Starting radiusd -X to check the config, I got many errors, so I did:
- Changing the key file in /etc/raddb/mods-enabled/eap:
From
private_key_file = ${certdir}/server.pem
To
private_key_file = ${certdir}/radius.key
# cp /etc/pki/tls/certs/radius.pem /etc/raddb/certs/server.pm
# chmod 0640 /etc/raddb/certs/server.pem
# chown root:radiusd /etc/raddb/certs/server.pem
# cp -r /etc/raddb/certs.bak/ca.pem /etc/raddb/certs/
# chown root:radiusd /etc/raddb/certs/ca.pem
# cp /etc/pki/tls/private/radius.key /etc/raddb/certs/
# chmod 0640 /etc/raddb/certs/radius.key
# chown root:radiusd /etc/raddb/certs/radius.key

And now I got this error:
rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
rlm_ldap (ldap): Connecting to ldap://freeipa.example.com:389
TLSMC: MozNSS compatibility interception begins.
tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.
tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
TLSMC: MozNSS compatibility interception ends.
rlm_ldap (ldap): Starting SASL mech(s): GSSAPI
SASL/GSSAPI authentication started
rlm_ldap (ldap): Bind with (anonymous) to ldap://freeipa.example.com:389 failed: Local error
rlm_ldap (ldap): Opening connection failed (0)
rlm_ldap (ldap): Removing connection pool
/etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap"



On Wed, Mar 13, 2019 at 11:52 AM Alexander Bokovoy <abokovoy@redhat.com> wrote:
On ke, 13 maalis 2019, Boudjoudad Abdelkader wrote:
>Thanks for the quick reply, I followed these steps
><https://gist.github.com/abbra/a74e171d791cf90113b0272b78919987> but it
>seems that it's missing some steps, after moving certs to certs.bak and
>creating a new certificate:
>- The private key and certificate files should be copied to the new certs
>directory created
>Or
>- Changing the path in /etc/raddb/mods-enabled/eap for each file?
For those please follow existing documentation for FreeRADIUS. These
steps are just showing FreeIPA-specific changes. You can always change
the paths in the configuration.

>
>
>
>On Wed, Mar 13, 2019 at 11:38 AM Alexander Bokovoy <abokovoy@redhat.com>
>wrote:
>
>> On ke, 13 maalis 2019, Boudjoudad Abdelkader via FreeIPA-users wrote:
>> >Hi Alexander, and thank you for the documents,
>> >
>> >Right, I didn't configure FreeRADIUS to use Kerberos authentication, but a
>> >question please: with the radtest command above the authentication is
>> >performed, and if I see Access-Accept, does it mean the password provided
>> >in the command matches the password in LDAP?
>> Perhaps it matches the password but your problem (as I understood) was
>> that you weren't able to pull the group membership out of LDAP. These
>> are two different steps -- the RADIUS server's ldap plugin uses the user's
>> password for authentication but it should also use its own credentials to
>> bind to LDAP for the authorization step.
>>
>> >
>> >On Tue, Mar 12, 2019 at 2:59 PM Alexander Bokovoy <abokovoy@redhat.com>
>> >wrote:
>> >
>> >> On ti, 12 maalis 2019, Boudjoudad Abdelkader wrote:
>> >> >Hi Alexander,
>> >> >Thank you for your quick reply, and sorry, I am very new to FreeRADIUS.
>> >> >I did:
>> >> >- Changing in /etc/raddb/sites-enabled/default and
>> >> >/etc/raddb/sites-enabled/inner-tunnel
>> >> >      -ldap
>> >> >to:
>> >> >       ldap
>> >> >        if ((ok || updated) && User-Password) {
>> >> >            update {
>> >> >                control:Auth-Type := ldap
>> >> >            }
>> >> >        }
>> >> >
>> >> >- /etc/raddb/mods-enabled/ldap
>> >> >ldap {
>> >> >        server = 'ldapserver.example.com'
>> >> >        #       port = 389
>> >> >        #       password = mypass
>> >> >         base_dn = 'cn=users,cn=accounts,dc=example,dc=com'
>> >> >}
>> >> So, above you aren't using any credentials to authenticate to LDAP
>> >> server. You need to define *some* credentials here that radius server
>> >> would use to bind to LDAP before checking what it needs.
>> >>
>> >> For basic explanation see
>> >>
>> https://www.redhat.com/archives/freeipa-users/2015-December/msg00170.html
>> >>
>> >> For some example, one can look at
>> >> https://gist.github.com/abbra/a74e171d791cf90113b0272b78919987
>> >> which describes roughly how to make RADIUS authenticate to LDAP with
>> >> SASL GSSAPI instead of a simple bind. It may be missing something, I just
>> >> updated Christian's version which is several years old.
>> >>
>> >> >
>> >> >user {
>> >> >        base_dn = "${..base_dn}"
>> >> >        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
>> >> >        #               scope = 'sub'
>> >> >        #               sort_by = '-uid'
>> >> >        #               access_attribute = 'dialupAccess'
>> >> >        #               access_positive = yes
>> >> >}
>> >> >group {
>> >> >           base_dn = "${..base_dn}"
>> >> >           filter = '(objectClass=posixGroup)'
>> >> >           scope = 'sub'
>> >> >           name_attribute = cn
>> >> >           membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
>> >> >
>> >> >            membership_attribute = memberOf
>> >> >            cacheable_name = 'yes'
>> >> >            cacheable_dn = 'yes'
>> >> >            #               cache_attribute = 'LDAP-Cached-Membership'
>> >> >}
>> >> >
>> >> >To test the user I did:
>> >> ># radtest ttest2 password ldapserver.example.com 1812 secretkey
>> >> >
>> >> >Thanks,
>> >> >
>> >> >
>> >> >
>> >> >
>> >> >
>> >> >On Tue, Mar 12, 2019 at 2:06 PM Alexander Bokovoy <abokovoy@redhat.com
>> >
>> >> >wrote:
>> >> >
>> >> >> On ti, 12 maalis 2019, Boudjoudad Abdelkader via FreeIPA-users wrote:
>> >> >> >Hi,
>> >> >> >I'm trying to check if a user is in a given group name in LDAP but it
>> >> >> >doesn't work, here is the configuration:
>> >> >> >- vi /etc/raddb/mods-enabled/ldap
>> >> >>
>> >> >> How do you connect to the LDAP server? You need to use authenticated
>> >> >> bind to see member attributes.
>> >> >>
>> >> >> >ldap {
>> >> >> >...
>> >> >> >base_dn = 'cn=users,cn=accounts,dc=server,dc=example,dc=com'
>> >> >> >...
>> >> >> >}
>> >> >> >group {
>> >> >> >base_dn = "${..base_dn}"
>> >> >> >filter = '(objectClass=posixGroup)'
>> >> >> >scope = 'sub'
>> >> >> >name_attribute = cn
>> >> >> >membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
>> >> >> >membership_attribute = memberOf
>> >> >> > cacheable_name = 'yes'
>> >> >> > cacheable_dn = 'yes'
>> >> >> ># cache_attribute = 'LDAP-Cached-Membership'
>> >> >> >
>> >> >> >The result:
>> >> >> >rlm_ldap (ldap): Reserved connection (2)
>> >> >> >(0)     Using user DN from request
>> >> >> >"uid=ttest2,cn=users,cn=accounts,dc=server,dc=example,dc=com"
>> >> >> >(0)     Checking for user in group objects
>> >> >> >(0)       EXPAND (&(cn=ipausers)(objectClass=posixGroup)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
>> >> >> >(0)          --> (&(cn=ipausers)(objectClass=posixGroup)(|(member=uid\3dttest2\2ccn\3dusers\2ccn\3daccounts\2cdc\3dserver\2cdc\3dexample\2cdc\3com)(memberUid=ttest2)))
>> >> >> >(0)       Performing search in "cn=users,cn=accounts,dc=server,dc=example,dc=com" with filter "(&(cn=ipausers)(objectClass=posixGroup)(|(member=uid\3dttest2\2ccn\3dusers\2ccn\3daccounts\2cdc\3dserver\2cdc\3dexample\2cdc\3dcom)(memberUid=ttest2)))", scope "sub"
>> >> >> >(0)       Waiting for search result...
>> >> >> >(0)       Search returned no results
>> >> >> >(0)     Checking user object's memberOf attributes
>> >> >> >(0)       Performing unfiltered search in "uid=ttest2,cn=users,cn=accounts,dc=server,dc=example,dc=com", scope "base"
>> >> >> >(0)       Waiting for search result...
>> >> >> >(0)     No group membership attribute(s) found in user object
>> >> >> >
>> >> >> >What am I missing?
>> >> >> >Thanks,
>> >> >>
>> >> >> >_______________________________________________
>> >> >> >FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> >> >> >To unsubscribe send an email to
>> >> >> freeipa-users-leave@lists.fedorahosted.org
>> >> >> >Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>> >> >> >List Guidelines:
>> >> https://fedoraproject.org/wiki/Mailing_list_guidelines
>> >> >> >List Archives:
>> >> >>
>> >>
>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>> >> >>
>> >> >>
>> >> >> --
>> >> >> / Alexander Bokovoy
>> >> >> Sr. Principal Software Engineer
>> >> >> Security / Identity Management Engineering
>> >> >> Red Hat Limited, Finland
>> >> >>
>> >>
>>
>>
>>

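The following is an added example, written for this page; it is not code from the thread, from FreeRADIUS or from FreeIPA. It models the two-step group check that the rlm_ldap debug output above shows (first a search for group objects with the expanded membership_filter, then a fall-back to the user's memberOf attribute) against a small constructed in-memory directory. The filter escaping reproduces the hex-escaped DN seen in the debug output (uid\3dttest2\2ccn\3dusers...); the rule "only ASCII letters and digits pass unescaped" is an assumption that matches that output, not rlm_ldap's exact character set. The directory content, the PRIVILEGED_ATTRS set (a stand-in for the FreeIPA ACL that hides member/memberOf from an anonymous bind, which is the "authenticated bind" point Alexander makes) and the second search base are all constructed. The example also goes one step beyond the thread: FreeIPA keeps groups under cn=groups,cn=accounts, so a group base_dn inherited from cn=users,cn=accounts never finds the group object, and only the memberOf step can succeed, and only with an authenticated bind.

```python
"""Simulate rlm_ldap's group-membership check (added example, constructed data)."""


def ldap_escape(value: str) -> str:
    """Hex-escape a value for use inside an LDAP filter (RFC 4515 style).

    Assumption: only ASCII letters and digits pass through; every other byte
    becomes \\xx, which reproduces the debug output above ('=' -> \\3d, ',' -> \\2c).
    """
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
    return "".join(out)


# Constructed directory modelled on the DNs in the thread (FreeIPA layout:
# users under cn=users,cn=accounts, groups under cn=groups,cn=accounts).
SUFFIX = "dc=server,dc=example,dc=com"
USER_DN = "uid=ttest2,cn=users,cn=accounts," + SUFFIX
GROUP_DN = "cn=ipausers,cn=groups,cn=accounts," + SUFFIX
USERS_BASE = "cn=users,cn=accounts," + SUFFIX    # the thread's base_dn
GROUPS_BASE = "cn=groups,cn=accounts," + SUFFIX  # where FreeIPA stores groups

DIRECTORY = {
    USER_DN: {"uid": ["ttest2"], "objectClass": ["posixAccount"], "memberOf": [GROUP_DN]},
    GROUP_DN: {"cn": ["ipausers"], "objectClass": ["posixGroup", "groupOfNames"],
               "member": [USER_DN]},
}
# Constructed ACL model: these attributes are not readable by an anonymous bind.
PRIVILEGED_ATTRS = {"member", "memberOf"}


def read_entry(dn: str, authenticated: bool):
    """Return the entry as the current bind is allowed to see it (None if absent)."""
    entry = DIRECTORY.get(dn)
    if entry is None:
        return None
    if authenticated:
        return entry
    return {k: v for k, v in entry.items() if k not in PRIVILEGED_ATTRS}


def search(base: str, authenticated: bool):
    """Subtree search: every entry at or below base, as seen by this bind."""
    return {dn: read_entry(dn, authenticated)
            for dn in DIRECTORY if dn == base or dn.endswith("," + base)}


def membership_filter(group: str, user_dn: str, username: str) -> str:
    """Expand the thread's membership_filter the way rlm_ldap logs it."""
    return ("(&(cn=%s)(objectClass=posixGroup)(|(member=%s)(memberUid=%s)))"
            % (ldap_escape(group), ldap_escape(user_dn), ldap_escape(username)))


def group_matches(entry, group: str, user_dn: str, username: str) -> bool:
    """Evaluate the same filter structurally against one visible entry."""
    return (group in entry.get("cn", [])
            and "posixGroup" in entry.get("objectClass", [])
            and (user_dn in entry.get("member", []) or username in entry.get("memberUid", [])))


def check_membership(group, user_dn, username, group_base, authenticated):
    """Return (is_member, trace) following rlm_ldap's order of checks."""
    trace = ['search base "%s" filter "%s"' % (group_base, membership_filter(group, user_dn, username))]
    hits = [dn for dn, e in search(group_base, authenticated).items()
            if group_matches(e, group, user_dn, username)]
    if hits:
        trace.append("group object found: " + hits[0])
        return True, trace
    trace.append("Search returned no results")
    user = read_entry(user_dn, authenticated) or {}
    groups = user.get("memberOf", [])
    if not groups:
        trace.append("No group membership attribute(s) found in user object")
        return False, trace
    trace.append("memberOf: " + ", ".join(groups))
    # Compare the first RDN of each memberOf DN with the requested group name.
    return any(dn.split(",", 1)[0].lower() == "cn=" + group.lower() for dn in groups), trace


if __name__ == "__main__":
    for base in (USERS_BASE, GROUPS_BASE):
        for auth in (False, True):
            ok, trace = check_membership("ipausers", USER_DN, "ttest2", base, auth)
            print("base=%s authenticated=%s -> member=%s" % (base, auth, ok))
            for line in trace:
                print("    " + line)
```

Run as a script, the first case (users base, anonymous bind) reproduces the thread's trace line for line: the group search under cn=users finds nothing, and the user object shows no memberOf because the bind cannot read it. The same base with an authenticated bind succeeds through memberOf; with the groups base an authenticated bind succeeds directly on the group object.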