You are here

Home » Blogs » Chris Malton's blog

LDAP + RADIUS + 802.1x - Part 1

published by Chris Malton on Thu, 25/08/2011 - 08:55

Over these next few posts, I'll be sharing the secret of setting up LDAP, RADIUS and 802.1x, then putting the whole thing together, and finally authenticating users against an Active Directory domain.

This post covers setting up LDAP.

I'm using Debian 6 for my testing, so please bear that in mind if you aren't.
Also, every command will be shown with either a # or $ at the start. This is a reasonably standard convention indicating the type of prompt you should be at. # is a root prompt. $ is a user prompt.

Newer versions of slapd are a little bit odd, in that there is no ore slapd.conf. Instead, the contents of a slapd.d folder are forced into the cn=config schema when the server is launched. This poses an interesting problem. To edit the configuration, you need to be able to access the LDAP server, but the configuration must exist before you can run the server.

Just bear the above in mind when configuring things!

So, without further ado, let's go ahead and install OpenLDAP's server (slapd).
# apt-get install slapd ldap-utils

You'll get a few prompts from debconf when you do this. remember that whatever gets entered as your DNS name will become the base DN in "dc=X,dc=Y" format.

If you're going to be using Samba as a DC for an Active Directory domain, you need to make sure that the DNS name and Organisation Name match your existing domain structure.

If not, then you can choose whatever you like. If you want your base DN to be O=X, instead of DC=X, then follow the optional steps below.

Enter an LDAP Administrator password of your choosing twice, and that should be all, unless you've changed debconf to low priority, where you'll get a lot more messages. Usually the defaults are sensible.

At this stage, slapd will start.

As far as this post goes, I'll leave it up to you to add users and groups accordingly, and set up PAM to use LDAP (although I might write a blog article on that as well).

For those who want an o= base DN:

  1. Stop the LDAP server: # service slapd stop
  2. Run the following command: # sed s_dc=X_o=X_ -i /etc/ldap/slap.d/cn=config/olcDatabase={1}hdb.ldif
    Remember to replace the Xs with the right values!
  3. Run # slapcat | sed s_dc=X_o=X_ | slapadd to rebase everything in your current directory.
  4. Start the LDAP server: # service slapd start

Theme by Danetsoft and Danang Probo Sayekti inspired by Maksimer