freeRADIUS 2.1.8 on SLES 10 with eDirectory Integration



  • download the bzip tarball from to /usr/src/packages/SOURCE/
  • unpack the freeradius.spec file from the tarball to /usr/src/packages/SPECS/
  • run “rpmbuild -ba /usr/src/packages/SPECS/freeradius.spec” and use yast to satisfy any dependencies.

Packages can be found in /usr/src/packages/RPMS/

rpm -ivh freeradius-server-libs-2.1.8-0.x86_64.rpm
rpm -ivh freeradius-server-2.1.8-0.x86_64.rpm

again, use yast to satisfy any dependencies.


Change the permissions in /etc/raddb/certs so that the radiusd group has enough access to the CA file and the server certificate/key for `radiusd -X` to start (the daemon drops privileges to the radiusd user/group, so the files must be group-readable, while nothing in there should be world-readable).
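As an added example (not from the original article), a small POSIX shell routine that applies the layout this step calls for: directory and files owned by the radiusd group, group-readable, nothing world-readable. The directory and group are parameters so it can be tried on a scratch directory first; /etc/raddb/certs and the radiusd group are the values the article uses. The function names are my own.

```shell
#!/bin/sh
# Added example: tighten a certs directory so the radiusd group can read the
# CA file and the server cert/key while nothing is world-readable.
# Usage: fix_cert_perms DIR GROUP     e.g. fix_cert_perms /etc/raddb/certs radiusd

fix_cert_perms() {
    dir=$1
    grp=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    # radiusd runs as the radiusd user/group after dropping privileges,
    # so the group (not "other") is what needs access.
    chgrp -R "$grp" "$dir" || return 1
    # directory: owner rwx, group rx (needed to open the files inside), other nothing
    chmod 750 "$dir" || return 1
    # files: owner rw, group r, other nothing (private keys must not be world-readable)
    find "$dir" -type f -exec chmod 640 {} + || return 1
}

# Report anything in DIR that is still readable by "other"; returns 1 if found.
# Useful as a quick audit before starting radiusd -X.
check_cert_perms() {
    dir=$1
    leaks=$(find "$dir" -perm -004)
    [ -z "$leaks" ] && return 0
    printf 'world-readable: %s\n' "$leaks" >&2
    return 1
}
```

Run `fix_cert_perms /etc/raddb/certs radiusd` as root, then `check_cert_perms /etc/raddb/certs` should print nothing and return 0.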

In short, all you really need to do is:

  • configure the ldap module
    !!! note: you need to bind with a user that is authorized for password retrieval in your Universal Password policy
    !!! export your tree's CA self-signed cert to /etc/raddb/certs/rootder.b64
  • uncomment "ldap" in the authorize section of /etc/raddb/sites-enabled/inner-tunnel
    !!! note that any ldap entry in the post-auth section was causing segfaults in 2.1.8 during authentication
  • change default_eap_type from md5 to peap in eap.conf
  • setup a client in clients.conf

ldap {
    server = "servername"
    identity = "cn=admin,o=org"
    password = thepassword
    basedn = "o=org"
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    port = 636
    tls_mode = yes
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
        start_tls = no
        # get this file by exporting the eDir CA self-signed cert
        cacertfile = /etc/raddb/certs/rootder.b64
    }
    dictionary_mapping = ${confdir}/ldap.attrmap
    password_attribute = nspmPassword
    edir_account_policy_check = yes
    # I allow everyone in my eDir to connect, so I don't use the iManager / dial-in access stuff.
    # This needs to be "yes" if you do.
    access_attr_used_for_allow = no

    set_auth_type = no
}
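The `filter` line in the module above uses the FreeRADIUS conditional expansion `%{%{Stripped-User-Name}:-%{User-Name}}`: the bare username is used when a realm has been stripped off, otherwise the full User-Name. As an added example (not part of the original article and not rlm_ldap's own code), the shell routine below models that expansion with the shell's own `${A:-$B}` and applies RFC 4515 escaping to the value before it is placed in the filter, which is what keeps a supplicant-supplied identity containing `*` or `)` from changing the shape of the search; the function names and the sample usernames are mine and constructed.

```shell
#!/bin/sh
# Added example: model the filter expansion used in the ldap module above.
#   filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
# FreeRADIUS %{%{A}:-%{B}} means "A if set and non-empty, else B", which is
# exactly the shell's ${A:-$B}.

# Escape a value for use inside an LDAP search filter (RFC 4515):
# backslash, *, ( and ) become \5c, \2a, \28 and \29.
# Backslash is handled first so the escape sequences themselves are not re-escaped.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# $1 = Stripped-User-Name (empty when no realm was stripped), $2 = User-Name
build_uid_filter() {
    stripped=$1
    username=$2
    user=${stripped:-$username}            # the %{%{A}:-%{B}} fallback
    printf '(uid=%s)\n' "$(ldap_filter_escape "$user")"
}

# Constructed sample requests:
build_uid_filter 'alice' 'alice@example.com'   # realm stripped -> (uid=alice)
build_uid_filter ''      'bob'                 # no realm       -> (uid=bob)
build_uid_filter ''      'a*)(cn=*'            # hostile name   -> (uid=a\2a\29\28cn=\2a), still a single uid= clause
```

The third case is the one worth looking at in `radiusd -X` output: with escaping, the search still matches at most the one uid the supplicant literally presented, rather than being widened into an OR of wildcard clauses.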

eap {
    default_eap_type = peap
    ...    # the rest of this file can stay at its defaults
}

uncomment "ldap" in the authorize section
!!! note: any ldap entry in the post-auth section causes segfaults in version 2.1.8
!!! once this bug is fixed you will want to uncomment ldap in the post-auth section too

client Wireless_AP {
    ipaddr = 192.0.2.10        # placeholder: replace with your access point's address
    secret = somesecretpasswd
    shortname = Wireless_AP
}

Now you should be able to start freeradius with `radiusd -X` and watch the debug messages.


Comment List
  • I found that a work around for the segmentation faults was to revert to an older version of the rlm_ldap libraries found in /usr/lib/freeradius/.

    I had previously installed freeradius version 2.1.3, so I just replaced the lib files from version 2.1.8 with those from version 2.1.3 (I found them in /usr/src/packages/BUILD/freeradius-server-2.1.3/src/modules/rlm_ldap/.libs/).

    Files I replaced:
    rlm_ldap-2.1.8 replaced with:
    rlm_ldap.a replaced with: rlm_ldap.a (from 2.1.3) -> replaced with: --> rlm_ldap-2.1.8

    If you have a more recent version of freeradius (like 2.1.7), I think that the libs from this version would work too...this was just what I had easy access to.

    Let me know if you need these files.

  • I cannot get this to work for me. I know I'm doing something wrong; can you explain how you replaced the modules? When I try I get "Failed to link module 'rlm_ldap' : cannot open shared object file: No such object file or directory"
