1. 使用 yum 安装 FreeRADIUS
# Install the FreeRADIUS server, its utilities package, the LDAP module and vim.
yum install -y freeradius freeradius-utils freeradius-ldap vim
2. 编辑 /etc/raddb/mods-available/ldap（vim /etc/raddb/mods-available/ldap），根据实际环境修改 dc 等值
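[root@localhost ~]# grep -v '#' /etc/raddb/mods-available/ldap | grep -v '^$'
# NOTE: the trailing "# ..." comments below are tutorial annotations; the grep
# above strips comment lines, so the real command output contains none.
ldap {
	server = 'x.x.x.x'                       # LDAP server IP
	port = 389                               # LDAP server port (plain LDAP; see the empty tls {} below)
	identity = 'cn=admin,dc=openldap,dc=cn'  # bind DN used by radiusd
	password = 123456                        # bind password — example value, replace it; keep this file readable by the radiusd user only
	base_dn = 'dc=openldap,dc=cn'            # search base
	sasl {
	}
	update {
		# Attributes copied from the user's LDAP entry into the request/reply.
		control:Password-With-Header += 'userPassword'                 # password material fetched from the LDAP entry
		control:NT-Password := 'ntPassword'
		reply:Reply-Message := 'radiusReplyMessage'
		reply:Tunnel-Type := 'radiusTunnelType'                        # tunnel type: VLAN
		reply:Tunnel-Medium-Type := 'radiusTunnelMediumType'           # medium type: IEEE-802
		reply:Tunnel-Private-Group-ID := 'radiusTunnelPrivategroupId'  # VLAN id
	}
	user {
		base_dn = "${..base_dn}"
		filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
		sasl {
		}
	}
	group {
		base_dn = "${..base_dn}"
		filter = '(objectClass=posixGroup)'
		membership_attribute = 'memberOf'
	}
	profile {
	}
	client {
		base_dn = "${..base_dn}"
		filter = '(objectClass=radiusClient)'
		template {
		}
		attribute {
			ipaddr = 'radiusClientIdentifier'
			secret = 'radiusClientSecret'
		}
	}
	accounting {
		reference = "%{tolower:type.%{Acct-Status-Type}}"
		type {
			start {
				update {
					description := "Online at %S"
				}
			}
			interim-update {
				update {
					description := "Last seen at %S"
				}
			}
			stop {
				update {
					description := "Offline at %S"
				}
			}
		}
	}
	post-auth {
		update {
			description := "Authenticated at %S"
		}
	}
	options {
		chase_referrals = yes
		rebind = yes
		res_timeout = 10
		srv_timelimit = 3
		net_timeout = 1
		idle = 60
		probes = 3
		interval = 3
		ldap_debug = 0x0028
	}
	# NOTE(review): with tls {} empty and port 389, the bind password and the
	# userPassword values pulled in above cross the network unencrypted between
	# radiusd and the LDAP server; configure this section (or use LDAPS) outside a lab.
	tls {
	}
	pool {
		start = ${thread[pool].start_servers}
		min = ${thread[pool].min_spare_servers}
		max = ${thread[pool].max_servers}
		spare = ${thread[pool].max_spare_servers}
		uses = 0
		retry_delay = 30
		lifetime = 0
		idle_timeout = 60
	}
}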
3. 编辑 /etc/raddb/sites-available/site-ldap（vim /etc/raddb/sites-available/site-ldap）
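# file: /etc/raddb/sites-available/site-ldap
# Virtual server that authenticates every request against the ldap module.
server site_ldap {
	listen {
		ipaddr = 0.0.0.0    # listen on all interfaces
		port = 1833         # non-standard auth port; the clients must be pointed at it
		type = auth
	}
	authorize {
		update {
			control:Auth-Type := ldap    # force LDAP authentication for every request
		}
	}
	authenticate {
		Auth-Type ldap {
			ldap
		}
	}
	post-auth {
		Post-Auth-Type Reject {
		}
	}
}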
取消下面两个文件中 ldap 相关行的注释
vim /etc/raddb/sites-enabled/default
vim /etc/raddb/sites-enabled/inner-tunnel
750     ldap
...
526     Auth-Type LDAP {
527         ldap
528     }
将刚才编辑的 ldap 模块和 site_ldap 站点启用（建立软链接）
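# Enable the site_ldap virtual server and the ldap module by symlinking them
# into the *-enabled directories. These are two separate commands: run on one
# line they merge into a single ln invocation with four arguments and fail.
ln -s /etc/raddb/sites-available/site-ldap /etc/raddb/sites-enabled/
ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/ldap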
vim /etc/raddb/clients.conf
# Accepts RADIUS requests from any source address using one shared secret.
client all {
# NOTE(review): 0.0.0.0/0 makes every host that knows the secret a valid client;
# narrow this to the switch/NAS addresses where possible.
ipaddr = 0.0.0.0/0
secret = 123456 # the RADIUS shared secret must match what is configured on the switch (example value; use a long random secret)
# NOTE(review): left commented, the server default applies; setting it to "yes"
# makes radiusd require a Message-Authenticator attribute on requests from this client.
#require_message_authenticator = no
}
先用 radiusd -X 测试，确认没有问题后再按下面的命令启用服务
# Enable radiusd at boot, (re)start it now, then show its current state.
systemctl enable radiusd
systemctl restart radiusd
systemctl status radiusd