Gist tiran/770b41cdff10d9f95e9623f468ebccec
```sh
# create keytab for radius user
ipa-getkeytab -p 'radius/HOSTNAME' -k /etc/raddb/radius.keytab
chown root:radiusd /etc/raddb/radius.keytab
chmod 640 /etc/raddb/radius.keytab

# make radius use the keytab for SASL GSSAPI
mkdir -p /etc/systemd/system/radiusd.service.d
cat > /etc/systemd/system/radiusd.service.d/krb5_keytab.conf << EOF
[Service]
Environment=KRB5_CLIENT_KTNAME=/etc/raddb/radius.keytab
ExecStartPre=-/usr/bin/kdestroy -A
ExecStopPost=-/usr/bin/kdestroy -A
EOF
systemctl daemon-reload
```

Edit /etc/raddb/mods-enabled/ldap so the module binds with SASL GSSAPI and maps the FreeIPA NT hash (the `sasl` and `update` blocks both sit directly inside the `ldap` block; replace the placeholders):

```
ldap {
    server = 'LDAP HOSTNAME'
    base_dn = 'cn=accounts,dc=example,dc=org'
    sasl {
        mech = 'GSSAPI'
        realm = 'YOUR REALM'
    }
    update {
        control:NT-Password := 'ipaNTHash'
    }
}
```

```sh
# certs
mv /etc/raddb/certs /etc/raddb/certs.bak
mkdir /etc/raddb/certs
openssl dhparam -out /etc/raddb/certs/dh 2048
ipa-getcert request -w -k /etc/pki/tls/private/radius.key -f /etc/pki/tls/certs/radius.pem -T caIPAserviceCert -C 'systemctl restart radiusd.service' -N HOSTNAME -D HOSTNAME -K radius/HOSTNAME
```
I haven't done any work with FreeRADIUS in years and don't have the files. Perhaps you are able to get help on the FreeIPA users mailing list.
I already had this:

```
ldap sasl update control:NT-Password := 'ipaNTHash'
```

In a later section of the file, which was preventing startup:

```
update { control:Password-With-Header += 'userPassword' control:NT-Password := 'ipaNTHash' }
```
It also turns out systemd was running the /etc/raddb/certs/bootstrap script, which kept wiping out my production certs on launch. Oops.
I still can't seem to get it to bind with these instructions though; does this require any specific settings on the IPA end? To be fair, this is not a fresh install. I'm modifying an older build which needed password auth for the radius service principal, which is probably unnecessarily complicating matters.
Are you able to post an example file of the ldap module? I don't seem to be able to get it working; specifically, there seems to be a syntax issue when modifying from the default configs.
Additionally, I'm getting binding errors, as LDAP is apparently still expecting some kind of identity information.
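A small lint for the ldap module settings from the notes above, covering the two points the thread runs into (the `update` block sitting at the wrong nesting level, and leftover `identity`/`password` bind settings from an older configuration). This is an added example, not code from the gist or from FreeRADIUS; the parser is a minimal reading of the brace-nested config syntax, and the sample file, hostnames and check wording are constructed assumptions.

```python
"""Constructed example, not the gist's code: a minimal parser for FreeRADIUS's
brace-nested config syntax plus checks for the ldap module settings above."""
import re
_SETTING = re.compile(r"^([\w:.-]+)\s*(:=|\+=|=)\s*(.*)$")

def parse(text):  # -> nested dicts: blocks are dicts, settings are (op, value)
    cur = root = {}
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        if line.endswith("{"):
            stack.append(cur)
            cur = cur.setdefault(line[:-1].strip(), {})
        elif line == "}":
            cur = stack.pop()  # a stray '}' raises IndexError, which is fine
        elif m := _SETTING.match(line):
            cur[m.group(1)] = (m.group(2), m.group(3).strip("'\""))
    if stack:
        raise ValueError("unbalanced braces")
    return root

def lint(cfg):  # -> list of problems; empty means the bind/update settings look right
    ldap = cfg.get("ldap")
    if ldap is None:
        return ["no 'ldap { ... }' block"]
    problems = [f"ldap: missing {k}" for k in ("server", "base_dn") if k not in ldap]
    sasl = ldap.get("sasl", {})
    if sasl.get("mech", ("", ""))[1] != "GSSAPI":
        problems.append("ldap.sasl: mech must be 'GSSAPI'")
    if "realm" not in sasl:
        problems.append("ldap.sasl: realm not set")
    if "update" in sasl:  # the notes' "ldap sasl update ..." is a path, not nesting
        problems.append("ldap.sasl: 'update' belongs directly under ldap, not inside sasl")
    if ldap.get("update", {}).get("control:NT-Password") != (":=", "ipaNTHash"):
        problems.append("ldap.update: expected control:NT-Password := 'ipaNTHash'")
    # leftovers from an older password-bind setup deserve a second look under GSSAPI
    problems += [f"ldap: '{k}' still set alongside SASL GSSAPI" for k in ("identity", "password") if k in ldap]
    return problems

SAMPLE = """ldap {  # constructed sample following the notes above
    server = 'ipa.example.org'
    base_dn = 'cn=accounts,dc=example,dc=org'
    sasl {
        mech = 'GSSAPI'
        realm = 'EXAMPLE.ORG'
    }
    update {
        control:NT-Password := 'ipaNTHash'
    }
}"""
```

Run `lint(parse(open("/etc/raddb/mods-enabled/ldap").read()))` on a real file to see the same problem list for it.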