
Deploying OpenLDAP + FreeRADIUS on CentOS 7

2020-09-01 12:51

1. Preparing for the LDAP install

1.1 Lab environment

OS: CentOS 7
OpenLDAP: 2.4.44
FreeRADIUS: 3.0.13
LdapAdmin: 1.8.3 (win64)
phpLDAPadmin: 1.2.3

1.2 System preparation

The three steps below are lab shortcuts: they switch off every host-level control so nothing gets in the way of the walkthrough. On a machine reachable from a real network keep firewalld and SELinux on and instead open only the ports the services need (389/tcp for slapd, 80/tcp for httpd, 1812/udp for radiusd, plus the extra RADIUS listener configured in section 6).

Stop the firewall:

systemctl stop firewalld.service && systemctl disable firewalld.service

Stop NetworkManager:

systemctl stop NetworkManager && systemctl disable NetworkManager

Disable SELinux. Match the whole SELINUX= line: a default CentOS 7 install ships with SELINUX=enforcing, so a substitution that only matches "permissive" silently changes nothing:

sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
reboot

2. Installing and basic configuration of OpenLDAP

2.1 Install OpenLDAP with yum

yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel

2.2 Start the service

systemctl start slapd
systemctl enable slapd

2.3 Create the LDAP root password

The LDAP administrator (root) password hash is generated with slappasswd and is used for the rest of the install. slappasswd prompts for the password twice and prints a {SSHA} value, a salted SHA-1 hash; the hash is what goes into the configuration, and the cleartext you typed is what you use later when binding as the administrator.

[root@ldap ~]# slappasswd
New password:
Re-enter new password:
{SSHA}xAKjntY/5z3bK+ad3gZpxNHjPpR9uPzi

2.4 Configure the LDAP service

2.4.1 Locate the initial configuration file

/etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif

2.4.2 Create the new configuration file

The db.ldif file can be created in any directory; here it is created under /opt/alex/.

mkdir -pv /opt/alex
vim /opt/alex/db.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=alex,dc=localhost

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=alex,dc=localhost

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}xAKjntY/5z3bK+ad3gZpxNHjPpR9uPzi

Note: fields to change in this file:
olcSuffix: the base DN of the directory (the domain whose entries it stores)
olcRootDN: the DN of the root administrator; the tree under the suffix is managed as this identity
olcRootPW: the administrator password hash generated in 2.3 (paste your own slappasswd output here, not the value shown above). "add:" is used because the stock CentOS 7 configuration defines no olcRootPW for olcDatabase={2}hdb; if one were already present, "replace:" would be needed instead.

2.4.3 Apply the new database configuration with ldapmodify

ldapmodify edits the live cn=config database, so the change takes effect immediately without restarting slapd; see the ldapmodify man page for the options. -Y EXTERNAL over the ldapi:/// Unix socket authenticates the caller by its uid/gid, which is why these commands must be run as root (that is the peercred ACL set in 2.4.4).

ldapmodify -Y EXTERNAL -H ldapi:/// -f /opt/alex/db.ldif

On success it prints the three modified entries.

2.4.4 Create the monitor file

The stock ACL on the monitor database grants read access to the local root user only; this adds the Manager DN. The access level ("read") must be spelled out after each "by" clause, and the closing "by * none" keeps everyone else out:

vim /opt/alex/monitor.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=alex,dc=localhost" read by * none

2.4.5 Apply the monitor configuration with ldapmodify

ldapmodify -Y EXTERNAL -H ldapi:/// -f /opt/alex/monitor.ldif

2.4.6 Create the LDAP database

This is the backend database that holds the directory data. The package ships an example DB_CONFIG; copy it into place and make the ldap user the owner of everything in the database directory, since slapd runs as that user.

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap /var/lib/ldap/*

2.4.7 Add schemas to the database

Schemas define the object classes and attributes the directory will accept, roughly what table definitions are to a relational database, with some differences; see https://ldap.com/understanding-ldap-schema/. The three below provide the classes used by the base entries and by typical user accounts (inetOrgPerson, posixAccount, posixGroup).

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

2.4.8 Create base.ldif to populate the managed domain

vim /opt/alex/base.ldif
dn: dc=alex,dc=localhost
dc: alex
objectClass: top
objectClass: domain

dn: cn=Manager,dc=alex,dc=localhost
objectClass: organizationalRole
cn: Manager
description: LDAP Manager

dn: ou=People,dc=alex,dc=localhost
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=alex,dc=localhost
objectClass: organizationalUnit
ou: Group

2.4.9 Load the base entries

ldapadd -x -W -D "cn=Manager,dc=alex,dc=localhost" -f /opt/alex/base.ldif

Enter the password chosen in 2.3 when prompted. This is a simple bind as the rootDN, so it takes the cleartext password, not the hash.

2.4.10 Check the configuration

slaptest -u
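As an added example (not part of the original post), the following Python script reproduces what slappasswd does in 2.3 and renders the db.ldif of 2.4.2 and the base.ldif of 2.4.8 from a domain name, so the hash pasted into olcRootPW is guaranteed to be the one that was generated. Function names are mine; the SSHA layout it assumes is OpenLDAP's default: base64 of SHA-1(password || salt) followed by the 4-byte salt. ssha_verify is the audit-side counterpart, for checking whether a userPassword value still matches a known password.

```python
"""slappasswd-compatible {SSHA} hashing plus the LDIF from sections 2.4.2 and 2.4.8.

Added example, not part of the original post. Assumes OpenLDAP's default SSHA
layout: base64( SHA1(password || salt) || salt ) with a 4-byte random salt,
which is what `slappasswd` emits when no -h option is given. Names are mine.
"""
import base64
import hashlib
import hmac
import os


def ssha_hash(password, salt=None):
    """Return a {SSHA} string slapd accepts as olcRootPW or userPassword."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd also uses a 4-byte salt by default
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a cleartext password against a {SSHA} value, e.g. when auditing userPassword."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; whatever follows is the salt
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def domain_to_dn(domain):
    """'alex.localhost' -> 'dc=alex,dc=localhost'"""
    return ",".join("dc=" + label for label in domain.split("."))


def db_ldif(domain, root_pw_hash, db_index=2, manager="Manager"):
    """The three olcDatabase modifications from 2.4.2 as one LDIF document."""
    suffix = domain_to_dn(domain)
    target = "olcDatabase={%d}hdb,cn=config" % db_index
    ops = [("replace", "olcSuffix", suffix),
           ("replace", "olcRootDN", "cn=%s,%s" % (manager, suffix)),
           # 'add' because the stock CentOS 7 config has no olcRootPW yet
           ("add", "olcRootPW", root_pw_hash)]
    return "\n\n".join("dn: %s\nchangetype: modify\n%s: %s\n%s: %s" % (target, op, attr, attr, value)
                       for op, attr, value in ops) + "\n"


def base_ldif(domain, manager="Manager"):
    """The base tree from 2.4.8: domain entry, Manager role, ou=People, ou=Group."""
    suffix = domain_to_dn(domain)
    entries = [
        ("dn: %s" % suffix, "dc: %s" % domain.split(".")[0], "objectClass: top", "objectClass: domain"),
        ("dn: cn=%s,%s" % (manager, suffix), "objectClass: organizationalRole",
         "cn: %s" % manager, "description: LDAP Manager"),
        ("dn: ou=People,%s" % suffix, "objectClass: organizationalUnit", "ou: People"),
        ("dn: ou=Group,%s" % suffix, "objectClass: organizationalUnit", "ou: Group"),
    ]
    return "\n\n".join("\n".join(e) for e in entries) + "\n"


if __name__ == "__main__":
    root_hash = ssha_hash("change-me")  # constructed sample password
    print(db_ldif("alex.localhost", root_hash))
    print(base_ldif("alex.localhost"))
```

Write the two outputs to files and apply them with the same ldapmodify and ldapadd commands as above; afterwards an anonymous ldapsearch against the base DN lists what was loaded. The page's own hash shows the layout at a glance: its 32 base64 characters decode to 24 bytes, 20 of SHA-1 digest and 4 of salt, which is why ssha_verify can split it without any length field.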

3. LDAP Admin

3.1 Download the client for your platform

Official site: http://www.ldapadmin.org/download/index.html

3.2 Usage

The original shows the three steps below as screenshots, which are not reproduced here: connect to the server with the olcRootDN from 2.4.2 and the password from 2.3, create a user (for example under ou=People), and set its password. This is the user that is later authenticated through FreeRADIUS in 6.4.

3.2.1 Log in

3.2.2 Create a user

3.2.3 Set the user's password

4. phpLDAPadmin

4.1 Install httpd

[root@ldap ~]# yum install -y httpd
[root@ldap ~]# mv /etc/httpd/conf.d/welcome.conf /etc/httpd/conf.d/welcome.conf_bak
[root@ldap ~]# cp /etc/httpd/conf/httpd.conf{,.bak}
[root@ldap ~]# vim /etc/httpd/conf/httpd.conf
Below line 95, add:   ServerName www.alex.cn
Line 152:             AllowOverride All
Line 165:             DirectoryIndex index.html index.php index.cgi
Append at the end of the file:
ServerTokens Prod
KeepAlive On
[root@ldap ~]# systemctl start httpd
[root@ldap ~]# systemctl enable httpd.service

4.2 Install PHP

4.2.1 Configure the Aliyun EPEL mirror

wget -O /etc/yum.repos.d/epel7.repo https://mirrors.aliyun.com/repo/epel-7.repo
yum clean all && yum makecache

4.2.2 Install and configure phpLDAPadmin

yum install php php-mbstring php-pear -y
systemctl restart httpd
yum --enablerepo=epel -y install phpldapadmin

vim /etc/phpldapadmin/config.php
Around lines 397-398: uncomment the $servers->setValue('login','attr','dn'); line and comment out the $servers->setValue('login','attr','uid'); line that follows it, so that the login form takes a full DN.

vim /etc/httpd/conf.d/phpldapadmin.conf
Line 12: the access rule is "Require local" by default. Add a "Require ip <subnet>" line for the network you administer from (for this lab 192.168.236.0/24) rather than opening the interface to everyone; it is the directory administrator's login page.

systemctl restart httpd

4.2.3 Open the web interface

Browse to http://192.168.236.30/ldapadmin/ (replace with the LDAP server's IP). This is plain HTTP, so the Manager password crosses the network in cleartext; outside a lab put the site behind TLS (mod_ssl) as well as the subnet restriction above.

Note: the login DN is the olcRootDN from 2.4.2 and the password is the root password from 2.3.

5. Installing and basic configuration of FreeRADIUS

5.1 Install FreeRADIUS with yum

yum -y install freeradius freeradius-utils freeradius-ldap

5.2 Start the service

systemctl start radiusd
systemctl enable radiusd

5.3 Testing

5.3.1 Enable the test user (and disable it again when done)

Edit /etc/raddb/users and uncomment the sample test user. The sed below works by line number (lines 73-81 in the 3.0.13 package), so check with grep afterwards that it uncommented exactly the steve block shown and nothing else:

sed -i '73,81s/^#//g' /etc/raddb/users
#################################################
steve   Cleartext-Password := "testing"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 172.16.3.33,
        Framed-IP-Netmask = 255.255.255.0,
        Framed-Routing = Broadcast-Listen,
        Framed-Filter-Id = "std.ppp",
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobsen-TCP-IP
#################################################

5.3.2 Start FreeRADIUS in debug mode

Stop the service first:

systemctl stop radiusd

Then run it in the foreground with full debug output:

radiusd -X

5.3.3 Test FreeRADIUS

Open a second terminal as root and run the test:

radtest steve testing localhost 0 testing123

Note: radtest [user] [password] [server address] [NAS port] [shared secret].
"testing123" is the shared secret between FreeRADIUS and the NAS; it is the default for the localhost client in /etc/raddb/clients.conf and must be changed for any real client.
"Received Access-Accept" in the output means success, "Access-Reject" means failure.

Note: after testing, comment the test user out of /etc/raddb/users again (it is a cleartext password accepted from every client listed in clients.conf), then start the service with systemctl start radiusd.
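The radtest exchange above, reconstructed in Python as an added example (not from the original post or from FreeRADIUS): it builds the Access-Request radtest sends, hides the PAP password the way RFC 2865 does, and checks the Response Authenticator on the reply. Packet contents are constructed and the function names are mine. It shows what testing123 actually protects: User-Password is only XORed with MD5(secret || request authenticator), so anyone holding the shared secret and a capture of the packet recovers the cleartext, and the Response Authenticator is the only thing that stops a forged Access-Accept. A weak or reused secret is therefore as good as cleartext.

```python
"""RFC 2865 PAP exchange, as sent by `radtest steve testing localhost 0 testing123`.

Added example, not from the original post or from FreeRADIUS. It builds the
Access-Request, hides User-Password the way the RFC does, and checks the
Response Authenticator on the reply. Packet contents are constructed and the
function names are mine.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_PORT = 1, 2, 5


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: NUL-pad to 16n bytes, XOR each block with MD5(secret || previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password: whoever has the secret and a capture gets the cleartext back."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    """Type-Length-Value encoding; Length covers the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, user, password, secret, nas_port=0, authenticator=None):
    """What radtest puts on the wire: Code 1, Identifier, Length, 16-byte random Authenticator, attributes."""
    auth = authenticator or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, user.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret.encode(), auth))
             + attribute(ATTR_NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def build_response(code, request, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code || ID || Length || RequestAuth || Attrs || Secret)."""
    ident, req_auth = request[1], request[4:20]
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + req_auth + attrs + secret.encode()).digest()
    return header + resp_auth + attrs


def verify_response(response, request, secret):
    """Client side: a reply whose authenticator was not computed with the secret is discarded."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret.encode()).digest()
    return hmac.compare_digest(expected, response[4:20])


def parse_attributes(packet):
    """Return {type: raw value} for the attributes after the 20-byte header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2:
            break
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


if __name__ == "__main__":
    secret = "testing123"  # the localhost shared secret from clients.conf
    req = build_access_request(1, "steve", "testing", secret)
    print("Access-Request", req.hex())
    print("recovered with the secret:",
          reveal_password(parse_attributes(req)[ATTR_USER_PASSWORD], secret.encode(), req[4:20]))
    reply = build_response(ACCESS_ACCEPT, req, secret)
    print("Access-Accept verifies:", verify_response(reply, req, secret))
```

The same hiding applies to every PAP request the NAS sends once FreeRADIUS is in production, which is why the shared secret should be long and per-client, and why RADIUS over an untrusted network is normally wrapped in IPsec or RadSec rather than relied on as is.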

6. Connecting FreeRADIUS to OpenLDAP

6.1 Edit /etc/raddb/mods-available/ldap

The identity/password pair below is what radiusd binds with to look users up. This walkthrough reuses the directory rootDN and its cleartext password (111111 here; it must be whatever was typed in 2.3), which gives radiusd full write access to the directory. A dedicated read-only account is the better choice, and because the password sits in cleartext in this file it must stay readable only by root and the radiusd user. Port 389 with an empty tls {} block means the bind and every lookup cross the network unencrypted; if slapd runs on the same host point server at 127.0.0.1, otherwise fill in the tls {} block or use an ldaps:// URL.

ldap {
    # Directory location. Plain ldap:// on 389 = cleartext bind and lookups.
    server = '192.168.236.30'
    port = 389
    # Bind credentials used for lookups: here the rootDN and its cleartext
    # password (the one chosen in 2.3). Prefer a dedicated read-only account.
    identity = 'cn=Manager,dc=alex,dc=localhost'
    password = 111111
    base_dn = 'dc=alex,dc=localhost'
    sasl {
    }
    update {
        # Copies the user's userPassword into the request; the bind identity
        # must therefore be allowed to read that attribute.
        control:Password-With-Header    += 'userPassword'
        control:            += 'radiusControlAttribute'
        request:            += 'radiusRequestAttribute'
        reply:              += 'radiusReplyAttribute'
    }
    user {
        base_dn = "${..base_dn}"
        # The RADIUS User-Name (minus any realm) must match the entry's uid.
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        sasl {
        }
    }
    group {
        base_dn = "${..base_dn}"
        filter = '(objectClass=posixGroup)'
        membership_attribute = 'memberOf'
    }
    profile {
    }
    client {
        base_dn = "${..base_dn}"
        filter = '(objectClass=radiusClient)'
        template {
        }
        attribute {
            ipaddr              = 'radiusClientIdentifier'
            secret              = 'radiusClientSecret'
        }
    }
    accounting {
        reference = "%{tolower:type.%{Acct-Status-Type}}"
        type {
            start {
                update {
                    description := "Online at %S"
                }
            }
            interim-update {
                update {
                    description := "Last seen at %S"
                }
            }
            stop {
                update {
                    description := "Offline at %S"
                }
            }
        }
    }
    post-auth {
        update {
            description := "Authenticated at %S"
        }
    }
    options {
        # rebind = yes with chase_referrals re-sends the bind credentials to
        # whatever server the directory refers to; disable unless referrals are needed.
        chase_referrals = yes
        rebind = yes
        res_timeout = 10
        srv_timelimit = 3
        net_timeout = 1
        idle = 60
        probes = 3
        interval = 3
        ldap_debug = 0x0028
    }
    tls {
        # Empty: no TLS. Set start_tls/ca_file here or use ldaps:// above.
    }
    pool {
        start = ${thread[pool].start_servers}
        min = ${thread[pool].min_spare_servers}
        max = ${thread[pool].max_servers}
        spare = ${thread[pool].max_spare_servers}
        uses = 0
        retry_delay = 30
        lifetime = 0
        idle_timeout = 60
    }
}

6.2 Create /etc/raddb/sites-available/site_ldap

This is a new virtual server listening on its own port (1833/udp; 1812 is already taken by the default site). Setting Auth-Type to ldap in authorize forces every request through the ldap module, which authenticates by binding to the directory as the user with the password from the request. That only works for PAP, where the request carries the cleartext password; CHAP or MS-CHAP clients would need the userPassword value to be readable and in a usable form.

server site_ldap {
    listen {
        ipaddr = 0.0.0.0
        # Separate auth-only listener, away from the default site on 1812.
        port = 1833
        type = auth
    }
    authorize {
        # Force LDAP bind authentication for every request (PAP only).
        update {
            control:Auth-Type := ldap
        }
    }
    authenticate {
        Auth-Type ldap {
            ldap
        }
    }
    post-auth {
        Post-Auth-Type Reject {
        }
    }
}

6.3 Enable the virtual server and the module with symlinks

ln -s /etc/raddb/sites-available/site_ldap  /etc/raddb/sites-enabled/
ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/

6.4 Restart and test

systemctl restart radiusd

Test with the LDAP user created in 3.2.2 against the new listener, using the same radtest form as in 5.3.3 with the port appended to the server address, e.g. radtest -x <uid> <password> 127.0.0.1:1833 0 testing123. Running radiusd -X in another terminal shows the LDAP bind as the user and the resulting Access-Accept or Access-Reject.
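As an added example (not from the original post or the FreeRADIUS project), the script below parses a mods-available/ldap file in FreeRADIUS's config syntax and flags the settings in 6.1 that a reviewer would push back on: binding as the rootDN, a trivial bind password, no TLS, and referral chasing with rebind. WEAK is the page's module trimmed to the keys the checks read; HARDENED is an assumed corrected version whose bind DN (cn=radius,ou=Services,...), ldaps:// hostname, CA path and password are placeholders rather than values from the page. Function names are mine.

```python
"""Audit a FreeRADIUS mods-available/ldap file for the weak settings in section 6.1.

Added example, not from the original post or the FreeRADIUS project. WEAK is the
page's module trimmed to the keys the checks read; HARDENED is an assumed fix
whose bind DN, ldaps:// host, CA path and password are placeholders.
"""

WEAK = """
ldap {
    server = '192.168.236.30'
    port = 389
    identity = 'cn=Manager,dc=alex,dc=localhost'
    password = 111111
    base_dn = 'dc=alex,dc=localhost'
    options {
        chase_referrals = yes
        rebind = yes
    }
    tls {
    }
}
"""

HARDENED = """
ldap {
    server = 'ldaps://ldap.alex.localhost'      # placeholder host; TLS from the first byte
    port = 636
    identity = 'cn=radius,ou=Services,dc=alex,dc=localhost'   # placeholder read-only account
    password = 'S3rv1ce-Acc0unt-Pw!'             # placeholder; keep this file 0640 root:radiusd
    base_dn = 'dc=alex,dc=localhost'
    options {
        chase_referrals = no
        rebind = no
    }
    tls {
        ca_file = /etc/raddb/certs/ca.pem        # placeholder path
        require_cert = 'demand'
    }
}
"""


def parse_raddb(text):
    """Minimal parser for FreeRADIUS config syntax: nested `name { ... }` blocks and
    `key = value` (also += and :=) lines, with '#' comments stripped. Enough for the
    module file above; not a full unlang parser (values containing '#' would break)."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            child = {}
            cur[line[:-1].strip()] = child
            stack.append(cur)
            cur = child
        elif line == "}":
            cur = stack.pop()
        elif "=" in line:
            key, _, value = line.partition("=")
            cur[key.strip().rstrip("+:").strip()] = value.strip().strip("'\"")
    return root


def audit_ldap_module(text, root_dn="cn=Manager,dc=alex,dc=localhost"):
    """Return (code, message) findings for an rlm_ldap module definition."""
    ldap = parse_raddb(text).get("ldap", {})
    tls, opts = ldap.get("tls") or {}, ldap.get("options") or {}
    server, password = ldap.get("server", ""), ldap.get("password", "")
    findings = []
    if ldap.get("identity", "").replace(" ", "").lower() == root_dn.lower():
        findings.append(("ROOTDN_BIND", "identity is the directory rootDN; bind with a dedicated read-only account"))
    if password and (password.isdigit() or len(password) < 12):
        findings.append(("WEAK_PASSWORD", "bind password is trivially guessable and stored in cleartext here"))
    if not (server.startswith("ldaps://") or tls.get("start_tls") == "yes"):
        findings.append(("CLEARTEXT_BIND", "no ldaps:// URL and no start_tls: bind password and lookups cross the network unencrypted"))
    if opts.get("chase_referrals") == "yes" and opts.get("rebind") == "yes":
        findings.append(("REFERRAL_REBIND", "chase_referrals with rebind re-sends the bind credentials to any server the directory refers to"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit_ldap_module(cfg) or "no findings")
```

Point it at the real file (open("/etc/raddb/mods-available/ldap").read()) to run the same checks on the deployed module; the root_dn argument is the olcRootDN from 2.4.2, so the check follows whatever suffix the directory uses.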

References:
https://www.cnblogs.com/xiaoshou/p/12337620.html (LDAP deployment)
https://www.geek-share.com/detail/2757588311.html (FreeRADIUS installation and LDAP integration)
