Module interface
   Packet handling


   Using VSAs
   Installing on OSX

Mailing list...


Other software...

Installing OpenRADIUS on Mac OSX Server 10.2

Installing OpenRADIUS on Mac OSX Server 10.2

Version 0.2  Jan 9, 2003
Matt Richard
Franklin & Marshall College

0.  Introduction

    Mac OSX Server 10.2 (aka Jaguar) has built-in LDAP server functionality.
    It's not a real LDAP server, but instead it's an LDAP interface to the Mac
    OS Server's authentication system.  Jaguar uses NetInfo, which is a
    left-over from the NeXT days.  NetInfo was (and still is) a parallel to
    LDAP, and was based on X.500 just like LDAP.  But the implementation isn't
    quite compatible with LDAP.

    So Apple has written a set of API's called OpenDirectory, which is Apple's
    new way of handling directories and authentication between applications.
    Apple's LDAP installation is a front-end only, and it uses OpenDirectory
    API to access the NetInfo directory.  Ya got all that?

    The general idea is that you can use the same userid and password for your
    dialin server, proxy server,  vpn, email system, fileserver, cappuccino
    machine, or whatever.  And you only change your password it in one place!

    Perhaps someday, somebody (and probably not me!) will write a module for
    OpenRADIUS that uses the OpenDirectory API's directly.  That would be nice.
    But I haven't the time or the experience to do that right now.

    A RADIUS client is usually a server of some sort.  On my network, the
    dialin server and the VPN server are RADIUS clients.  This does confuse
    some folks, so I thought it would be best if I clarify that.

    For this installation, I am assuming that you have some experience with
    Mac OSX (and OSX Server), UNIX systems, and RADIUS.  Also, you should be
    logged into the computer with an administrator account, but not as root.
    This is the safest way to go...

    I am also assuming that you are installin OpenRADIUS on the same Mac OSX
    server that is running Apple's OpenLDAP and NetInfo services.  You could
    run OpenRADIUS and NetInfo on separate servers, but you will need to
    configure things accordingly.

    You should also have some experience with Mac OSX (and OSX Server) and

1.  Install Mac OSX 10.2 Server, using the following settings for
    Open Directory:

    1.1  I don't know if you need to use a permanent IP address, but I am 
         using one.

    1.2  Provide directory support to other computers.

    1.3  Enable LDAP support

    1.4  Password andd authentication will be provided to other systems.

    1.5  You won't need SMB, APOP or CRAM-MD5 authentication for OpenRADIUS.

    1.6  I also installed 10.2.2 updates.

2.  Install Developer tools.  I also installed the Aug 2002 Developer Tools

    Alternatively, you could probably build the OpenRADIUS tools on another
    system, then copy them over to your server.  Mac OS (desktop) 10.2.2 with
    Developer Tools should have all the necessary tools to do the job.

3.  Download OpenRADIUS 0.9.5.

    As of this writing, OpenRADIUS 0.9.5 hasn't yet been released.  0.9.5
    includes some updates for building the applications on Max OSX, so I would
    highly reccomend it.  For this install I am using
    openradius-pre0.9.5-1115.tgz. Get your download from

    [0.9.5 has been released now, as well as 0.9.6 -- EvB, 2003/04/27]

4.  Build OpenRADIUS.  The OSX makefile has ldap support enabled by default.

    4.1  Unpack your OpenRADIUS download.  If you used Internet Explorer, it
         may already be unpacked.

    4.2  Open Terminal, and change directory to the OpenRadius code folder.  
	 In Mac OSX, the easiest way is to type "cd "  (with a space after it)
	 and then drag the folder into the terminal window.  This will append
	 the directory name to the cd command.  now hit enter.

    4.3  edit (I use vi, you could use bbedit or whatever)

    4.3  type  "sudo make -f Makefile.osx install" and enter your 
         administrator password when requested.  ** NOTE A **

5.  Setup Apple's OpenLDAP to use RADIUS schema.

    5.1 Open terminal, if it's not open already.  Login as superuser by typing
	"su" at the terminal prompt.  This password is probably the same as
	your administrator password, unless you have changed it.

