7.12. RADIUS LDAP Authentication
In most cases, authenticating against AD/LDAP requires joining the domain. This can be avoided by configuring RADIUS to validate the credentials over LDAP(S) with the FreeRADIUS LDAP module (rlm_ldap), as long as the request carries the password in plain text (PAP).
Important
Credential validation against LDAP is only possible when the password arrives in plain text, because rlm_ldap validates it by binding to the directory as the user. This excludes 802.1X authentications based on challenge/response methods such as PEAP/MSCHAPv2, where the RADIUS server never sees the password and must join the domain to validate the response. Because passwords travel to the directory in clear, use LDAPS (port 636) or StartTLS between the RADIUS server and the LDAP server.
To configure the LDAP module, follow these steps:
1. Configure the LDAP module in /etc/raddb/mods-available/ldap with the following attributes:
    # LDAP server address
    server = '<LDAP_HOST>'
    # LDAP server port (389 for LDAP, 636 for LDAPS)
    port = <LDAP_PORT>
    # Bind user used to search for the account (a read-only account is enough)
    identity = '<LDAP_BIND_USER>'
    # Bind user password
    password = '<LDAP_BIND_PASSWORD>'
    # The DN from which all searches will start
    base_dn = '<LDAP_BASE_DN>'
    # In the user { } block, set the filter to the attribute that holds the account ID:
    #   typically "uid" for a generic LDAP directory (default option)
    #   typically "sAMAccountName" for an AD
    filter = "(<ACCOUNT_ID_ATTR>=%{%{Stripped-User-Name}:-%{User-Name}})"
2. Enable the LDAP module in FreeRADIUS mods-enabled:
    ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/ldap
3. Enable the LDAP module in /etc/raddb/sites-enabled/default:
3.1. Uncomment the LDAP module in the "authorize" section (remove the leading "#" from these lines):
    #   ldap
    #   if ((ok || updated) && User-Password && !control:Auth-Type) {
    #       update {
    #           control:Auth-Type := ldap
    #       }
    #   }
3.2. Uncomment the LDAP module in the "authenticate" section:
    #   Auth-Type LDAP {
    #       ldap
    #   }
4. Restart the radiusd service:
    systemctl restart radiusd
7.12.1. Multiple LDAP Servers
When more than one LDAP server can answer authentication queries, follow these steps:
1. In /etc/raddb/mods-available/ldap define one named instance per available server, each with its own server, port, identity, password, base_dn and user { } filter, using the following format:
    ldap ldap1 {
    ...
    }
    ldap ldap2 {
    ...
    }
2. In /etc/raddb/sites-enabled/default use the "redundant" statement with the LDAP instances defined above:
Note
Based on the previous steps, replace each "ldap" call with a "redundant" block as follows; the "if" block that sets control:Auth-Type stays as it is. "redundant" moves on to the next instance only when the previous one returns "fail" (server down, bind error), so it provides failover between replicas of the same directory, not lookups across different directories.
    authorize {
        ...
        redundant {
            ldap1
            ldap2
        }
    }
    authenticate {
        ...
        Auth-Type LDAP {
            redundant {
                ldap1
                ldap2
            }
        }
        ...
    }
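The following is an added worked example that ties together the single-server procedure in 7.12 and the redundant setup above; it is not configuration shipped with the product or with FreeRADIUS. It assumes an AD domain corp.example with two domain controllers dc1 and dc2, a read-only bind account svc-radius and a CA file /etc/raddb/certs/corp-ca.pem (all names are placeholders). LDAPS is used so neither the bind password nor the users' plain-text passwords cross the network unencrypted, and the server certificate is verified. For a single server keep only the ldap1 instance and call it directly instead of inside redundant { }.

```conf
# /etc/raddb/mods-available/ldap  (added example, hostnames and DNs are assumptions)

ldap ldap1 {
	# LDAPS URL: with the plain 'server = host' / 'port = 389' form the module
	# speaks clear-text LDAP; either use an ldaps:// URL as here, or keep
	# port 389 and set start_tls = yes in the tls { } block below.
	server = 'ldaps://dc1.corp.example:636'

	# Read-only bind account used only to search for the user entry.
	identity = 'CN=svc-radius,OU=Service Accounts,DC=corp,DC=example'
	password = '<LDAP_BIND_PASSWORD>'

	base_dn = 'DC=corp,DC=example'

	tls {
		ca_file = /etc/raddb/certs/corp-ca.pem
		# Reject the connection if the DC certificate cannot be validated.
		require_cert = 'demand'
	}

	user {
		base_dn = "${..base_dn}"
		# AD account ID attribute; a generic LDAP directory would use uid.
		filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
	}
}

ldap ldap2 {
	server = 'ldaps://dc2.corp.example:636'
	identity = 'CN=svc-radius,OU=Service Accounts,DC=corp,DC=example'
	password = '<LDAP_BIND_PASSWORD>'
	base_dn = 'DC=corp,DC=example'

	tls {
		ca_file = /etc/raddb/certs/corp-ca.pem
		require_cert = 'demand'
	}

	user {
		base_dn = "${..base_dn}"
		filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
	}
}

# /etc/raddb/sites-enabled/default  (only the LDAP-related parts of each section)

authorize {
	...
	# Look the user up on dc1; fall back to dc2 only if dc1 returns "fail".
	redundant {
		ldap1
		ldap2
	}
	# Only PAP requests carry User-Password; everything else keeps its own Auth-Type.
	if ((ok || updated) && User-Password && !control:Auth-Type) {
		update {
			control:Auth-Type := ldap
		}
	}
	...
}

authenticate {
	...
	# Validates the password by binding to the directory as the user.
	Auth-Type LDAP {
		redundant {
			ldap1
			ldap2
		}
	}
	...
}
```

After restarting radiusd, check the configuration with `radiusd -XC` and send a PAP request from the RADIUS host itself, e.g. `radtest alice 'Passw0rd' 127.0.0.1 0 testing123` (the account, password and shared secret are placeholders); it should return Access-Accept. The same test with `radtest -t mschap ...` should be rejected, which confirms the limitation stated in the Important note: without a plain-text password there is nothing rlm_ldap can bind with.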