Synology usage series 21 – Install FreeRadius Server and integrate with OpenLDAP Server


Integrates with OpenLDAP Server

The authentication server is installed, now we need to integrate with the password store. The password store can be a lots of thing, it can be a plaintext file, MYSQL Database, LDAP Server and etc.

Since I previously installed OpenLDAP Server, I will use OpenLDAP here.

  1. Edit the radiusd.conf

    looks for the ldap { line

    ldap{
       server = "127.0.0.1"
    
       # if your ldap is configured to block anonymous bind, then you need to assign admin user and password here. otherwise, comment the identity and password lines below.
       identity "cn=admin,dc=mydomain,dc=com"
       password = password of the admin user
       basedn = "dc=mydomain,dc=com"
       #filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
       start_tls = no
    
       # Define the object for LDAP to lookup the user account, this is usually the attribute defining the user ID, i.e. uid and cn
       access_attr = "uid"
    
       dictionary_mapping = ${raddbdir}/ldap.attrmap
       authtype=ldap
       ldap_connections_number = 5
       timeout = 4
       timelimit = 3
       net_timeout = 1
    

    Then looks for the line authorize { and uncomment the ldap line.

    authorize{
       ldap
    

    Also looks for the line authenticate { and uncomment the ldap relate lines

    authenticate {
            Auth-Type LDAP {
                    ldap
            }
    
  2. Edit ldap.attrmap file, add the following line
    checkItem       User-Password                   userPassword
    
  3. Edit client.conf
    client localhost {
       # define the password for accessing the radius server from localhost
       secret = password for internal access
    
  4. Edit /opt/etc/raddb/sites-enabled/default

    # vi /opt/etc/raddb/sites-enabled/default

    uncomment line of ldap within authorize section

    authorize {
        ldap
    

    uncomment ldap within authenticate section

    authenticate {
            Auth-Type LDAP {
                    ldap
            }
    

    Save and exit.

  5. Edit users file, delete the dummy testing account we previously added.
  6. Restart Radius Server
  7. Test the radius server and input any user account defined in OpenLDAP database.
    radtest [ldap username] [ldap user password] localhost 0 [radius internal secret password defined in client.conf]
    

Now the Radius server will be able to perform authentication for all the LDAP users 🙂





16 thoughts


  1. I did as You described and the make process threw warning on missing openssl.cnf file and furthermore some errors. How can I “remake” the initial configuration in Your step no.7 in case sth failed? Is there anything special on Synology DSM3.0 compared to “standard” Linux as described on freeradius.org?

    • Please read the README in the certs directory. You can simply run the command below and do it all over again

      rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt*

  2. Hi Ray.

    Awsome site 🙂

    I get this: when I run radiusd -X

    Makefile:69: *** missing separator. Stop.
    Exec-Program output:
    Exec-Program: returned: 2
    rlm_eap: Failed to initialize type tls
    /opt/etc/raddb/eap.conf[17]: Instantiation failed for module “eap”
    /opt/etc/raddb/radiusd.conf[1719]: Failed to find module “eap”.
    /opt/etc/raddb/radiusd.conf[1666]: Errors parsing authenticate section.
    }
    }
    Errors initializing modules

    Why is this ? I have double checked everything and I can´t seem to find any thing wrong.

    Please help 🙂

    BTW My DSM ver. is 3.2-1955

    Best regards Mads

    • radius failed to generate certificates for eap modules. Take a look to the /opt/etc/raddb/certs/Makefile line 69.

      In case you don’t need eap, or you don’t need certificates support at all, try comment all eap and $INCLUDE ${confdir}/eap.conf in the /opt/etc/raddb/radiusd.conf.

  3. Hi Ray.

    Thx for the fast respons 🙂

    I found some erros in the makefile that I some have had done wrong. I manage to lounch the RADIUS but i get erros in the radiuss.conf which said!

    sthlmdsx01> radiusd -X
    FreeRADIUS Version 2.0.5, for host i686-pc-linux-gnu, built on Nov 2 2010 at 00:15:35
    Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
    There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
    PARTICULAR PURPOSE.
    You may redistribute copies of FreeRADIUS under the terms of the
    GNU General Public License v2.
    Starting – reading configuration files …
    including configuration file /opt/etc/raddb/radiusd.conf
    including configuration file /opt/etc/raddb/proxy.conf
    including configuration file /opt/etc/raddb/clients.conf
    including configuration file /opt/etc/raddb/snmp.conf
    including configuration file /opt/etc/raddb/eap.conf
    including configuration file /opt/etc/raddb/sql.conf
    including configuration file /opt/etc/raddb/sql/mysql/dialup.conf
    /opt/etc/raddb/radiusd.conf[1721]: Too many closing braces
    Errors reading /opt/etc/raddb/radiusd.conf

    I look in the file att line 1721 and found that there was missing braces!!!? so I added the needed one, One brace, which is the one al the way in the end!

