Configuring RADIUS for Bugzilla on Mac OS X Server
Background
Bugzilla is a very popular open-source issue tracking system. However, setting up all the user accounts can be a tedious chore, particularly for large user bases. In addition, there are additional user-management headaches associated with maintaining another list of user names, password issues, and access changes due to staff turnover.
Fortunately, Bugzilla is capable of integrating with the RADIUS service available on the Mac OS X Server. RADIUS is a remote authentication and authorization service which can handle the user authentication requests for Bugzilla and permit users to simply sign on with their standard account name and passwords. This relieves the administrator from having to create and maintain another set of accounts and allows the users to simply use their standard account name and password.
It should be noted that the implementation of the RADIUS service on the Mac OS X Server is the open-source FreeRADIUS. More configuration information and usage can be found on the projects web site.
Prior installation of Bugzilla is assumed for these directions.
Enabling the RADIUS Service
If the RADIUS service has not been enabled on the server, then it is necessary to activate it. Do not start the service during this step.
- Open the Server Admin application and connect to the server hosting the RADIUS service.
- Select the server in the “Servers” pane and then click on the “Settings” icon.
- Click on the “Services” tab and enable the “RADIUS” service by clicking on the appropriate checkbox.
- Save the new configuration by clicking on the “Save” button.
- Select the “RADIUS” service now available in the “Servers” pane.
- Select the “Settings” icon and select a security certificate to use for the service. A self-signed certificate can easily be created using the “Manage Certificates” option in the drop-down menu. Regardless, the certificate used for this service should not have a Private Key Passphrase set.
- Save the new configuration by clicking on the “Save” button.
Configuring the RADIUS service
The stock RADIUS service on Mac OS X (Leopard) has been configured to work only with Apple’s Airport and Airport Express WiFi systems. In order to extend its functionality to provide service to other types of systems, the configuration file must be edited and a special entry must be created.
- Open the Server Admin application and connect to the server hosting the RADIUS service.
- Select the RADIUS service for configuration. If the service is already running, then click on the “Stop RADIUS” button to stop it.
- Click on the “Base Stations” icon and then the “Add…” button to create a new entry. The most important elements to set correctly are the Type and IP Address. Type must be “other” and the IP Address should be the address of the Bugzilla server.
Name: Bugzilla
Type: other
IP Address: 192.168.1.2
Shared Secret: ********
Verify: ******** - Make a backup copy of the
/etc/raddb/usersconfiguration file for safety.sudo cp /etc/raddb/users /etc/raddb/users.orig - Edit the
/etc/raddb/usersconfiguration file to alter the default authentication type to use the Open Directory service instead of the local account database. The line in question should be approximately 153 lines down in the file (as of 10.5.8).Replace:
DEFAULT Auth-Type = System
with:DEFAULT Auth-Type = opendirectory - Return to the Server Admin application and start the RADIUS service.
Testing the RADIUS service
In order to verify the RADIUS service is working properly it should be tested using the included test tool radtest. The general format for testing the RADIUS service is:
radtest user password radius-server nas-port-number shared-secret
user is the username to be tested.
password is the user’s password. Note that this is given in cleartext and so may be considered a security risk. It is suggested that you change the password immediately after concluding the test.
radius-server is the hostname (or IP address) of the server hosting the RADIUS service.
nas-port-number is the value of the NAS-Port attribute. For testing purposes, it does not matter what value is provided as long as it is between 0 and 2^31.
shared-secret is the shared secret established when the service was configured.
The following is an example usage showing the result of a successful test:
$ radtest groucho RufusTFirefly radius.example.com 10 SecretWord
Sending Access-Request of id 203 to 192.168.1.2 port 1812
User-Name = "groucho"
User-Password = "RufusTFirefly"
NAS-IP-Address = 255.255.255.255
NAS-Port = 10
rad_recv: Access-Accept packet from host 192.168.1.2:1812, id=203, length=20
Configuring Bugzilla for RADIUS authentication
RADIUS configuration requires administrative access to the Bugzilla installation. It cannot be performed as a “normal” user of the system. It is best practice to verify the RADIUS service is working properly before attempting to configure a dependent service.
- Install the Authen::Radius perl module (if not already installed as part of the initial setup).
sudo cpan -i Authen::Radius - Login as administrator to Bugzilla.
- Click on the “Administration” link.
- Click on the “Parameters” link.
- Click on the “RADIUS” link
- Fill in the information for all the RADIUS fields. The server is the hostname where the RADIUS service is running. The secret it the shared secret established when the service was configured. The NAS IP is the address where the Bugzilla service is running. The email suffix is appended to the username to generate the appropriate email address for each user.
RADIUS_server: radius.example.com
RADIUS_secret: ********
RADIUS_NAS_IP: 192.168.1.2
RADIUS_email_suffix: @example.com - Click on the “Save Changes” button to save the new configuration information.
- Click on the “User Authentication” link.
- Navigate to the
user_verify_classand activate RADIUS as a valid authentication mechanism. It is strongly suggested that you leave the DB method also activated. - Click on the “Save Changes” button to save the new configuration information.
Related Links