WiKID + OpenLDAP + Freeradius Howto
I installed OpenLDAP and freeradius on one (virtual) server and WiKID on another. We believe that this separation of duties is good security policy. In a way it also makes the setup easier, because both WiKID and Freeradius listen on port 1812 of the localhost. Both servers are running CentOS 5.
yum install openldap*
yum install freeradius*
yum install freeradius-ldap
Configuring OpenLDAP
To add a test user to OpenLDAP, I created an ldif file, test.ldif. I had already added users previously, so I commented out the first 3 lines.
#dn: ou=People,dc=wikidsystems,dc=com
#ou: People
#objectClass: organizationalUnit
dn: uid=test,ou=People,dc=wikidsystems,dc=com
uid: test
cn: Test Guy
displayName: Test Guy
givenName: Test
sn: Own
objectClass: inetOrgPerson
userPassword: mypassword
mail: test@wikidsystems.com
dialupAccess: yes
Note the last line, dialupAccess. Freeradius uses this attribute to determine whether the user is allowed to log in.
Here are the contents of the slapd.conf file:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/misc.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
database bdb
suffix "dc=wikidsystems,dc=com"
rootdn "cn=root,dc=wikidsystems,dc=com"
rootpw {SSHA}mM7fsBarApAwbnMKXxNh+fXQ1OYppFY9
password-hash {SSHA}
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname,displayName eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index default sub
Add the network client to /etc/raddb/clients.conf. This entry is for the VPN, website, or other service the user is authenticating to (the RADIUS client).
client 192.168.0.120 {
# # secret and password are mapped through the "secrets" file.
secret = testing_secret
# shortname = liv1
# # the following three fields are optional, but may be used by
# # checkrad.pl for simultaneous usage checks
# nastype = livingston
# login = !root
# password = someadminpas
}
Freeradius will proxy the authentication requests for the dialupAccess users to the WiKID server. Create an entry in /etc/raddb/proxies.conf:
Proxy - the WiKID server:
realm NULL {
type = radius
authhost = 192.168.0.100:1812
accthost = localhost
secret = testing_secret
}
Configuring Freeradius
In /etc/radius.conf add the following to allow proxy requests and to enable LDAP authorization and PAP authentication.
First configure ldap:
# Lightweight Directory Access Protocol (LDAP)
#
# This module definition allows you to use LDAP for
# authorization and authentication.
#
ldap {
server = "localhost"
basedn = "dc=wikidsystems,dc=com"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
start_tls = no
access_attr = "dialupAccess"
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
edir_account_policy_check=no
timeout = 4
timelimit = 3
net_timeout = 1
}
Note the use of access_attr = "dialupAccess". Next add ldap under authorize:
authorize {
preprocess
chap
mschap
suffix
eap
files
ldap
pap
}
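As an added example (not from this page or from the FreeRADIUS or WiKID projects), here is a small model of what the ldap step in the authorize section decides for a request: the filter above selects the entry by uid, and access_attr gates access. It assumes rlm_ldap's rule that a user is allowed when the access_attr (dialupAccess) is present with any value other than FALSE and rejected when it is absent or FALSE, and that the suffix module strips an @realm from User-Name; the directory content is constructed in the same LDIF layout as test.ldif.

```python
# Added example, not from the page or from the FreeRADIUS/WiKID projects: a
# model of the ldap step in the authorize section. Assumed rlm_ldap rule: the
# user is allowed when access_attr is present with any value other than FALSE
# and rejected when it is absent or FALSE.
ACCESS_ATTR = "dialupAccess"  # same value as access_attr in the ldap module
# Constructed sample directory in the same LDIF layout as test.ldif.
SAMPLE_LDIF = """\
dn: uid=test,ou=People,dc=wikidsystems,dc=com
uid: test
dialupAccess: yes

dn: uid=nodial,ou=People,dc=wikidsystems,dc=com
uid: nodial

dn: uid=blocked,ou=People,dc=wikidsystems,dc=com
uid: blocked
dialupAccess: FALSE
"""


def parse_ldif(text):
    """Parse simple LDIF (no base64 or folded lines) into {uid: {attr: [values]}}."""
    entries, current = {}, {}
    for line in text.splitlines() + [""]:
        if not line.strip():  # a blank line ends the current entry
            if current:
                entries[current["uid"][0]] = current
            current = {}
        elif not line.startswith("#"):  # skip commented-out lines, as in test.ldif
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def authorize(directory, user_name):
    """Return (decision, reason) for the filter and access_attr checks."""
    # The suffix module strips "@realm", so %{Stripped-User-Name:-%{User-Name}}
    # resolves to the bare uid used in the ldap filter.
    uid = user_name.split("@", 1)[0]
    entry = directory.get(uid)
    if entry is None:
        return "reject", "no entry matches (uid=%s)" % uid
    values = entry.get(ACCESS_ATTR)
    if not values:
        return "reject", "%s attribute absent" % ACCESS_ATTR
    if values[0].upper() == "FALSE":
        return "reject", "%s is FALSE" % ACCESS_ATTR
    return "allow", "authorized; the request is then proxied to the WiKID server"
```

Only entries that carry dialupAccess with a value other than FALSE get past this step, which is why the attribute on the test user matters.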
Make sure that PAP is a supported authentication type:
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
unix
eap
}