    FYI: The file look like this:

    # The common reasons to set the Auth-Type attribute by hand
    # is to either forcibly reject the user, or forcibly accept him.
    #
    authenticate {

    # PAP authentication, when a back-end database listed
    # in the ‘authorize’ section supplies a password. The
    # password can be clear-text, or encrypted.
    Auth-Type PAP {
    pap
    }

    #
    # Most people want CHAP authentication
    # A back-end database listed in the ‘authorize’ section
    # MUST supply a CLEAR TEXT password. Encrypted passwords
    # won’t work.
    Auth-Type CHAP {
    chap
    }

    #
    # MSCHAP authentication.
    Auth-Type MS-CHAP {
    mschap
    }

    #
    # If you have a Cisco SIP server authenticating against
    # FreeRADIUS, uncomment the following line, and the ‘digest’
    # line in the ‘authorize’ section.
    # digest

    #
    # Pluggable Authentication Modules.
    # pam

    #
    # See ‘man getpwent’ for information on how the ‘unix’
    # module checks the users password. Note that packets
    # containing CHAP-Password attributes CANNOT be authenticated
    # against /etc/passwd! See the FAQ for details.
    #
    unix

    # Uncomment it if you want to use ldap for authentication
    #
    # Note that this means “check plain-text password against
    # the ldap database”, which means that EAP won’t work,
    # as it does not supply a plain-text password.
    #Auth-Type LDAP {ldap}

    #
    #Allow eap authentication.
    Auth-Type eap {
    eap
    }
    }

    #
    # Pre-accounting. Decide which accounting type to use
    I have looked and when i set in the amount of braces whiches is needed it comes with the error that it cant find the eap module … I just don´t get it!

    This is what i get when I add in the right amount of braces in the file.

    make: *** [ca.pem] Error 1
    Exec-Program output: /opt/bin/openssl req -new -x509 -keyout ca.key -out ca.pem -days -config ./ca.cnf
    Exec-Program-Wait: plaintext: /opt/bin/openssl req -new -x509 -keyout ca.key -out ca.pem -days -config ./ca.cnf
    Exec-Program: returned: 2
    rlm_eap: Failed to initialize type tls
    /opt/etc/raddb/eap.conf[17]: Instantiation failed for module “eap”
    /opt/etc/raddb/radiusd.conf[1719]: Failed to find module “eap”.
    /opt/etc/raddb/radiusd.conf[1719]: Failed to parse “eap” entry.
    }
    }
    Errors initializing modules

    Any Ideas?

    • Ok I think I guessed what’s your issue now.

      From your first line:

      sthlmdsx01> radiusd -X

      It seems like that you are running radiusd as sthlmdsx01. Please look at step 1 here and run radiusd as root.

      Please follow every single steps, unless it was marked optional, otherwise all steps I mentioned is necessary to make things happen.

  4. Hi Ray.

    Ryd for the respons. I ssh to the höst as root, i know it is à bad habit bit i do. I would be thrilled if you would look at my files. If I zip them how kan I send them to you? Via FTP or mail ?
    Best regards,

    And thx for the help again 🙂

    • It is required to run radiusd as root the first time so that radius got enough permission to generate certificates things for the eap/tls module. Once setup completed it is not a must to run radiusd as root.

      If you still encountered any issues pls zip the config/log to somewhere and lemme know the url either here or using the contact form above.

      Good luck!

  5. Hi Ray.

    I would def. want to use EAP, so if you don´t mind looking over my conf. it wold be awesome.
    I have zipped eap, radiusd and Makefile do it for you?
    Which log do you want and from which dir?

    Thanks Ray.

    Best regards

    Mads

  6. Hey Ray,

    first of all, thx for the great work!
    I followed your guide, step by step on my 107+, but when i issue the Radiud -X, i get the following errors:

    rlm_eap: SSL error error:06074079:digital envelope routines:EVP_PBE_CipherInit:unknown pbe algorithm
    rlm_eap_tls: Error reading private key file /opt/etc/raddb/certs/server.pem
    rlm_eap: Failed to initialize type tls
    /opt/etc/raddb/eap.conf[17]: Instantiation failed for module “eap”
    /opt/etc/raddb/radiusd.conf[1721]: Failed to find module “eap”.
    /opt/etc/raddb/radiusd.conf[1668]: Errors parsing authenticate section.
    }
    }
    Errors initializing modules

    Could you pls help me out on this. Would be too nice having a Radius running.

    Thx in advance,

    Thomas

Leave a Reply

Your email address will not be published. Required fields are marked *