As mentioned in the last post, I’m building a PoC ISP and to do this I need to set up both an LDAP and a RADIUS server.
I’m going to run all of this on the latest version of Raspbian Buster.
LDAP
Let’s start by installing the LDAP server:
$ sudo apt-get install ldap-server
This will install OpenLDAP. The first thing to do is to set the admin password and configure the base DN. To do this we first create a hashed version of the password with slappasswd:
$ slappasswd
New password:
Re-enter new password:
{SSHA}FRtFAY09RdZN76rZiVfgyqs2F3J9jXPN
We can then create the following LDIF file called config.ldif. This sets the admin password and updates the base DN:
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}TXcmvaldskl312012cKsPK1cY2321+aj
-
replace: olcRootDN
olcRootDN: cn=admin,dc=hardill,dc=me,dc=uk
-
replace: olcSuffix
olcSuffix: dc=hardill,dc=me,dc=uk
We then apply these changes with the ldapmodify command:
$ ldapmodify -a -Q -Y EXTERNAL -H ldapi:/// -f config.ldif
Now we have the admin user set up we can start to add the normal users. First we need to create the structure to hold them, in a file called domain.ldif:
dn: dc=hardill,dc=me,dc=uk
objectClass: dcObject
objectClass: organization
dc: hardill
o: hardill

dn: ou=users,dc=hardill,dc=me,dc=uk
objectClass: organizationalUnit
ou: users
And since we’ve set the admin password we need to change the ldapadd command as well, so that it binds as the admin user:
$ ldapadd -f domain.ldif -D cn=admin,dc=hardill,dc=me,dc=uk -w password
Again we need to use the slappasswd command to create a password hash that we can use in the user.ldif file. I’ve added the inetOrgPerson objectClass to the user entry so I can also include the mail attribute:
dn: uid=isp1,ou=users,dc=hardill,dc=me,dc=uk
objectClass: top
objectClass: person
objectClass: inetOrgPerson
displayName: Joe Blogs
cn: Joe
sn: Blogs
mail: isp1@hardill.me.uk
uid: isp1
userPassword: {SSHA}rozJD+T37NqRQp36myXf1KJ35+7tf2LN
This is added to the LDAP directory with:
$ ldapadd -f user.ldif -D cn=admin,dc=hardill,dc=me,dc=uk -w password
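To show what slappasswd is producing for the userPassword value above (and for the olcRootPW in config.ldif earlier), here is an added Python example; it is not code from the post. It builds and verifies {SSHA} values the way slappasswd does by default (base64 of SHA-1(password + 4-byte salt) followed by the salt) and renders user.ldif entries in the layout shown above. The user names, passwords and salts are constructed for the example; only the base DN and attribute layout come from the post.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample users (not real accounts); hashes are generated at run time.
SAMPLE_USERS: List[Dict[str, str]] = [
    {"uid": "isp1", "cn": "Joe", "sn": "Blogs",
     "mail": "isp1@hardill.me.uk", "password": "correct horse"},
    {"uid": "isp2", "cn": "Jane", "sn": "Doe",
     "mail": "isp2@hardill.me.uk", "password": "battery staple"},
]

BASE_DN = "dc=hardill,dc=me,dc=uk"


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an RFC 2307 style {SSHA} value: base64(sha1(password + salt) + salt).

    This is the scheme slappasswd uses by default; the salt is 4 random bytes
    appended after the 20-byte digest so a verifier can recover it.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def parse_ssha(value: str) -> Tuple[bytes, bytes]:
    """Split an {SSHA} value into (20-byte SHA-1 digest, salt)."""
    if not value.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(value[len("{SSHA}"):])
    if len(raw) <= 20:
        raise ValueError("too short to contain a digest and a salt")
    return raw[:20], raw[20:]


def ssha_verify(password: str, value: str) -> bool:
    """Check a candidate password against a stored {SSHA} value (constant-time compare)."""
    digest, salt = parse_ssha(value)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def user_ldif(user: Dict[str, str], base_dn: str) -> str:
    """Render one inetOrgPerson entry in the layout used in the post.

    The sample values are plain ASCII; LDIF would need base64 (':: ') encoding
    for values that start with a space, colon or '<', or contain non-ASCII.
    """
    lines = [
        f"dn: uid={user['uid']},ou=users,{base_dn}",
        "objectClass: top",
        "objectClass: person",
        "objectClass: inetOrgPerson",
        f"displayName: {user['cn']} {user['sn']}",
        f"cn: {user['cn']}",
        f"sn: {user['sn']}",
        f"mail: {user['mail']}",
        f"uid: {user['uid']}",
        f"userPassword: {ssha_hash(user['password'])}",
    ]
    return "\n".join(lines)


def build_user_ldif(users: List[Dict[str, str]], base_dn: str) -> str:
    """Join entries with the blank line LDIF requires between records."""
    return "\n\n".join(user_ldif(u, base_dn) for u in users) + "\n"


if __name__ == "__main__":
    print(build_user_ldif(SAMPLE_USERS, BASE_DN))
```

Two things worth keeping in mind when using this: {SSHA} is a single SHA-1 pass with a short salt, so the generated LDIF and the directory backups need the same protection as a password file, and passing the admin password with `-w password` on the ldapadd command line leaves it in shell history and the process list, whereas `-W` prompts for it.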
RADIUS
Next we need to install the RADIUS server:
$ sudo apt-get install freeradius
Once installed we need to enable the LDAP module and configure it to use the server we have just set up. To do this we need to symlink the ldap file from /etc/freeradius/3.0/mods-available to /etc/freeradius/3.0/mods-enabled. Next edit the identity, password and base_dn in the ldap config file to match the settings in config.ldif:
...
# additional schemes:
# - ldaps:// (LDAP over SSL)
# - ldapi:// (LDAP over Unix socket)
# - ldapc:// (Connectionless LDAP)
server = 'localhost'
# server = 'ldap.rrdns.example.org'
# server = 'ldap.rrdns.example.org'
# Port to connect on, defaults to 389, will be ignored for LDAP URIs.
# port = 389
# Administrator account for searching and possibly modifying.
# If using SASL + KRB5 these should be commented out.
identity = 'cn=admin,dc=hardill,dc=me,dc=uk'
password = password
# Unless overridden in another section, the dn from which all
# searches will start from.
base_dn = 'ou=users,dc=hardill,dc=me,dc=uk'
#
# SASL parameters to use for admin binds
...
Once we’ve restarted freeradius we can test whether we can authenticate the isp1 user with the radtest command:
$ radtest isp1 secret 127.0.0.1 testing123
Sent Access-Request Id 159 from 0.0.0.0:42495 to 127.0.0.1:1812 length 78
User-Name = "isp1"
User-Password = "secret"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "secret"
Received Access-Accept Id 159 from 127.0.0.1:1812 to 127.0.0.1:42495 length 51
testing123 is the default shared secret for a RADIUS client connecting from 127.0.0.1; you can change this and add more clients in the /etc/freeradius/3.0/clients.conf file.
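Because the shared secret is the only thing protecting the exchange between a RADIUS client and the server, it is worth checking clients.conf for the stock value before anything other than localhost talks to it. The following Python is an added example, not from the post or from the FreeRADIUS project: it parses client { } blocks out of a constructed clients.conf fragment (the localhost block mirrors the stock one; the other two clients are made up) and flags the default testing123 secret, short secrets, catch-all ipaddr ranges and clients that do not require Message-Authenticator. The 16-character minimum is an assumption for the example, not a FreeRADIUS rule.

```python
import re
from typing import Dict, List, Tuple

# Constructed clients.conf fragment in the layout FreeRADIUS 3.0 uses.
SAMPLE_CLIENTS_CONF = """
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
    require_message_authenticator = no
    nas_type = other
}

client pppoe-bras {
    ipaddr = 192.0.2.10
    secret = 8Kq2vZ0mP7xLw3nR5tYb9cJdFhGsUe1A
    require_message_authenticator = yes
}

client anyone {
    ipaddr = 0.0.0.0/0   # accepts any source address
    secret = radius
}
"""

DEFAULT_SECRET = "testing123"
MIN_SECRET_LEN = 16  # assumed policy for this example


def parse_clients(text: str) -> Dict[str, Dict[str, str]]:
    """Parse 'client NAME { key = value ... }' blocks into {name: {key: value}}.

    Strips '#' comments and blank lines. Nested sections inside a client
    (for example 'limit { }') are skipped, as the audit does not need them.
    A secret containing '#' would need quoting handling this parser lacks.
    """
    clients: Dict[str, Dict[str, str]] = {}
    current = None
    depth = 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"client\s+(\S+)\s*\{$", line)
        if m and depth == 0:
            current = m.group(1)
            clients[current] = {}
            depth = 1
            continue
        if line.endswith("{"):
            depth += 1  # nested block inside a client
            continue
        if line == "}":
            depth -= 1
            if depth == 0:
                current = None
            continue
        if current is not None and depth == 1 and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            clients[current][key] = value.strip("\"'")
    return clients


def audit_clients(clients: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (client name, finding) pairs for settings a reviewer would flag."""
    findings: List[Tuple[str, str]] = []
    for name, attrs in clients.items():
        secret = attrs.get("secret", "")
        ipaddr = attrs.get("ipaddr", "")
        if secret == DEFAULT_SECRET:
            findings.append((name, "uses the stock secret 'testing123'"))
        elif len(secret) < MIN_SECRET_LEN:
            findings.append((name, f"secret shorter than {MIN_SECRET_LEN} characters"))
        if ipaddr.endswith("/0"):
            findings.append((name, "ipaddr accepts every source address"))
        if attrs.get("require_message_authenticator", "no") != "yes":
            findings.append((name, "require_message_authenticator is not 'yes'"))
    return findings


if __name__ == "__main__":
    for client, finding in audit_clients(parse_clients(SAMPLE_CLIENTS_CONF)):
        print(f"{client}: {finding}")
```

Run against the real file with `parse_clients(open("/etc/freeradius/3.0/clients.conf").read())`; the stock localhost entry will be reported, which is fine on a PoC box as long as nothing outside the host can reach UDP 1812 with that secret.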
In the next post I’ll talk about setting up PPPoE.
Why install both LDAP and Radius? Is there more security?
No, the data the Radius server provides comes from the LDAP (it’s the best place to keep the user information).