Installation - LDAP

Specific LDAP server type instructions (i.e. OpenLDAP, Novell eDirectory, Microsoft Active Directory, etc.) will follow once someone provides them; however, the base requirements and required schema files can be found below.

Requirements

The LDAP server must contain user object information (authentication could be handled by another mechanism, but that means adjusting your FreeRADIUS configuration), and the attributes of those objects relating to the 'username', 'email address' and 'name' need to be available. LanWarden will put all its objects under 'ou=LanWarden,<base>' and should not need to touch anything else, other than making queries relating to user details.

Two accounts to be used by the system are needed, plus of course an administrative account for your own amusement (and initial priming of the database).

What Needs to be Done?

You install the following two LDAP schemas:

You also need two LanWarden-related accounts in addition to an administrative "anything goes" superuser account:

  1. the RADIUS server needs an account with read-only access to:
    • ou=Hosts,ou=LanWarden,...
    • ou=Networks,ou=LanWarden,...
    • perform searches for users based on 'cn=<username>' or 'uid=<username>' so the 'dn' can be fetched
    • optionally: if you want to avoid binding to check passwords and/or support non-plaintext passwords, then read access to the password attribute of the user object (for example in eDirectory under its 'Universal Passwords' the attribute is called 'nspmPassword') will also be required
  2. the scripts used need an admin-esque account that has read-write access to:
    • ou=Hosts,ou=LanWarden,...
    • ou=Networks,ou=LanWarden,...
    • ou=DHCP,ou=LanWarden,...
    • perform searches for users and extract the 'mail', 'givenName' and 'sn' attributes

The "anything goes" account is used by the 'priming' script to install a functional 'ou=LanWarden' setup and also for yourself to manually tweak objects and their attributes.

Attributes Needed

As everyone's LDAP directory is different, LanWarden provides a way to tell it how to find the data it is after (recommendations on what you should be indexing are made too; everyone already indexes on 'objectClass', right?):

name::

a friendly name to refer to them in person

mail::

the contact email address for the user

base::

the LDAP base that searches should be done from

user::

  • base: the base where the user objects live
  • filter: the filter you use to select user objects, typically just a pointer to a particular objectClass
  • attr [index]: the attribute that contains the user@realm for the user

group::

  • base: the base where the group objects live
  • filter: the filter you use to select group objects, typically just a pointer to a particular objectClass ('groupOfNames' for example)
  • attr [index]: the attribute that contains a list of who is a member (typically 'member')

All the above goes into the 'config' file.

config file chunk

<db>
  [snipped]
  <ldap>
    name        = fullName
    mail        = mail

    base        = dc=example,dc=com

    <user>
      base      = ou=Accounts,dc=example,dc=com
      filter    = objectClass=eduPerson
      attr      = eduPersonPrincipalName
    </user>
    <group>
      base      = ou=Groups,dc=example,dc=com
      filter    = objectClass=groupOfNames
      attr      = member
    </group>

    <servers>
      # an example LDAP server entry, you can have multiple ones
      <server>
        # ldap, ldaps and ldapi are all valid here
        uri     = ldap://ldap-directory.soas.ac.uk

        # if you use 'tls' you must have 'cafile' and/or 'capath' defined too
        # N.B. do not mix tls and 'ldaps://' though
        tls     = yes
        cafile  = /etc/ssl/certs/ca-certificates.crt
        # expects that all your certificates have been:
        # ln -s ca.pem `openssl x509 -hash -noout < ca.pem`.0
        capath  = /etc/ssl/certs/local

        user    = cn=USER,ou=People,dc=example,dc=com
        pass    = PASSWORD
      </server>
    </servers>

  </ldap>
  [snipped]
</db>
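As an added example (not LanWarden's own code), here is a small Python reader for the <ldap> block above that builds the user and group searches the two accounts described earlier will run; the sample config and the RFC 4515 escaping of the looked-up value are my additions, so a login name containing filter metacharacters such as '*' or ')' cannot widen the 'cn=<username>' style search beyond the configured object filter:

```python
import re
# Constructed sample modelled on the <ldap> block above (hypothetical values).
SAMPLE_CONFIG = """
<ldap>
  <user>
    base   = ou=Accounts,dc=example,dc=com
    filter = objectClass=eduPerson
    attr   = eduPersonPrincipalName
  </user>
  <group>
    base   = ou=Groups,dc=example,dc=com
    filter = objectClass=groupOfNames
    attr   = member
  </group>
</ldap>
"""

def parse_config(text):
    """Parse the Apache-style <section>/key = value layout into nested dicts."""
    stack = [{}]                          # stack[-1] is the open section
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue                      # blank line or comment
        if line.startswith('</'):
            stack.pop()                   # close current section
        elif line.startswith('<'):        # open a nested section
            stack.append(stack[-1].setdefault(line[1:-1].strip(), {}))
        else:                             # split on the first '=' only,
            key, _, value = line.partition('=')   # so 'objectClass=x' survives
            stack[-1][key.strip()] = value.strip()
    return stack[0]

def escape_filter_value(value):
    """RFC 4515 escaping: a login name must not be able to reshape the filter."""
    return re.sub(r'[\\*()\x00]', lambda m: '\\%02x' % ord(m.group()), value)

def _and(section_filter, attr, value):
    # AND the configured object filter with an escaped attribute match.
    f = section_filter if section_filter.startswith('(') else '(%s)' % section_filter
    return '(&%s(%s=%s))' % (f, attr, escape_filter_value(value))

def user_search(cfg, username):          # (base, filter): login name -> user object
    u = cfg['ldap']['user']
    return u['base'], _and(u['filter'], u['attr'], username)

def group_search(cfg, user_dn):          # (base, filter): groups listing user_dn as member
    g = cfg['ldap']['group']
    return g['base'], _and(g['filter'], g['attr'], user_dn)
```

The returned (base, filter) pairs are what the read-only RADIUS account and the read-write scripts account would pass to their LDAP searches; the 'dn' of the matched user object then feeds the group lookup.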