centos7 yum安装freeradius并配置到openldap进行简单认证

发布时间 2023-09-21 18:50:29 作者: 非专业编程

1.yum 安装freeradius

yum -y install freeradius freeradius-utils freeradius-ldap vim

2.编辑 vim /etc/raddb/mods-available/ldap 根据实际情况修改dc的值

[root@localhost ~]# cat /etc/raddb/mods-available/ldap | grep -v "#"|grep -v "^$"
ldap {
    # Directory server address (placeholder, replace with the real host).
    # Port 389 is plain LDAP and the tls {} section further down is empty, so this
    # session is not encrypted: the bind password and any user passwords sent to
    # the directory travel in cleartext until TLS/StartTLS is configured.
    server = 'x.x.x.x'        # ldap server ip
    port = 389                  # ldap server port
    # Bind identity used for lookups. This is the directory admin DN with its
    # password stored in cleartext in this file; prefer a dedicated, least-privilege
    # bind account and keep the file readable only by the account radiusd runs as.
    identity = 'cn=admin,dc=openldap,dc=cn'         # ldap admin dn
    password = 123456                                       # ldap admin passwd
    base_dn = 'dc=openldap,dc=cn'                     # search base
    sasl {
    }
    # Maps attributes of the matched user entry onto RADIUS control/reply attributes.
    update {
        control:Password-With-Header    += 'userPassword'           # radius pulls the password attribute from the user's ldap entry
        control:NT-Password        := 'ntPassword'                # NT hash attribute, when the entry has one
        reply:Reply-Message        := 'radiusReplyMessage'
        reply:Tunnel-Type        := 'radiusTunnelType'                   # tunnel type, VLAN
        reply:Tunnel-Medium-Type    := 'radiusTunnelMediumType'         # medium type, IEEE-802
        reply:Tunnel-Private-Group-ID    := 'radiusTunnelPrivategroupId' # the vlan id
    }
    user {
        base_dn = "${..base_dn}"
        # Looks the user up by uid, preferring Stripped-User-Name and falling back
        # to User-Name.
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        sasl {
        }
    }
    group {
        base_dn = "${..base_dn}"
        filter = '(objectClass=posixGroup)'
        membership_attribute = 'memberOf'
    }
    profile {
    }
    # NOTE(review): describes how RADIUS client entries (address + shared secret)
    # would be read from the directory; whether they are actually loaded depends
    # on settings not shown here — confirm before relying on it.
    client {
        base_dn = "${..base_dn}"
        filter = '(objectClass=radiusClient)'
        template {
        }
        attribute {
            ipaddr                = 'radiusClientIdentifier'
            secret                = 'radiusClientSecret'
        }
    }
    # Writes a timestamped description back to the user's directory entry for each
    # accounting event; the bind account therefore needs write access to that attribute.
    accounting {
        # Picks type.start / type.interim-update / type.stop below from the
        # request's Acct-Status-Type.
        reference = "%{tolower:type.%{Acct-Status-Type}}"
        type {
            start {
                update {
                    description := "Online at %S"
                }
            }
            interim-update {
                update {
                    description := "Last seen at %S"
                }
            }
            stop {
                update {
                    description := "Offline at %S"
                }
            }
        }
    }
    # Same write-back after a successful authentication.
    post-auth {
        update {
            description := "Authenticated at %S"
        }
    }
    options {
        chase_referrals = yes   # follow referrals returned by the directory...
        rebind = yes            # ...and re-bind with the identity above on the referred server
        res_timeout = 10        # wait for a search result (seconds)
        srv_timelimit = 3       # server-side search time limit (seconds)
        net_timeout = 1         # connection timeout (seconds)
        idle = 60               # TCP keepalive: idle time, probe count, probe interval
        probes = 3
        interval = 3
        ldap_debug = 0x0028     # libldap debug mask; raise only while troubleshooting, output can be verbose
    }
    # Empty: no certificate, CA or StartTLS settings, so the LDAP session is unencrypted.
    tls {
    }
    # Connection pool sized from the server's thread pool. uses = 0 and lifetime = 0
    # mean a connection is never retired by request count or age, only when idle.
    pool {
        start = ${thread[pool].start_servers}
        min = ${thread[pool].min_spare_servers}
        max = ${thread[pool].max_servers}
        spare = ${thread[pool].max_spare_servers}
        uses = 0
        retry_delay = 30
        lifetime = 0
        idle_timeout = 60
    }
}

3.vim /etc/raddb/sites-available/site-ldap

vim /etc/raddb/sites-available/site-ldap

server site_ldap {
    # Accepts Access-Requests on every interface, on non-standard port 1833
    # (clients must be pointed at this port explicitly).
    listen {
         ipaddr = 0.0.0.0
         port = 1833
         type = auth
    }
    # Forces the LDAP authentication path for every request, whatever it carries.
    authorize {
         update {
             control:Auth-Type := ldap
         }
    }
    # Authenticates by binding to the directory as the user. That needs the
    # cleartext password in the request (PAP); CHAP/MS-CHAP requests cannot be
    # verified this way and will be rejected.
    authenticate {
        Auth-Type ldap {
            ldap
        }
    }

    # Empty Reject handler: rejected requests get no extra logging or delay here.
    post-auth {
        Post-Auth-Type Reject {
        }
    }
}
取消这两个文件里面关于ldap的注释
vim /etc/raddb/sites-enabled/default
vim /etc/raddb/sites-enabled/inner-tunnel
750         ldap
...
526         Auth-Type LDAP {
527                 ldap
528         }
将刚才编辑的ldap和site_ldap模块开启
ln -s /etc/raddb/sites-available/site-ldap /etc/raddb/sites-enabled/
ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/ldap
vim /etc/raddb/clients.conf

client all {
# Accepts RADIUS packets from any source address. The shared secret is then the
# only thing protecting request integrity and the hiding of User-Password, and
# this one is short and identical to the LDAP bind password used in the ldap
# module; restrict ipaddr to the switch/NAS addresses and use a long random secret.
ipaddr = 0.0.0.0/0
secret = 123456 # the radius shared secret must match what is configured on the switch
# Left at the server default. Setting it to yes makes the server drop requests
# lacking a valid Message-Authenticator, if the switches are able to send one.
#require_message_authenticator = no
}

使用radiusd -X测试没问题就可以使用了