts,cn=etc,dc=example,dc=com \
    -W -b cn=users,cn=accounts,dc=example,dc=com '(uid=test)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=users,cn=accounts,dc=example,dc=com> with scope subtree
# filter: (uid=test)
# requesting: ALL
#

# test, users, accounts, example.com
dn: uid=test,cn=users,cn=accounts,dc=example,dc=com
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
memberOf: cn=wifi,cn=groups,cn=accounts,dc=example,dc=com
krbPasswordExpiration: 20290126192822Z
krbLastPwdChange: 20190129192822Z
displayName: Test User
uid: test
krbCanonicalName: test@EXAMPLE.COM
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
initials: TU
gecos: Test User
sn: User
homeDirectory: /home/test
mail: test@example.com
krbPrincipalName: test@EXAMPLE.COM
givenName: Test
cn: Test User
ipaUniqueID: fde5c420-23fb-11e9-bed0-00224db7a139
uidNumber: 1785200007
gidNumber: 1785200007

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
freeipa-users@lists.fedorahosted.org