    5.1  copy the openradius.schema file into the system's LDAP schea folder:
	 From the openRADIUS folder, type "cp modules/radldap/openradius.schema

    5.2  edit /etc/openldap/slapd.conf  (for example, vi
	 /etc/openldap/slapd.conf) and add "include
	 etc/openldap/schema/openradius.schema" near the other include

    5.3  edit /etc/openldap/schema/netinfo.schema and add "openradiusUser"
	 (that capitalization is important!) to the end of line containing
	 "objectclassmap /users".  It's proably the first line that doesn't
	 start with a "#" character.

	 If you use vi, do "sudo vi /etc/openldap/schema/netinfo.schema" and
	 when you  are done, you have to force-save it, since it's read-only.
	 Type ":w!" and ":q" to overide the permissions.

    5.4  Reboot the server.

6.  Register your RADIUS clients in the NetInfo database

    6.1  Open NetInfo Manager.

    6.2  Open the root domain.  Click on the "open parent" button.  The root
	 domain will open in another window.  It's title should be something
	 like "network @ servername - /".  You want to make all your changes in
	 this new window.

    6.3  Click on the lock to make changes.  Here you need the root userid and
	 password.  The window may say "administrator" but it really wants root
	 - any system administrator won't do.

    6.4  Make a new directory at the root of the root domain (click on the "+"
         folder).  Change the value of the "name" property to "openRadius"
         (double-click on "new_directory" to change it).  Click on another
         directory to get the "save" prompt, and click Yes again.

    6.5  Inside openradius, make another directory with the following
	 properties.  Use the  New Property menu item from the Directory menu
	 to create new properties.

         name                (ip address of RADIUS client, such as
         objectClass         openradiusClient
         openradiusSecret    (your RADIUS secret)

    6.6  Leave the Netinfo Manager open.  You will need it again in step 7

7.  Setup some userids

    7.1  Open Workgroup Manager.  Sign in with your administrator userid and

    7.2  Open the root domain.  At the bottom of the window, set the "At:" to
         be /netinfo/root.  This is your root netinfo domain, not the local
         netinfo domain.

    7.3  Create an end-user account.  Click "New Record".  Give it a name, a
	 short name and a password (my example uses raduser and radpass).
	 Nothing else here matters.  This is the user account that you want
	 to authenticate.  This user will be allowed to use the services of
	 the server / RADIUS client you setup in step 6.

    7.5  Create a management account.  Click "New Record".  Give it a name, a
	 short name, and password (my example uses ldapadmin and ldappass).
	 This user account will be used to get a RADIUS client
	 configuration from the NetInfo database.  This will make more
	 sense when you configure OpenRADIUS.

    7.6  Close Workgroup Manager, go back to NetInfo Manager, and open up
	 /users and open the new user from step 7.3 (not the management

    7.7  Create a new directory inside this userid.  I called it openRadius,
         but you can call it anything you want.   ** See Note B **

    7.8  Create a RADIUS attribute as a property in this folder.  Use the
	 Directory / New Property menu item to create new properties.  If
	 you just need to authenticate, then you probably just need a
	 property "radiusServiceType" with a value "authenticate-only". **
	 see Note C **

    7.9  Close netinfo manager.  We're done with it for now.

8.  Setup OpenRADIUS to use OSX Server's LDAP interface

    8.1  Open up a termial window, and do the following:

	 login as the user you used to install OpenRADIUS, in step 4.3.  If
	 it's root, just type "su", hit enter, and enter the superuser
	 password. If it's joe, then type "su joe" and enter joe's password
	 if prompted.

         cd /usr/local/etc/openradius
         cp behaviour.sample-ldap-authbind behaviour
         cp configuration.sample-ldap-authbind configuration

    8.2  Edit the behaviour file (use vi, pico. or whatever) as follows:

	 change the line containing " Ldap(str = "  to match your network.
	 For example, at, ours looks like this:

            Ldap(str = "cn=openRadius,dc=fandm,dc=edu",

         change the line containig " REQ:User-Name := " to match your network.
         For example, at, ours looks like this:

