LDAP
FreeRADIUS can integrate with an LDAP server to handle authentication, authorization, and accounting tasks. The tutorials that follow are intended for readers who already understand LDAP concepts and terminology. If you are new to LDAP or unsure about how LDAP directories work, review the basic concepts before proceeding. The FreeRADIUS documentation doesn’t cover any foundational LDAP topics.
To use LDAP, an existing LDAP server must be provisioned and then tested with the ldapsearch tool.
In a Microsoft Active Directory environment you should use
Sections in this guide
These sections must be completed in order for the examples later in the tutorial to work correctly. For additional features and configuration items, see the mods-available/ldap page, which details everything the rlm_ldap module supports.
Install and Configure OpenLDAP
In order to use LDAP, there must be an existing LDAP server provisioned with users, groups, and possibly clients. We highly recommend using OpenLDAP for both its flexibility and performance.
If there is not an existing local LDAP server, then it is possible to provision one using a docker image, or alternatively, if you’re using a Debian or RHEL based distribution, using the OpenLDAP LTB RPM or DEB packages.
For testing purposes it is recommended to install the LDAP instance on the same machine (or on the inter-container network in the case of docker) as the RADIUS server, to avoid any potential networking issues. This recommendation applies equally to high-load production environments, or where a high level of redundancy is required.
Test with Ldapsearch
Once the LDAP server is provisioned and available, test the server using the command-line ldapsearch tool. If the ldapsearch tests fail, any LDAP server configuration issues must be fixed before proceeding with the FreeRADIUS integration. This step ensures that authentication and data retrieval function correctly when FreeRADIUS queries the LDAP server.
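The validation step above, as an added example that is not code from the FreeRADIUS documentation or the OpenLDAP project: a POSIX sh script that runs the three ldapsearch checks rlm_ldap will later depend on (an authenticated bind with the service account, a user lookup that must match exactly one entry, and a group-membership lookup). The server URI, bind DN, password file, base DN, test user and group name are assumptions for illustration; adjust them to your directory.

```shell
#!/bin/sh
# Added example: validate an LDAP server with ldapsearch before pointing rlm_ldap at it.
# All values below are assumptions for illustration, not defaults from FreeRADIUS or OpenLDAP.
LDAP_URI="${LDAP_URI:-ldap://localhost}"                 # assumed: server from the install step
BIND_DN="${BIND_DN:-cn=freeradius,dc=example,dc=com}"    # assumed: service account rlm_ldap will use
BIND_PW_FILE="${BIND_PW_FILE:-/etc/freeradius/ldap.pw}"  # assumed: file holding that account's password
BASE_DN="${BASE_DN:-dc=example,dc=com}"                  # assumed: search base
TEST_USER="${TEST_USER:-bob}"                            # assumed: a provisioned test user
TEST_GROUP="${TEST_GROUP:-radius-users}"                 # assumed: a group that lists that user as member

# Escape a value for use inside an LDAP search filter (RFC 4515): '\' '*' '(' ')'
# become \5c \2a \28 \29. Backslash is handled first so the other escapes are not doubled.
# Anything that comes from a user must pass through this, otherwise a name such as '*'
# turns the lookup into a wildcard match.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# User filter: a uid match on the escaped name.
user_filter() {
    printf '(uid=%s)' "$(ldap_filter_escape "$1")"
}

# Group filter: a group object of the given name that lists the user's DN in its member attribute.
group_filter() {
    printf '(&(cn=%s)(member=%s))' "$(ldap_filter_escape "$1")" "$(ldap_filter_escape "$2")"
}

# Common ldapsearch options: simple bind (-x) as the service account, password read from a
# file (-y) rather than the command line, StartTLS enforced (-ZZ) so the password never
# crosses the wire in clear, terse LDIF output (-LLL).
ldap_query() {
    ldapsearch -x -ZZ -LLL -H "$LDAP_URI" -D "$BIND_DN" -y "$BIND_PW_FILE" -b "$BASE_DN" "$@"
}

# Run the checks in the order rlm_ldap needs them; return non-zero on the first failure.
run_ldap_checks() {
    # 1. The service account can bind and read the base entry.
    ldap_query -s base '(objectClass=*)' dn >/dev/null || {
        echo "bind as $BIND_DN to $LDAP_URI failed" >&2; return 1; }

    # 2. The user filter finds the test user, and finds exactly one entry:
    #    rlm_ldap treats an ambiguous result as an error, not as a match.
    user_dns=$(ldap_query "$(user_filter "$TEST_USER")" dn | sed -n 's/^dn: //p')
    [ -n "$user_dns" ] || { echo "user $TEST_USER not found under $BASE_DN" >&2; return 2; }
    [ "$(printf '%s\n' "$user_dns" | wc -l)" -eq 1 ] || {
        echo "user filter for $TEST_USER matched more than one entry" >&2; return 3; }

    # 3. The group object lists that DN as a member.
    ldap_query "$(group_filter "$TEST_GROUP" "$user_dns")" dn | grep -q '^dn:' || {
        echo "$user_dns is not a member of $TEST_GROUP" >&2; return 4; }

    echo "LDAP checks passed for $user_dns"
}

# Only run against a live server when explicitly asked, so the file can also be sourced.
if [ "${LDAP_RUN_CHECKS:-0}" = 1 ]; then
    run_ldap_checks
    exit $?
fi
```

Run it with `LDAP_RUN_CHECKS=1 sh ldap-check.sh` (after exporting any of the variables you need to override). Two gotchas: ldapsearch's `-y` uses the complete contents of the file as the password, so write it with `printf '%s'` and no trailing newline; and drop `-ZZ` only for a throwaway local container that has no TLS configured, never for a server that will carry real credentials. DNs containing non-ASCII characters are emitted base64-encoded as `dn::` in LDIF, which the `sed` above deliberately does not match, so such entries will show up as "not found" and need a closer look.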
Base Configuration
Once the ldapsearch validation tests pass, the next step is to Configure the LDAP Module. The basic settings required by every function of the LDAP module are detailed there.
OpenLDAP configuration examples showing how to install the appropriate schemas and populate the server with test data are provided in each section.
Configure Authorization
Covers authorization by group, enabling/disabling accounts using attributes, LDAP attribute to FreeRADIUS attribute mappings, and LDAP profiles.
Configure Authentication
Examples of configuring different methods of LDAP based authentication (search, bind, edir).
Configure Accounting
Examples of updating objects in LDAP after authentication completes, or when accounting data is received.