Installing OpenRADIUS on Mac OSX Server 10.2
Version 0.2 Jan 9, 2003
Matt Richard
Franklin & Marshall College
0. Introduction
Mac OSX Server 10.2 (aka Jaguar) has built-in LDAP server functionality.
It's not a real LDAP server, but instead it's an LDAP interface to the Mac
OS Server's authentication system. Jaguar uses NetInfo, which is a
left-over from the NeXT days. NetInfo was (and still is) a parallel to
LDAP: a hierarchical directory that serves the same purpose, but with its
own protocol and data model, so the implementation isn't quite compatible
with LDAP.
So Apple has written a set of APIs called OpenDirectory, which is Apple's
new way of handling directories and authentication between applications.
Apple's LDAP installation is a front-end only: it uses the OpenDirectory
API to access the NetInfo directory. Ya got all that?
The general idea is that you can use the same userid and password for your
dialin server, proxy server, vpn, email system, fileserver, cappuccino
machine, or whatever. And you only change your password in one place!
Perhaps someday, somebody (and probably not me!) will write a module for
OpenRADIUS that uses the OpenDirectory APIs directly. That would be nice.
But I haven't the time or the experience to do that right now.
A RADIUS client is usually a server of some sort: it is the device that
asks the RADIUS server to authenticate a user, not the end user's machine.
On my network, the dialin server and the VPN server are RADIUS clients.
This does confuse some folks, so I thought it would be best if I clarify
that.
For this installation, I am assuming that you have some experience with
Mac OSX (and OSX Server), UNIX systems, and RADIUS. Also, you should be
logged into the computer with an administrator account, but not as root.
This is the safest way to go...
I am also assuming that you are installing OpenRADIUS on the same Mac OSX
server that is running Apple's OpenLDAP and NetInfo services. You could
run OpenRADIUS and NetInfo on separate servers, but you will need to
configure things accordingly (the LDAP server address in step 8, for one).
1. Install Mac OSX 10.2 Server, using the following settings for
Open Directory:
1.1 I don't know if you need to use a permanent IP address, but I am
using one.
1.2 Provide directory support to other computers.
1.3 Enable LDAP support
1.4 Password and authentication will be provided to other systems.
1.5 You won't need SMB, APOP or CRAM-MD5 authentication for OpenRADIUS.
1.6 I also installed 10.2.2 updates.
2. Install Developer tools. I also installed the Aug 2002 Developer Tools
Update.
Alternatively, you could probably build the OpenRADIUS tools on another
system, then copy them over to your server. Mac OS (desktop) 10.2.2 with
Developer Tools should have all the necessary tools to do the job.
3. Download OpenRADIUS 0.9.5.
As of this writing, OpenRADIUS 0.9.5 hasn't yet been released. 0.9.5
includes some updates for building the applications on Mac OSX, so I would
highly recommend it. For this install I am using
openradius-pre0.9.5-1115.tgz. Get your download from
http://www.xs4all.nl/~evbergen/openradius/
[0.9.5 has been released now, as well as 0.9.6 -- EvB, 2003/04/27]
4. Build OpenRADIUS. The OSX makefile has LDAP support enabled by default.
4.1 Unpack your OpenRADIUS download. If you used Internet Explorer, it
may already be unpacked.
4.2 Open Terminal, and change directory to the OpenRADIUS code folder.
In Mac OSX, the easiest way is to type "cd " (with a space after it)
and then drag the folder into the terminal window. This will append
the directory name to the cd command. Now hit enter.
4.3 Edit (I use vi; you could use BBEdit or whatever).
4.4 Type "sudo make -f Makefile.osx install" and enter your
administrator password when requested. ** See Note A **
5. Setup Apple's OpenLDAP to use the RADIUS schema.
5.1 Open Terminal, if it's not open already. Log in as superuser by typing
"su" at the terminal prompt. This password is probably the same as
your administrator password, unless you have changed it.
5.2 Copy the openradius.schema file into the system's LDAP schema folder.
From the OpenRADIUS folder, type "cp modules/radldap/openradius.schema
/etc/openldap/schema/"
5.3 Edit /etc/openldap/slapd.conf (for example, vi
/etc/openldap/slapd.conf) and add "include
/etc/openldap/schema/openradius.schema" (note the leading slash) near
the other include statements.
5.4 Edit /etc/openldap/schema/netinfo.schema and add "openradiusUser"
(that capitalization is important!) to the end of the line containing
"objectclassmap /users". It's probably the first line that doesn't
start with a "#" character.
If you use vi, do "sudo vi /etc/openldap/schema/netinfo.schema" and
when you are done, you have to force-save it, since it's read-only.
Type ":w!" and ":q" to override the permissions.
5.5 Reboot the server so slapd picks up the new schema.
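The three file edits in step 5 (copy the schema, add the include line, extend the objectclassmap line) can be scripted so they are idempotent and checkable. What follows is an added example; it is not part of the original document or of OpenRADIUS. It assumes the "objectclassmap /users" line in netinfo.schema is a single whitespace-separated line, and it takes the file paths as arguments so you can try it on copies before touching /etc/openldap. On the real files it has to run as root, like the rest of step 5.

```sh
#!/bin/sh
# Added example (not from the original document or OpenRADIUS): the edits
# from step 5 as idempotent shell functions. Paths are parameters so the
# functions can be tried on copies first. Assumption: the objectclassmap
# line in netinfo.schema is one whitespace-separated line.

# Copy the OpenRADIUS schema into the slapd schema directory.
install_openradius_schema() {
    src="$1"; dir="${2:-/etc/openldap/schema}"
    [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
    cp "$src" "$dir/openradius.schema"
}

# Add the include line after the last existing include in slapd.conf,
# unless it is already present. Includes belong with the other includes
# above the database section, so appending at the end is not good enough.
add_schema_include() {
    conf="$1"
    line='include /etc/openldap/schema/openradius.schema'
    grep -qFx -- "$line" "$conf" && return 0
    awk -v new="$line" '
        /^include[ \t]/ { last = NR }
        { buf[NR] = $0 }
        END {
            for (i = 1; i <= NR; i++) {
                print buf[i]
                if (i == last) print new
            }
            if (!last) print new   # no include lines at all: append
        }' "$conf" > "$conf.tmp" && cat "$conf.tmp" > "$conf" && rm -f "$conf.tmp"
}

# Append openradiusUser to the "objectclassmap /users" line, exactly once.
# Writing through "cat >" keeps the file's owner and mode; as root this
# also works on the read-only netinfo.schema (the ":w!" of step 5).
map_openradius_user() {
    schema="$1"
    grep -q '^objectclassmap[[:space:]][[:space:]]*/users' "$schema" ||
        { echo "no 'objectclassmap /users' line in $schema" >&2; return 1; }
    grep '^objectclassmap[[:space:]][[:space:]]*/users' "$schema" |
        grep -q 'openradiusUser' && return 0
    awk '/^objectclassmap[ \t]+\/users([ \t]|$)/ && !done {
             $0 = $0 " openradiusUser"; done = 1
         }
         { print }' "$schema" > "$schema.tmp" &&
        cat "$schema.tmp" > "$schema" && rm -f "$schema.tmp"
}

# Exit 0 if both edits are in place, 1 otherwise.
verify_schema_edits() {
    grep -qFx -- 'include /etc/openldap/schema/openradius.schema' "$1" &&
    grep '^objectclassmap[[:space:]][[:space:]]*/users' "$2" | grep -q 'openradiusUser'
}

# Usage on the real files, as root, from the OpenRADIUS source folder:
#   install_openradius_schema modules/radldap/openradius.schema
#   add_schema_include /etc/openldap/slapd.conf
#   map_openradius_user /etc/openldap/schema/netinfo.schema
#   verify_schema_edits /etc/openldap/slapd.conf /etc/openldap/schema/netinfo.schema
```

Running the functions a second time changes nothing, and verify_schema_edits gives you a yes/no answer to use before the reboot.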
6. Register your RADIUS clients in the NetInfo database
6.1 Open NetInfo Manager.
6.2 Open the root domain. Click on the "open parent" button. The root
domain will open in another window. Its title should be something
like "network @ servername - /". You want to make all your changes in
this new window.
6.3 Click on the lock to make changes. Here you need the root userid and
password. The window may say "administrator" but it really wants root;
any other system administrator won't do.
6.4 Make a new directory at the root of the root domain (click on the "+"
folder). Change the value of the "name" property to "openRadius"
(double-click on "new_directory" to change it). Click on another
directory to get the "save" prompt, and click Yes again.
6.5 Inside openRadius, make another directory with the following
properties. Use the New Property menu item from the Directory menu
to create new properties. Repeat this for each RADIUS client.
name (ip address of RADIUS client, such as 10.20.30.40)
objectClass openradiusClient
openradiusSecret (your RADIUS secret)
Note that this stores the RADIUS shared secret in cleartext in the
directory, so be careful about who can read the root domain.
6.6 Leave NetInfo Manager open. You will need it again in step 7.
7. Setup some userids
7.1 Open Workgroup Manager. Sign in with your administrator userid and
password.
7.2 Open the root domain. At the bottom of the window, set the "At:" to
be /netinfo/root. This is your root netinfo domain, not the local
netinfo domain.
7.3 Create an end-user account. Click "New Record". Give it a name, a
short name and a password (my example uses raduser and radpass).
Nothing else here matters. This is the user account that you want
to authenticate. This user will be allowed to use the services of
the server / RADIUS client you setup in step 6.
7.4 Create a management account. Click "New Record". Give it a name, a
short name, and password (my example uses ldapadmin and ldappass).
This user account will be used to get a RADIUS client
configuration from the NetInfo database. This will make more
sense when you configure OpenRADIUS.
7.5 Close Workgroup Manager, go back to NetInfo Manager, and open up
/users and open the new user from step 7.3 (not the management
account).
7.6 Create a new directory inside this userid. I called it openRadius,
but you can call it anything you want. ** See Note B **
7.7 Create a RADIUS attribute as a property in this folder. Use the
Directory / New Property menu item to create new properties. If
you just need to authenticate, then you probably just need a
property "radiusServiceType" with a value "authenticate-only". **
See Note C **
7.8 Close NetInfo Manager. We're done with it for now.
8. Setup OpenRADIUS to use OSX Server's LDAP interface
8.1 Open up a terminal window, and do the following:
Log in as the user you used to install OpenRADIUS in step 4. If
it's root, just type "su", hit enter, and enter the superuser
password. If it's joe, then type "su joe" and enter joe's password
if prompted.
cd /usr/local/etc/openradius
cp behaviour.sample-ldap-authbind behaviour
cp configuration.sample-ldap-authbind configuration
These samples authenticate a user by binding to LDAP with the user's
own password, so the RADIUS client has to send the password as PAP
(User-Password); CHAP or MS-CHAP requests cannot be verified this way.
8.2 Edit the behaviour file (use vi, pico, or whatever) as follows:
change the line containing " Ldap(str = " to match your network.
For example, at fandm.edu, ours looks like this:
Ldap(str = "cn=openRadius,dc=fandm,dc=edu",
change the line containing " REQ:User-Name := " to match your network.
For example, at fandm.edu, ours looks like this:
REQ:User-Name := "uid=" . User-Name . ",cn=users,dc=fandm,dc=edu",
8.3 Edit the configuration file to match your network. Look for the
sections containing " interface(name="Ldap", ". Set the "uid=" to
the management account you set up in step 7 (ldapadmin in my
example), and set the -s option to that account's password. Set the
-dd option to the ip address of your Mac OSX server. ** See Note D **
My example looks like this:
interface (name="Ldap", sendattr="str",
prog="radldap -b uid=ldapadmin,cn=users,dc=fandm,dc=edu" .
" -s ldappass -dd 10.10.1.5",
prog="radldap -b uid=ldapadmin,cn=users,dc=fandm,dc=edu" .
" -s ldappass -dd 10.10.1.5",
timeout=20),
and for the next section:
interface (name="Ldapusers",
sendattr="User-Name",
sendattr="User-Password",
sendattr="str",
prog="radldap -d -dd 10.10.1.5",
prog="radldap -d -dd 10.10.1.5",
timeout=20),
The management account's password sits in cleartext in this file and
also in the radldap command line, where "ps" can show it to other local
users, so make the configuration file readable only by the user that
OpenRADIUS runs as, and give the management account no other
privileges.
9. Start the OpenRADIUS daemon
9.1 At a terminal prompt, type this line and hit enter:
/usr/local/sbin/radiusd -dall -b
9.2 Go try an authentication attempt with your end-user account, and
watch the logging output. Depending on what device you are
using, the RADIUS client may be requesting RADIUS attributes that
you have not yet configured. Check through your (router / vpn
server / dialin server) documentation to see what other attributes
might be needed.
Check if the attributes you want to add are already listed in the
LDAP-to-RADIUS translation map in file
/usr/local/etc/openradius/modules/radldap.attrmap. If so, use
NetInfo Manager to add the attribute with the desired value to the
user object and you're done. You don't need to restart OpenRADIUS;
all changes are picked up automatically.
If the attribute is not already listed, say you want to use
Callback-Number, then invent a corresponding LDAP attribute for
it, such as radiusCallbackNumber.
The type of this attribute is "string", and in that case there is
no conversion needed between NetInfo/LDAP and RADIUS; OpenRADIUS'
LDAP module can put the full contents of radiusCallbackNumber as
given by LDAP directly in a real RADIUS Callback-Number attribute.
The RADIUS counterparts of the LDAP attributes are specified in
radldap.attrmap in numeric form, using three values: space,
vendor, number. Look up these values in the dictionary and its
subdictionaries.
For Callback-Number, these values are 2 (RAD-ATR), 0 (None), 19
(Callback-Number). So, the line you need to add to radldap.attrmap
is:
radiusCallbackNumber 2 0 19
After doing that with your favourite text editor, save it and kill
the running radldap processes (the "radldap ... -dd 10.10.1.5"
processes in my example). You don't need to restart OpenRADIUS
itself; it will restart the LDAP modules automatically, and they
will pick up the changes in radldap.attrmap.
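To keep radldap.attrmap consistent as you add lines like the Callback-Number mapping above, here is an added example (not from the original document or from OpenRADIUS) of shell functions that look up, validate and append map lines and check a whole file. It assumes only the "ldapAttribute space vendor number" line format described in step 9.2 and that comment lines start with "#"; it does not read the dictionary files, so you still look the three numbers up there.

```sh
#!/bin/sh
# Added example (not from the original document or OpenRADIUS): helpers for
# radldap.attrmap, whose lines are "ldapAttribute space vendor number" as
# described in step 9.2. Assumptions: comment lines start with "#"; the
# three numbers come from the dictionary files, which these functions do
# not read.

# True if name looks like an LDAP attribute name and the three numbers are
# non-negative integers.
attrmap_validate() {
    case "$1" in
        ''|[!A-Za-z]*|*[!A-Za-z0-9-]*) return 1 ;;
    esac
    for v in "$2" "$3" "$4"; do
        case "$v" in ''|*[!0-9]*) return 1 ;; esac
    done
    return 0
}

# Print the "space vendor number" triple for one LDAP attribute, or
# return 1 if it is not mapped.
attrmap_lookup() {
    awk -v n="$2" '$1 == n { print $2, $3, $4; found = 1 }
                   END { exit found ? 0 : 1 }' "$1"
}

# Append a mapping unless the name is already mapped. Re-adding the same
# triple is a no-op; a different triple for the same name is a conflict.
attrmap_add() {
    map="$1"; name="$2"; triple="$3 $4 $5"
    attrmap_validate "$name" "$3" "$4" "$5" ||
        { echo "attrmap_add: bad mapping '$name $triple'" >&2; return 2; }
    if existing=$(attrmap_lookup "$map" "$name"); then
        [ "$existing" = "$triple" ] && return 0
        echo "attrmap_add: $name already mapped to $existing" >&2
        return 1
    fi
    printf '%s %s\n' "$name" "$triple" >> "$map"
}

# Report every malformed line in a map file; exit 1 if any were found.
attrmap_check() {
    map="$1"; bad=0
    set -f   # no globbing while splitting lines into fields
    while IFS= read -r l || [ -n "$l" ]; do
        case "$l" in ''|'#'*) continue ;; esac
        set -- $l
        if [ $# -ne 4 ] || ! attrmap_validate "$1" "$2" "$3" "$4"; then
            echo "attrmap_check: malformed line: $l" >&2; bad=1
        fi
    done < "$map"
    set +f
    return $bad
}

# Usage, after which the running radldap processes are killed as step 9.2
# says:
#   attrmap_add /usr/local/etc/openradius/modules/radldap.attrmap radiusCallbackNumber 2 0 19
#   attrmap_check /usr/local/etc/openradius/modules/radldap.attrmap
```

attrmap_add refuses to silently change an existing mapping, which is the mistake that is hardest to notice later: the daemon keeps running but hands the wrong attribute number to the RADIUS client.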
10. Configure openRADIUS to start when the system starts
Notes:
A. You need to have root privileges to install OpenRADIUS on Mac OSX.
You could [should, -- EvB] run OpenRADIUS as a different user, but you
still need root privileges to do the initial installation. Once
OpenRADIUS is installed, you could set the file permissions and
ownerships to allow a different user.
B. When authenticating a user, OpenRADIUS does a subtree search with a DN of
the userid in question. The search specifies a list of attributes that
should be returned if they are found - the RADIUS attributes. The
response should include any RADIUS attributes that exist in that user's
directory.
There is a bug with Apple's implementation of {OpenLDAP / OpenDirectory /
NetInfo}. If you do an LDAP search with a sub-tree scope, and specify a
starting DN, Apple's implementation will not return that DN as a search
result, but it will return objects in a subdirectory of that DN. This is
why step 7 puts the RADIUS attributes in a sub-directory of the user
record rather than as properties of the user record itself. For
example, the command:
ldapsearch -P2 -x -h localhost -b "uid=matt,cn=users,dc=fandm,dc=edu" \
"(objectclass=*)"
should return a list of the RADIUS attributes for the user "matt". But it
gives no results! (unless some user has a sub-directory). I have filed
this bug with Apple, in the Apple Bug Reporter, bug # 3084511.
C. This is where you configure all the RADIUS attributes for each person.
The required attributes and their values are beyond the scope of this
document, however.
D. I had problems using the localhost / loopback address. I think this
might be related to an ipv6 problem with Apple's implementation of
OpenLDAP, but I just don't know. That's just a guess. If you use
localhost, like the OpenRADIUS documentation states, it probably won't
work. If you use your server's numerical IP address [or 127.0.0.1,
the ipv4 loopback address, if ipv6 is the culprit -- EvB], it should
work just fine.