            REQ:User-Name := "uid=" . User-Name .  ",cn=users,dc=fandm,dc=edu,

    8.3  Edit the configuration file to match your network.  Look for the
         sections containing " interface(name="Ldap", ".  Set the "uid=" to 
	 the account name you setup in step 7.4, and set the -s option to
	 that password.  Set the -dd option to the ip address of your Mac
	 OSX server.  ** See Note D ** My example looks like this:

         interface (name="Ldap", sendattr="str",
		    prog="radldap -b uid=ldapadmin,cn=users,dc=fandm,dc=edu" .
				" -s ldappass -dd",
		    prog="radldap -b uid=ldapadmin,cn=users,dc=fandm,dc=edu" .
				" -s ldappass -dd",

         and for the next section:

         interface (name="Ldapusers",
		    prog="radldap -d -dd",
		    prog="radldap -d -dd",

9.  Start the OpenRADIUS daemon

    9.1  At a terminal prompt, type this line and hit enter:

            /usr/local/sbin/radiusd -dall -b

    9.2  Go try an authentication attempt with your end-user account, and
	 watch the logging output.   Depending on what device you are
	 using, the RADIUS client may be requesting RADIUS atributes that
	 you have not yet configured.  Check through your (router / vpn
	 server / dialin server) documentation to see what other attributes
	 might be needed.

	 Check if the attributes you want to add are already listed in the
	 LDAP-to-RADIUS translation map in file
	 /usr/local/etc/openradius/modules/radldap.attrmap If so, use the
	 NetInfo manager to add the attribute with the desired value to the
	 user object and you're done. You don't need to restart OpenRADIUS,
	 all changes are picked up automatically.

	 If the attribute is not already listed, say you want to use
	 Callback-Number, then invent a corresponding LDAP attribute for
	 it, such as radiusCallbackNumber.

	 The type of this attribute is "string", and in that case there is
	 no conversion needed between NetInfo/LDAP and RADIUS; OpenRADIUS'
	 LDAP module can put the full contents of radiusCallbackNumber as
	 given by LDAP directly in a real RADIUS Callback-Number attribute.

	 The RADIUS counterpart for the LDAP attributes are specified in
	 radldap.attrmap in numeric form, using three values: space,
	 vendor, number. Look up these values in the dictionary and its

	 For Callback-Number, these values are 2 (RAD-ATR), 0 (None), 19
	 (Callback-Number). So, the line you need to add to radldap.attrmap

            radiusCallbackNumber		2	0	19

	 After doing that with your favourite text editor, save it and kill
	 the 'radldap localhost' processes you have running. You don't need
	 to restart OpenRADIUS itself, it will restart the LDAP modules
	 automatically, and they will pick up the changes in

10.  Configure openRADIUS to start when the system starts


A.   You need to have root priveliges to install OpenRADIUS on Mac OSX.
     You could [should, -- EvB] run OpenRADIUS as a different user, but you
     still need root priveliges to do the initial installation.  Once
     OpenRADIUS is installed, you could set the file permissions and
     ownerships to allow a differnet user.

B.   When authenticating a user, OpenRADIUS does a subtree search with a DN of
     the userid in question.  The search specifies a list of attributes that
     should be returned if they are found - the RADIUS attruibutes.  The
     response should include any RADIUS attributes that exist in that user's

     There is a bug with Apple's implementation of {OpenLDAP / OpenDirectory /
     NetInfo}.  If you do an LDAP search with a sub-tree scope, and specify a
     staring DN, Apple's implementation will not return that DN as a search
     result, but it will return objects in a subdirectory of that DN. For
     example, the command:

     ldapsearch -P2 -x -h localhost -b "uid=matt,cn=users,dc=fandm,dc=edu" \

     should return a list of the RADIUS attributes for the user "matt".  But it
     gives no results! (unless some user has a sub-directory). I have filed
     this bug with Apple, in the Apple Bug Reporter, bug # 3084511.

C.   This is where you configure all the RADIUS attributes for each person.
     The required attributes and their values are beyond the scope of this
     document, however.

D.   I had problems using the localhost / loopback address.  I think this
     might be related to an ipv6 problem with Apple's implementation of
     OpenLDAP, but I just don't know.  That's just a guess.  If you use
     localhost, like the OpenRADIUS documentation states, it probably won't
     work.  If you use your server's numerical IP address [or,
     the ipv4 loopback address, if ipv6 is the culprit -- EvB], it should
     work just fine.


Generated on Sun Mar 25 00:43:52 2007 by /