As mentioned in the last post, I’m building a PoC ISP and to do this I need to set both an LDAP and RADIUS servers.
I’m going to run all of this on the latest version of Raspbian Buster.
LDAP
Lets start by installing the LDAP server.
$ sudo apt-get install ldap-serverThis will install OpenLDAP. The first thing to do is to set the admin password and configure the base dn. To do this we first create a hashed version of the password with slappasswd
$ slappasswd
New password:
Re-enter new password:
{SSHA}FRtFAY09RdZN76rZiVfgyqs2F3J9jXPNWe can then create the following ldif file called config.ldif. This sets the admin password and updates the base dn
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}TXcmvaldskl312012cKsPK1cY2321+aj
-
replace: olcRootDN
olcRootDN: cn=admin,dc=hardill,dc=me,dc=uk
-
replace: olcSuffix
olcSuffix: dc=hardill,dc=me,dc=ukWe the apply these changed with the ldapmodify command
$ ldapmodify -a -Q -Y EXTERNAL -H ldapi:/// -f config.ldifNow we have the admin user set up we can start to add the normal users. First we need to create the structure to hold them.
dn: dc=hardill,dc=me,dc=uk
objectClass: dcObject
objectClass: organization
dc: hardill
o: hardill
dn: ou=users,dc=hardill,dc=me,dc=uk
objectClass: organizationalUnit
ou: usersAnd since we’ve set the admin password we need to change the ldapadd command as well
ldapadd -f domain.ldif -D cn=admin,dc=hardill,dc=me,dc=uk -w passwordAgain we need to use the slappasswd command to create password that we can use in the user.ldif file. I’ve added the inetOrgPerson in to the user entry so I can also include the mail item.
dn: uid=isp1,ou=users,dc=hardill,dc=me,dc=uk
objectClass: top
objectClass: person
objectClass: inetOrgPerson
displayName: Joe Blogs
cn: Joe
sn: Blogs
mail: isp1@hardill.me.uk
uid: isp1
userPassword: {SSHA}rozJD+T37NqRQp36myXf1KJ35+7tf2LNAdded to the ldap with
$ ldapadd -f user.ldif -D cn=admin,dc=hardill,dc=me,dc=uk -w password RADIUS
Next we need to install the RADIUS
$ sudo apt-get install freeradiusOnce installed we need to enable the LDAP module and configure it to use the server we have just setup. To do this we need to symlink the ldap file from /etc/freeradius/3.0/mods-available to /etc/freeradius/3.0/mods-enabled. Next edit the identity, password and base_dn in the ldap config file to match the settings in config.ldif.
...
# additional schemes:
# - ldaps:// (LDAP over SSL)
# - ldapi:// (LDAP over Unix socket)
# - ldapc:// (Connectionless LDAP)
server = 'localhost'
# server = 'ldap.rrdns.example.org'
# server = 'ldap.rrdns.example.org'
# Port to connect on, defaults to 389, will be ignored for LDAP URIs.
# port = 389
# Administrator account for searching and possibly modifying.
# If using SASL + KRB5 these should be commented out.
identity = 'cn=admin,dc=hardill,dc=me,dc=uk'
password = password
# Unless overridden in another section, the dn from which all
# searches will start from.
base_dn = 'ou=users,dc=hardill,dc=me,dc=uk'
#
# SASL parameters to use for admin binds
...Once we’ve restarted freeradius we can test if we can authenticate the isp1 user with the radtest command.
$ radtest isp1 secret 127.0.0.1 testing123
Sent Access-Request Id 159 from 0.0.0.0:42495 to 127.0.0.1:1812 length 78
User-Name = "isp1"
User-Password = "secret"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "secret"
Received Access-Accept Id 159 from 127.0.0.1:1812 to 127.0.0.1:42495 length 51
testing123 is the default password for a RADIUS client connecting from 127.0.0.1, you can change this and add more clients in the /etc/freeradius/3.0/clients.conf file.
In the next post I’ll talk about setting up PPPoE
Why install both LDAP and Radius? Is there more security?
No, the data the Radius server provides comes from the LDAP (It’s the best place to keep the user information)