Deploying OpenLDAP + FreeRADIUS on CentOS 7
1. Pre-installation: LDAP
1.1 Lab environment
OS: CentOS 7; OpenLDAP: 2.4.44; FreeRADIUS: 3.0.13; LDAP Admin: 1.8.3 (win64); phpLDAPadmin: 1.2.3
1.2 System preparation
The three steps below are what the original lab did to get a clean environment. They are lab-only shortcuts: a directory holding password hashes and a RADIUS server should not run with the host firewall and SELinux switched off. On a real host, keep firewalld running and open only the ldap, ldaps and radius services (plus any nonstandard RADIUS port you configure), and leave SELinux enforcing; the CentOS 7 policy already covers slapd and radiusd on their default ports.
Stop the firewall:
systemctl stop firewalld.service && systemctl disable firewalld.service
Stop NetworkManager:
systemctl stop NetworkManager && systemctl disable NetworkManager
Disable SELinux. The original sed only matched SELINUX=permissive, so on a default CentOS 7 install, which ships with SELINUX=enforcing, it changed nothing; the pattern below matches either value. Reboot afterwards for the change to take effect:
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
reboot
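As an added example that is not part of the original page, here is the hardened alternative to section 1.2 for a host that has to stay reachable: firewalld stays on and only the services this deployment needs are opened, and SELinux stays enforcing with the one boolean phpLDAPadmin needs. The script assumes FreeRADIUS site files live in /etc/raddb/sites-enabled and treats every port = N line in them as a UDP listener the NAS must reach (the site_ldap virtual server in section 6.2 listens on 1833, which neither the radius firewalld service nor the radius_port_t label covers); the sample site file used in the check is constructed, and the script name harden-lab.sh is an assumption.

```shell
#!/bin/sh
# Added example: keep firewalld and SELinux on instead of disabling them.
# Assumptions (not from the original page): FreeRADIUS site files are in
# /etc/raddb/sites-enabled, every "port = N" line there is a UDP listener,
# and policycoreutils-python is installed so semanage exists.
# Run as root: sh harden-lab.sh apply
set -eu

# Print every "port = N" value in a FreeRADIUS site file, one per line.
# Commented-out lines are ignored.
radius_listen_ports() {
    sed -n 's/^[[:space:]]*port[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1"
}

# 1812/1813 are already labelled radius_port_t and covered by firewalld's
# "radius" service; "port = 0" in a site file also means those defaults.
# Any other port needs an SELinux port label and a firewall rule.
# Prints the commands rather than running them so they can be reviewed.
port_setup_commands() {
    for p in "$@"; do
        case "$p" in
            0|1812|1813) ;;   # standard ports, nothing to do
            *)
                # semanage port -a fails if the port is already labelled;
                # rerun with -m in that case.
                printf 'semanage port -a -t radius_port_t -p udp %s\n' "$p"
                printf 'firewall-cmd --permanent --add-port=%s/udp\n' "$p"
                ;;
        esac
    done
}

# Open only what this deployment needs; everything else stays closed.
apply_firewall() {
    systemctl enable --now firewalld
    firewall-cmd --permanent --add-service=ldap     # 389/tcp
    firewall-cmd --permanent --add-service=ldaps    # 636/tcp
    firewall-cmd --permanent --add-service=radius   # 1812-1813/udp
    firewall-cmd --permanent --add-service=http     # phpLDAPadmin (section 4), better behind TLS
    for f in /etc/raddb/sites-enabled/*; do
        [ -f "$f" ] || continue
        port_setup_commands $(radius_listen_ports "$f") | sh -e
    done
    firewall-cmd --reload
}

# SELinux stays enforcing; only the boolean this stack needs is enabled.
apply_selinux() {
    setenforce 1
    setsebool -P httpd_can_connect_ldap on   # phpLDAPadmin (httpd) -> slapd
}

case "${1:-}" in
    apply) apply_firewall; apply_selinux ;;
esac
```

Run it after section 6.3 so the site_ldap file is already enabled, or rerun it whenever a listener is added; the firewall and SELinux commands it emits can be inspected first by calling port_setup_commands on the output of radius_listen_ports.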
2. Installing and basic configuration of LDAP
2.1 Install OpenLDAP with yum
yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel
2.2 Start the service
systemctl start slapd
systemctl enable slapd
2.3 Create the LDAP root password
The LDAP administrator (rootdn) password is generated with slappasswd and is used throughout the rest of the installation. Only the {SSHA} hash it prints goes into the configuration; the cleartext never does.
[root@ldap ~]# slappasswd
New password:
Re-enter new password:
{SSHA}xAKjntY/5z3bK+ad3gZpxNHjPpR9uPzi
2.4 Configure the LDAP service
2.4.1 Look at the initial configuration file
/etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif
Do not edit this file by hand; the cn=config database is changed through ldapmodify, as in the following steps.
2.4.2 Create the new configuration file
db.ldif can be created in any directory; here it is created under /opt/alex/.
mkdir -pv /opt/alex
vim /opt/alex/db.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=alex,dc=localhost

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=alex,dc=localhost

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}xAKjntY/5z3bK+ad3gZpxNHjPpR9uPzi
Note: the fields to change in this file
olcSuffix: the directory suffix, i.e. the domain the directory holds
olcRootDN: the DN of the root administrator; this identity bypasses every access control in the database, so use it for administration only, not as a bind account for applications
olcRootPW: the administrator password; paste the hash generated in 2.3 here (the hash, never the cleartext)
2.4.3 Apply the new db configuration with ldapmodify
ldapmodify changes the running server's configuration in place, with no restart needed; see the ldapmodify man page for details. -Y EXTERNAL over the ldapi:/// socket authenticates with the Unix credentials of the root user running the command, which is why no password is asked for.
ldapmodify -Y EXTERNAL -H ldapi:/// -f /opt/alex/db.ldif
On success it prints modifying entry "olcDatabase={2}hdb,cn=config" once for each of the three changes.
2.4.4 Create the new monitor file
The access level for the Manager clause and the closing by * none clause had been lost from the page's copy of this line; the full rule, as slapd expects it, is:
vim /opt/alex/monitor.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=alex,dc=localhost" read by * none
2.4.5 Apply the new monitor configuration with ldapmodify
ldapmodify -Y EXTERNAL -H ldapi:/// -f /opt/alex/monitor.ldif
2.4.6 Create the LDAP database
This is the backend database that holds the directory data. The package ships an example DB_CONFIG; copy it into the data directory and make the ldap user the owner of everything there (slapd runs as ldap and must be able to write the database files).
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap /var/lib/ldap/*
2.4.7 Add schemas to the database
Schemas define the object classes and attributes the directory accepts, roughly what table definitions are to a relational database, with some differences; see https://ldap.com/understanding-ldap-schema/. nis and inetorgperson provide the posixAccount and inetOrgPerson classes the user entries will use, and cosine is a dependency of both, so load it first.
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
2.4.8 Create base.ldif with the entries under the managed domain
vim /opt/alex/base.ldif
dn: dc=alex,dc=localhost
dc: alex
objectClass: top
objectClass: domain

dn: cn=Manager,dc=alex,dc=localhost
objectClass: organizationalRole
cn: Manager
description: LDAP Manager

dn: ou=People,dc=alex,dc=localhost
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=alex,dc=localhost
objectClass: organizationalUnit
ou: Group
2.4.9 Add the base entries
ldapadd -x -W -D "cn=Manager,dc=alex,dc=localhost" -f /opt/alex/base.ldif
Enter the password chosen in 2.3 when prompted (-x is a simple bind as the rootdn, checked against olcRootPW).
2.4.10 Validate the configuration
slaptest -u
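Sections 2.3 to 2.4.10 as one rerunnable script, added here as an example and not taken from the original page. It keeps the page's suffix, rootdn and /opt/alex paths, reads the rootdn password from an environment variable (LDAP_ROOT_PW, an assumption) instead of a terminal prompt, refuses to write olcRootPW unless the value is a slappasswd hash (slapd accepts a cleartext olcRootPW and would store it unhashed under /etc/openldap/slapd.d), and finishes by binding as the rootdn with ldapwhoami to prove the result.

```shell
#!/bin/sh
# Added example: sections 2.3-2.4.10 as one script with checks.
# Assumptions not in the original page: rootdn password in $LDAP_ROOT_PW,
# run as root on the slapd host, script saved as ldap-setup.sh.
set -eu

SUFFIX='dc=alex,dc=localhost'
ROOTDN="cn=Manager,${SUFFIX}"
WORK=/opt/alex

# True when $1 looks like a slappasswd hash rather than a cleartext password.
is_ssha_hash() {
    case "$1" in
        '{SSHA}'*|'{SHA}'*|'{CRYPT}'*|'{MD5}'*|'{SMD5}'*) return 0 ;;
        *) return 1 ;;
    esac
}

# db.ldif (2.4.2): suffix, rootdn, rootpw. "replace" instead of the page's
# "add" for olcRootPW so a rerun does not fail on the existing value.
make_db_ldif() {  # $1=suffix $2=rootdn $3=password hash
    is_ssha_hash "$3" || { echo "refusing cleartext olcRootPW" >&2; return 1; }
    printf '%s\n' \
        'dn: olcDatabase={2}hdb,cn=config' 'changetype: modify' \
        'replace: olcSuffix' "olcSuffix: $1" '' \
        'dn: olcDatabase={2}hdb,cn=config' 'changetype: modify' \
        'replace: olcRootDN' "olcRootDN: $2" '' \
        'dn: olcDatabase={2}hdb,cn=config' 'changetype: modify' \
        'replace: olcRootPW' "olcRootPW: $3"
}

# monitor.ldif (2.4.4): root over ldapi and the rootdn may read cn=Monitor.
make_monitor_ldif() {  # $1=rootdn
    printf '%s\n' \
        'dn: olcDatabase={1}monitor,cn=config' 'changetype: modify' 'replace: olcAccess' \
        "olcAccess: {0}to * by dn.base=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" read by dn.base=\"$1\" read by * none"
}

# base.ldif (2.4.8): suffix entry, Manager role, People and Group containers.
make_base_ldif() {  # $1=suffix
    dc=${1#dc=}; dc=${dc%%,*}
    printf '%s\n' \
        "dn: $1" "dc: $dc" 'objectClass: top' 'objectClass: domain' '' \
        "dn: cn=Manager,$1" 'objectClass: organizationalRole' 'cn: Manager' 'description: LDAP Manager' '' \
        "dn: ou=People,$1" 'objectClass: organizationalUnit' 'ou: People' '' \
        "dn: ou=Group,$1" 'objectClass: organizationalUnit' 'ou: Group'
}

apply() {
    hash=$(slappasswd -s "$LDAP_ROOT_PW")                  # 2.3, non-interactive
    mkdir -p "$WORK"
    make_db_ldif "$SUFFIX" "$ROOTDN" "$hash" > "$WORK/db.ldif"
    chmod 600 "$WORK/db.ldif"                               # it holds the hash
    make_monitor_ldif "$ROOTDN" > "$WORK/monitor.ldif"
    make_base_ldif "$SUFFIX" > "$WORK/base.ldif"
    ldapmodify -Y EXTERNAL -H ldapi:/// -f "$WORK/db.ldif"        # 2.4.3
    ldapmodify -Y EXTERNAL -H ldapi:/// -f "$WORK/monitor.ldif"   # 2.4.5
    [ -f /var/lib/ldap/DB_CONFIG ] || cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
    chown ldap:ldap /var/lib/ldap/*                                # 2.4.6
    for s in cosine nis inetorgperson; do                          # 2.4.7
        ldapadd -Y EXTERNAL -H ldapi:/// -f "/etc/openldap/schema/$s.ldif" || true  # already loaded on rerun
    done
    # 2.4.9 with -y (password file) instead of -W, so the password is neither
    # typed nor visible in the process list; -c continues past "already exists".
    pwfile=$(mktemp); printf '%s' "$LDAP_ROOT_PW" > "$pwfile"
    ldapadd -x -c -D "$ROOTDN" -y "$pwfile" -f "$WORK/base.ldif" || true
    slaptest -u                                                    # 2.4.10
    # Proof: a simple bind as the rootdn over the network socket must succeed.
    ldapwhoami -x -D "$ROOTDN" -y "$pwfile" -H ldap://localhost
    rm -f "$pwfile"
}

case "${1:-}" in
    apply) : "${LDAP_ROOT_PW:?set LDAP_ROOT_PW first}"; apply ;;
esac
```

Usage: LDAP_ROOT_PW='...' sh ldap-setup.sh apply. The last line of output should be dn:cn=Manager,dc=alex,dc=localhost; anything else means the rootdn or olcRootPW did not land in the database.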
3. LDAP Admin
3.1 Download the client version for your platform
Website: http://www.ldapadmin.org/download/index.html
3.2 Usage
3.2.1 Log in
Log in with the rootdn from 2.4.2 and the password from 2.3 (the same credentials phpLDAPadmin uses in 4.2.3). Without TLS on the connection this password crosses the network in the clear.
3.2.2 Create a user
Create the user under ou=People. For FreeRADIUS to find it in section 6 the entry needs a uid attribute, which the posixAccount and inetOrgPerson object classes provide.
3.2.3 Set the user's password
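Steps 3.2.2 and 3.2.3 done from the command line on the LDAP host, as an added example that is not part of the original page. The user name test, its uid/gid numbers and the password are constructed for the example; the DN layout (ou=People under dc=alex,dc=localhost) is the page's, and LDAP_ROOT_PW is an assumed environment variable. The password is set with ldappasswd so the server stores an {SSHA} hash instead of whatever a client pastes into userPassword, the uid is validated before it is used in a DN and a search filter, and the final ldapwhoami is exactly the bind that FreeRADIUS performs in section 6 with Auth-Type ldap.

```shell
#!/bin/sh
# Added example: create a posixAccount user and set its password (3.2.2/3.2.3)
# without the Windows GUI. Assumptions: run on the slapd host as root,
# rootdn password in $LDAP_ROOT_PW; the user details below are constructed.
set -eu

SUFFIX='dc=alex,dc=localhost'
ROOTDN="cn=Manager,${SUFFIX}"

user_dn() { printf 'uid=%s,ou=People,%s\n' "$1" "$SUFFIX"; }

# Only lowercase alphanumerics, dot, dash and underscore, 1-32 characters:
# anything else could change the meaning of a DN or an LDAP filter.
valid_uid() {
    case "$1" in
        ''|*[!a-z0-9._-]*) return 1 ;;
    esac
    [ ${#1} -le 32 ]
}

# LDIF for one login user. inetOrgPerson gives cn/sn/mail, posixAccount the
# uid/uidNumber/gidNumber/homeDirectory that NSS and RADIUS lookups expect.
# No userPassword here on purpose: it is set separately, hashed, below.
user_ldif() {  # $1=uid $2=uidNumber $3=gidNumber $4=full name
    printf '%s\n' \
        "dn: $(user_dn "$1")" \
        'objectClass: top' 'objectClass: person' \
        'objectClass: organizationalPerson' 'objectClass: inetOrgPerson' \
        'objectClass: posixAccount' 'objectClass: shadowAccount' \
        "uid: $1" "cn: $4" "sn: ${4##* }" \
        "uidNumber: $2" "gidNumber: $3" \
        "homeDirectory: /home/$1" 'loginShell: /bin/bash'
}

create_user() {  # $1=uid $2=uidNumber $3=gidNumber $4=full name $5=password
    valid_uid "$1" || { echo "bad uid: $1" >&2; return 1; }
    pwfile=$(mktemp); printf '%s' "$LDAP_ROOT_PW" > "$pwfile"
    user_ldif "$1" "$2" "$3" "$4" | ldapadd -x -D "$ROOTDN" -y "$pwfile" -H ldapi:///
    # Password Modify extended operation: slapd hashes it server-side with
    # its configured scheme ({SSHA} by default), so no cleartext is stored.
    ldappasswd -x -D "$ROOTDN" -y "$pwfile" -H ldapi:/// -s "$5" "$(user_dn "$1")"
    rm -f "$pwfile"
    # Bind as the new user over the network socket: this is what
    # FreeRADIUS does for Auth-Type ldap in section 6.
    ldapwhoami -x -D "$(user_dn "$1")" -w "$5" -H ldap://localhost
}

case "${1:-}" in
    apply) : "${LDAP_ROOT_PW:?set LDAP_ROOT_PW first}"
           create_user test 10001 10001 'Test User' 'Test-Pass-123' ;;
esac
```

Usage: LDAP_ROOT_PW='...' sh ldap-user.sh apply (the script name is an assumption). If the closing ldapwhoami prints dn:uid=test,ou=People,dc=alex,dc=localhost the account will also authenticate through FreeRADIUS once section 6 is in place.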
4. phpLDAPadmin
4.1 Install httpd
[root@ldap ~]# yum install -y httpd
[root@ldap ~]# mv /etc/httpd/conf.d/welcome.conf /etc/httpd/conf.d/welcome.conf_bak
[root@ldap ~]# cp /etc/httpd/conf/httpd.conf{,.bak}
[root@ldap ~]# vim /etc/httpd/conf/httpd.conf
Below line 95 add: ServerName www.alex.cn
Line 152: AllowOverride All
Line 165: DirectoryIndex index.html index.php index.cgi
At the end of the file add:
ServerTokens Prod
KeepAlive On
[root@ldap ~]# systemctl start httpd
[root@ldap ~]# systemctl enable httpd.service
4.2 Install PHP
4.2.1 Configure the Aliyun EPEL mirror
wget -O /etc/yum.repos.d/epel7.repo https://mirrors.aliyun.com/repo/epel-7.repo
yum clean all && yum makecache
4.2.2 Install and configure phpLDAPadmin
yum install php php-mbstring php-pear -y
systemctl restart httpd
yum --enablerepo=epel -y install phpldapadmin
vim /etc/phpldapadmin/config.php
Uncomment line 397 and comment out line 398. These are the two login 'attr' lines: the change makes the web UI log in with a full DN instead of a uid. The line numbers are from the 1.2.3 package and may differ in other versions.
vim /etc/httpd/conf.d/phpldapadmin.conf
Line 12: add the subnet that is allowed to reach the web UI (the shipped file only permits local access). Keep it as narrow as the administrators' subnet, because the login form sends the rootdn password over plain HTTP and anyone on that network path can capture it; put the site behind HTTPS before exposing it beyond a lab.
systemctl restart httpd
4.2.3 Open the web UI
Open http://192.168.236.30/ldapadmin/ in a browser (replace with the LDAP host's IP).
Note: the login DN is the olcRootDN value from 2.4.2, and the password is the root password created in 2.3.
5. Installing and basic configuration of FreeRADIUS
5.1 Install FreeRADIUS with yum
yum -y install freeradius freeradius-utils freeradius-ldap
5.2 Start the service
systemctl start radiusd
systemctl enable radiusd
5.3 Test
5.3.1 Enable the test user in the users file, and comment it out again once testing is done
Edit /etc/raddb/users and uncomment the test user entry. The sed below uncomments lines 73 to 81; the numbers are specific to the 3.0.13 package, so check where the steve entry sits in your copy before running it.
sed -i '73,81s/^#//g' /etc/raddb/users
The uncommented entry:
steve   Cleartext-Password := "testing"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 172.16.3.33,
        Framed-IP-Netmask = 255.255.255.0,
        Framed-Routing = Broadcast-Listen,
        Framed-Filter-Id = "std.ppp",
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobsen-TCP-IP
5.3.2 Start FreeRADIUS in debug mode
Stop the service first:
systemctl stop radiusd
Start in debug mode (foreground, with a full trace of every request on the terminal):
radiusd -X
5.3.3 Test FreeRADIUS
Open a second terminal as root and run the test command:
radtest steve testing localhost 0 testing123
Note: radtest [user] [password] [server address] [NAS port] [shared secret]
"testing123" is the shared secret between FreeRADIUS and the NAS; it is the one defined for the localhost client in clients.conf. The secret is the only thing that authenticates a client to the server, so replace this well-known default for every real NAS you add. radtest sends the password as PAP (User-Password) by default.
An "Access-Accept" packet in the output means success; "Access-Reject" means failure.
Note: after testing, comment the test entry in /etc/raddb/users out again (otherwise a known cleartext account remains on the server), then start the service with systemctl start radiusd.
6. Connecting OpenLDAP and FreeRADIUS
6.1 Edit /etc/raddb/mods-available/ldap
Two things to notice before copying this file. identity and password bind FreeRADIUS to the directory as the rootdn (cn=Manager, with its password from 2.3 stored in the clear in this file); the rootdn has unrestricted write access to the whole directory, while the module only needs to search for the user's DN, so a dedicated read-only bind account is the right identity here. And server plus port 389 with an empty tls {} section means the bind password and every user's password cross the network unencrypted; either run FreeRADIUS on the LDAP host and point server at localhost, or fill in the tls {} section (ldaps or StartTLS) before using a remote directory.
ldap {
    server = '192.168.236.30'
    port = 389
    identity = 'cn=Manager,dc=alex,dc=localhost'
    password = 111111
    base_dn = 'dc=alex,dc=localhost'
    sasl {
    }
    update {
        control:Password-With-Header += 'userPassword'
        control: += 'radiusControlAttribute'
        request: += 'radiusRequestAttribute'
        reply: += 'radiusReplyAttribute'
    }
    user {
        base_dn = "${..base_dn}"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        sasl {
        }
    }
    group {
        base_dn = "${..base_dn}"
        filter = '(objectClass=posixGroup)'
        membership_attribute = 'memberOf'
    }
    profile {
    }
    client {
        base_dn = "${..base_dn}"
        filter = '(objectClass=radiusClient)'
        template {
        }
        attribute {
            ipaddr = 'radiusClientIdentifier'
            secret = 'radiusClientSecret'
        }
    }
    accounting {
        reference = "%{tolower:type.%{Acct-Status-Type}}"
        type {
            start {
                update {
                    description := "Online at %S"
                }
            }
            interim-update {
                update {
                    description := "Last seen at %S"
                }
            }
            stop {
                update {
                    description := "Offline at %S"
                }
            }
        }
    }
    post-auth {
        update {
            description := "Authenticated at %S"
        }
    }
    options {
        chase_referrals = yes
        rebind = yes
        res_timeout = 10
        srv_timelimit = 3
        net_timeout = 1
        idle = 60
        probes = 3
        interval = 3
        ldap_debug = 0x0028
    }
    tls {
    }
    pool {
        start = ${thread[pool].start_servers}
        min = ${thread[pool].min_spare_servers}
        max = ${thread[pool].max_servers}
        spare = ${thread[pool].max_spare_servers}
        uses = 0
        retry_delay = 30
        lifetime = 0
        idle_timeout = 60
    }
}
6.2 Create /etc/raddb/sites-available/site_ldap
A separate virtual server that only authenticates against LDAP, listening on UDP 1833 (the stock default site keeps 1812/1813). Auth-Type := ldap makes rlm_ldap look the user up with the user filter above and then bind to the directory as that user with the password from the request, so it works for PAP requests (radtest's default) only; CHAP or MS-CHAP clients would need the server to read the password hash instead. Because listen is on 0.0.0.0, restrict which clients may send to this port in clients.conf and on the firewall.
server site_ldap {
    listen {
        ipaddr = 0.0.0.0
        port = 1833
        type = auth
    }
    authorize {
        update {
            control:Auth-Type := ldap
        }
    }
    authenticate {
        Auth-Type ldap {
            ldap
        }
    }
    post-auth {
        Post-Auth-Type Reject {
        }
    }
}
6.3 Create the symlinks that enable the site and the module
ln -s /etc/raddb/sites-available/site_ldap /etc/raddb/sites-enabled/
ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/
6.4 Restart and test
systemctl restart radiusd
Test with the LDAP test user created in 3.2.2, pointing radtest at port 1833 (radtest accepts server:port as its third argument) rather than the default 1812.
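An added example, not from the original page, that serves both 5.3.3 and 6.1/6.4. It creates the read-only bind account FreeRADIUS should use instead of cn=Manager (cn=radius under a new ou=Services), together with an ACL for olcDatabase={2}hdb; the page's configuration sets no olcAccess on that database, and slapd's built-in default then lets anonymous clients read every entry, userPassword hashes included. It then checks the least privilege actually holds, prints the two lines to put in mods-available/ldap, and wraps radtest in a function that decides accept or reject from the reply instead of reading the output by eye. The account name, the RADIUS_BIND_PW and LDAP_ROOT_PW variables and the radtest output lines used in the offline check are assumptions or constructed.

```shell
#!/bin/sh
# Added example (not part of the original page). Assumptions: runs as root on
# the host where slapd and radiusd both live; rootdn password in
# $LDAP_ROOT_PW, password for the new bind account in $RADIUS_BIND_PW.
set -eu

SUFFIX='dc=alex,dc=localhost'
ROOTDN="cn=Manager,${SUFFIX}"
SVC_DN="cn=radius,ou=Services,${SUFFIX}"

# A bind account for rlm_ldap: simpleSecurityObject carries userPassword,
# organizationalRole gives it a cn. It owns nothing and can write nothing.
service_account_ldif() {  # $1=password hash from slappasswd
    printf '%s\n' \
        "dn: ou=Services,${SUFFIX}" 'objectClass: organizationalUnit' 'ou: Services' '' \
        "dn: ${SVC_DN}" 'objectClass: simpleSecurityObject' \
        'objectClass: organizationalRole' 'cn: radius' \
        'description: read-only bind account for FreeRADIUS' \
        "userPassword: $1"
}

# ACL for the data database. {0}: password hashes are never readable, only
# usable for a bind ("auth"); with Auth-Type ldap FreeRADIUS binds as the
# user and never needs the hash. {1}: the radius account and authenticated
# users may read everything else; anonymous gets nothing. The rootdn
# bypasses ACLs entirely, so the ldapadd in 2.4.9 keeps working.
acl_ldif() {
    printf '%s\n' \
        'dn: olcDatabase={2}hdb,cn=config' 'changetype: modify' 'replace: olcAccess' \
        "olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by dn.exact=\"${SVC_DN}\" auth by anonymous auth by * none" \
        "olcAccess: {1}to * by self write by dn.exact=\"${SVC_DN}\" read by users read by * none"
}

# Replacement for the identity/password lines in mods-available/ldap.
# The password sits in that file in the clear: keep it root:radiusd 0640.
radius_identity_config() {  # $1=bind password
    printf "identity = '%s'\npassword = '%s'\n" "$SVC_DN" "$1"
}

# Read radtest output on stdin and print accept, reject or none (no reply).
radius_reply_kind() {
    awk '/Access-Accept/ {k="accept"} /Access-Reject/ {k="reject"}
         END {print (k == "" ? "none" : k)}'
}

# radtest against the site_ldap virtual server on UDP 1833 (section 6.2),
# with the localhost client secret from clients.conf. 0 on Access-Accept.
radius_auth_ok() {  # $1=user $2=password
    kind=$(radtest "$1" "$2" localhost:1833 0 testing123 2>&1 | radius_reply_kind)
    echo "radtest $1: $kind" >&2
    [ "$kind" = accept ]
}

apply() {
    pwfile=$(mktemp); printf '%s' "$LDAP_ROOT_PW" > "$pwfile"
    hash=$(slappasswd -s "$RADIUS_BIND_PW")
    service_account_ldif "$hash" | ldapadd -x -c -D "$ROOTDN" -y "$pwfile" -H ldapi:/// || true  # rerun-safe
    acl_ldif | ldapmodify -Y EXTERNAL -H ldapi:///
    rm -f "$pwfile"
    # Prove the privileges before touching FreeRADIUS:
    ldapwhoami -x -D "$SVC_DN" -w "$RADIUS_BIND_PW" -H ldapi:///                       # can bind
    ldapsearch -x -LLL -D "$SVC_DN" -w "$RADIUS_BIND_PW" -H ldapi:/// \
        -b "ou=People,${SUFFIX}" uid >/dev/null                                      # can search users
    if ldapsearch -x -LLL -H ldapi:/// -b "ou=People,${SUFFIX}" userPassword 2>/dev/null \
        | grep -q '^userPassword:'; then
        echo "password hashes are still readable anonymously" >&2; return 1
    fi
    radius_identity_config "$RADIUS_BIND_PW"   # paste into mods-available/ldap, then restart radiusd
}

case "${1:-}" in
    apply) : "${LDAP_ROOT_PW:?}" "${RADIUS_BIND_PW:?}"; apply ;;
    check) radius_auth_ok "$2" "$3" ;;
esac
```

Usage: LDAP_ROOT_PW='...' RADIUS_BIND_PW='...' sh radius-ldap.sh apply, copy the two printed lines into /etc/raddb/mods-available/ldap in place of the cn=Manager identity, restart radiusd, then sh radius-ldap.sh check test 'Test-Pass-123' (the script name and the test user's password are assumptions). Because the ACL grants the account auth-only access to userPassword, the control:Password-With-Header mapping in the module returns nothing, which is fine for the bind-as-user flow the page configures; a deployment that needs CHAP or MS-CHAP would have to grant it read on that attribute instead.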
References:
https://www.cnblogs.com/xiaoshou/p/12337620.html (LDAP deployment)
https://www.geek-share.com/detail/2757588311.html (FreeRADIUS installation and LDAP integration)