@tiran
Last active February 5, 2023 08:02
# create a keytab for the radius service principal (the principal must exist first: ipa service-add 'radius/HOSTNAME')
ipa-getkeytab -p 'radius/HOSTNAME' -k /etc/raddb/radius.keytab
# the keytab is a long-lived credential: root-owned, readable by the radiusd group only
chown root:radiusd /etc/raddb/radius.keytab
chmod 640 /etc/raddb/radius.keytab
# make radius use the keytab for SASL GSSAPI (KRB5_CLIENT_KTNAME lets libkrb5 get tickets from the keytab without a kinit)
mkdir -p /etc/systemd/system/radiusd.service.d
cat > /etc/systemd/system/radiusd.service.d/krb5_keytab.conf << EOF
[Service]
Environment=KRB5_CLIENT_KTNAME=/etc/raddb/radius.keytab
ExecStartPre=-/usr/bin/kdestroy -A
ExecStopPost=-/usr/bin/kdestroy -A
EOF
systemctl daemon-reload
# edit /etc/raddb/mods-enabled/ldap (rlm_ldap, FreeRADIUS 3.x syntax):
#   server = 'LDAP HOSTNAME'     # the IPA server's FQDN; 'localhost' breaks the GSSAPI bind (see the comments below)
#   base_dn = 'cn=accounts,dc=example,dc=org'
#   sasl { mech = 'GSSAPI'  realm = 'YOUR REALM' }
#   update { control:NT-Password := 'ipaNTHash' }
# certs: fresh DH params and a certmonger-tracked server cert (renewed automatically, radiusd restarted on renewal)
mv /etc/raddb/certs /etc/raddb/certs.bak
mkdir /etc/raddb/certs
openssl dhparam -out /etc/raddb/certs/dh 2048   # numbits last: newer OpenSSL stops option parsing at the first positional argument
ipa-getcert request -w -k /etc/pki/tls/private/radius.key -f /etc/pki/tls/certs/radius.pem -T caIPAserviceCert -C 'systemctl restart radiusd.service' -N HOSTNAME -D HOSTNAME -K radius/HOSTNAME
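The whole procedure as one script, added here as an example (my own code, not part of tiran's gist or of FreeIPA/FreeRADIUS): the gist's steps become shell functions that render the systemd drop-in and the rlm_ldap instance to files and check the two things the comment thread below trips over, `server = localhost` breaking the GSSAPI bind and keytab permissions. The host names `ipa.example.org` and `radius.example.org`, the realm `EXAMPLE.ORG`, the function names and the `apply` argument are my assumptions, and the permission/privilege/role recipe that lets the service principal read `ipaNTHash` is the usual FreeIPA one, assumed rather than taken from the gist.

```shell
#!/bin/sh
# Added example, not part of tiran's gist: the gist's steps as shell functions
# that render the systemd drop-in and the rlm_ldap instance to files and check
# what the comment thread tripped over (server = localhost breaking the GSSAPI
# bind, keytab permissions). Host names, realm and base DN are hypothetical
# placeholders; run "sh freeradius-ipa.sh apply" as an IPA admin on the RADIUS host.
set -u

IPA_HOST=ipa.example.org          # assumed IPA server FQDN (never localhost)
RADIUS_HOST=radius.example.org    # assumed FreeRADIUS host FQDN
REALM=EXAMPLE.ORG                 # assumed Kerberos realm
BASE_DN='cn=accounts,dc=example,dc=org'
KEYTAB=/etc/raddb/radius.keytab

# Drop-in for radiusd.service: KRB5_CLIENT_KTNAME makes libkrb5 fetch a TGT for
# radius/HOST from the keytab on demand (no kinit needed); kdestroy -A drops any
# stale credential cache around restarts.
render_krb5_dropin() {  # $1 = drop-in file, $2 = keytab path
    cat > "$1" <<EOF
[Service]
Environment=KRB5_CLIENT_KTNAME=$2
ExecStartPre=-/usr/bin/kdestroy -A
ExecStopPost=-/usr/bin/kdestroy -A
EOF
}

# Minimal rlm_ldap instance in FreeRADIUS 3.x syntax; merge it into the distro's
# mods-available/ldap instead of replacing that file.
render_ldap_module() {  # $1 = output file, $2 = IPA FQDN, $3 = base DN, $4 = realm
    cat > "$1" <<EOF
ldap {
    server = 'ldap://$2'
    base_dn = '$3'
    sasl {
        mech = 'GSSAPI'
        realm = '$4'
    }
    update {
        control:NT-Password := 'ipaNTHash'
    }
    user {
        base_dn = "\${..base_dn}"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
}
EOF
}

# GSSAPI authenticates the server too: the client asks the KDC for a ticket for
# ldap/<server>@REALM, and no ldap/localhost principal exists, so server =
# localhost fails with "Bind with (anonymous) ... failed: Local error".
check_ldap_server() {   # $1 = server name from the ldap module
    case "$1" in
        localhost|127.0.0.1|::1)
            echo "rlm_ldap server must be the IPA FQDN, not $1" >&2; return 1 ;;
        *.*) return 0 ;;
        *) echo "rlm_ldap server must be a FQDN (ldap/<fqdn> principal), got $1" >&2; return 1 ;;
    esac
}

# The keytab is a long-lived credential: root:radiusd, mode 640, no world bits.
check_keytab_perms() {  # $1 = keytab path
    mode=$(stat -c %a "$1") || return 1
    case "$mode" in
        640|600|440|400) return 0 ;;
        *) echo "$1 has mode $mode, expected 640" >&2; return 1 ;;
    esac
}

apply() {
    set -e
    ipa service-add "radius/$RADIUS_HOST"          # the principal must exist first
    ipa-getkeytab -p "radius/$RADIUS_HOST" -k "$KEYTAB"
    chown root:radiusd "$KEYTAB"; chmod 640 "$KEYTAB"; check_keytab_perms "$KEYTAB"
    mkdir -p /etc/systemd/system/radiusd.service.d
    render_krb5_dropin /etc/systemd/system/radiusd.service.d/krb5_keytab.conf "$KEYTAB"
    systemctl daemon-reload
    check_ldap_server "$IPA_HOST"
    render_ldap_module /etc/raddb/mods-available/ldap.ipa "$IPA_HOST" "$BASE_DN" "$REALM"
    # Assumed standard FreeIPA recipe: ipaNTHash is not readable by default, so
    # grant the service principal read access through a permission, privilege and role.
    ipa permission-add 'ipaNTHash service read' --attrs=ipaNTHash --type=user --right=read
    ipa privilege-add 'Radius services'
    ipa privilege-add-permission 'Radius services' --permissions='ipaNTHash service read'
    ipa role-add 'Radius server'
    ipa role-add-privilege 'Radius server' --privileges='Radius services'
    ipa role-add-member 'Radius server' --services="radius/$RADIUS_HOST"
    # Probe the bind the way radiusd will (keytab, GSSAPI, FQDN) before starting it.
    KRB5_CLIENT_KTNAME="$KEYTAB" ldapwhoami -Y GSSAPI -H "ldap://$IPA_HOST"
    # TLS material: numbits last (newer OpenSSL stops option parsing at the first
    # positional argument); certmonger renews the cert and restarts radiusd.
    openssl dhparam -out /etc/raddb/certs/dh 2048
    ipa-getcert request -w -k /etc/pki/tls/private/radius.key -f /etc/pki/tls/certs/radius.pem \
        -T caIPAserviceCert -C 'systemctl restart radiusd.service' \
        -N "CN=$RADIUS_HOST" -D "$RADIUS_HOST" -K "radius/$RADIUS_HOST"
}

if [ "${1:-}" = apply ]; then apply; fi
```

The render and check functions run anywhere, so the configuration can be reviewed on a workstation before `apply` touches the RADIUS host; `ldapwhoami -Y GSSAPI` with `KRB5_CLIENT_KTNAME` set reproduces exactly the bind radiusd performs, which makes it the quickest way to separate a Kerberos problem (no ticket for `ldap/<server>`) from an rlm_ldap configuration problem.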
@vladiceanu

Hi,
after setting ldap sasl mech = 'GSSAPI', I'm getting this:

rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
rlm_ldap (ldap): Connecting to ldap://localhost:389
rlm_ldap (ldap): Starting SASL mech(s): GSSAPI
SASL/GSSAPI authentication started
rlm_ldap (ldap): Bind with (anonymous) to ldap://localhost:389 failed: Local error
rlm_ldap (ldap): Opening connection failed (0)
rlm_ldap (ldap): Removing connection pool
/etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap"

@hfuops

hfuops commented Nov 20, 2017

Supplement:

  1. You need to add a service principal first with ipa service-add 'radius/<FQDN_OF_YOUR_IPA>', and then

  2. ipa-getkeytab -p 'radius/<FQDN_OF_YOUR_IPA>' -k /etc/raddb/radiusd.keytab

  3. for "SASL/GSSAPI authentication started
    rlm_ldap (ldap): Bind with (anonymous) to ldap://localhost:389 failed: Local error"

just modify 'mods-enabled/ldap':

server = '<FQDN_OF_YOUR_IPA>', e.g. ipa.xxx.com, and
base_dn = 'cn=accounts,dc=xxx,dc=com'

Everything works.

@alinalexandru

@tiran Could you please describe what this gist is doing?
Can it be used for WPA2 wi-fi authentication?

@cmdrogogov

cmdrogogov commented Feb 17, 2020

Are you able to post an example file of the ldap module? I don't seem to be able to get it working; specifically, there seems to be a syntax issue when modifying from the default configs.

Additionally, I'm getting binding errors, as LDAP is apparently still expecting some kind of identity information.

@tiran
Author

tiran commented Feb 17, 2020

I haven't done any work with FreeRADIUS in years and don't have the files. Perhaps you are able to get help on the FreeIPA users mailing list.

@cmdrogogov

I already had this:

ldap sasl update control:NT-Password := 'ipaNTHash'

in a later section of the file, which was preventing startup:

update { control:Password-With-Header += 'userPassword' control:NT-Password := 'ipaNTHash' }

It also turns out systemd was running the /etc/raddb/certs/bootstrap script, which kept wiping out my production certs on launch. Oops.

I still can't seem to get it to bind with these instructions, though. Does this require any specific settings on the IPA end? To be fair, this is not a fresh install; I'm modifying an older build which needed password auth for the radius service principal, which is probably unnecessarily complicating matters.
