Tuesday, March 30, 2010

To implement FreeRADIUS for LDAPs

Setup procedure:
Steps 1 to 4 can be set up by following the article recommended last time. To get FreeRADIUS authenticating over LDAPS you only need step 5 on top of that; in practice it changes just a few parameters.
1. To establish LDAP Server
2. To establish FreeRADIUS
3. To configure FreeRADIUS for LDAP
4. To establish LDAPs (TLS)
5. To establish FreeRADIUS for LDAPs:
Edit the radiusd.conf from step 3 so that FreeRADIUS knows to talk to the LDAP server over TLS. Note that what is enabled here is StartTLS on the normal LDAP port (389), not an ldaps:// connection to port 636: rlm_ldap opens a plain connection and upgrades it to TLS before binding.
# vi /etc/radiusd.conf
........................
ldap {
        # set this to 'yes' to use TLS encrypted connections
        # to the LDAP database by using the StartTLS extended
        # operation.
        # The StartTLS operation is supposed to be used with normal
        # ldap connections instead of using ldaps (port 636) connections
        start_tls = yes
        # CA certificate used to verify the LDAP server's certificate
        tls_cacertfile = /etc/openldap/cacerts/client.pem
        #tls_cacertdir = /usr/local/etc/openldap/ssl/
        # tls_certfile = /path/to/radius.crt
        # tls_keyfile = /path/to/radius.key
        # tls_randfile = /path/to/rnd
        # "demand": refuse the connection if the server certificate cannot be verified
        tls_require_cert = "demand"

........................
}
Test:
Run radiusd -X on the server and verify from the client with radtest. This is the server-side log:
rad_recv: Access-Request packet from host x.x.x.x:32896, id=190, length=60
        User-Name = "ldapuser"
        User-Password = "123456"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "ldapuser", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 152
users: Matched entry DEFAULT at line 206
modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for ldapuser
radius_xlat: '(uid=ldapuser)'
radius_xlat: 'dc=example,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to x.x.x.x:389, authentication 0
rlm_ldap: setting TLS CACert File to /etc/openldap/cacerts/client.pem
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to demand
rlm_ldap: starting TLS
rlm_ldap: bind as / to x.x.x.x:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=example,dc=com, with filter (uid=ldapuser)
rlm_ldap: Added password {crypt}$1$/vvYrM2W$omOGg5A7NQVDxGcTb6afR1 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user ldapuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "ldapuser" with password "123456"
rlm_ldap: user DN: uid=ldapuser,ou=People,dc=example,dc=com
rlm_ldap: (re)connect to x.x.x.x:389, authentication 1
rlm_ldap: setting TLS CACert File to /etc/openldap/cacerts/client.pem
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to demand
rlm_ldap: starting TLS
rlm_ldap: bind as uid=ldapuser,ou=People,dc=example,dc=com/123456 to x.x.x.x:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user ldapuser authenticated succesfully
modcall[authenticate]: module "ldap" returns ok for request 0
modcall: leaving group LDAP (returns ok) for request 0
Sending Access-Accept of id 190 to x.x.x.x port 32896
Note: x.x.x.x stands for the LDAP server's FQDN or IP address.

Two things in this log deserve a second look before calling the setup done. First, on both connections the line "could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to demand" follows "setting TLS Require Cert to demand": TLS was started, but rlm_ldap failed to apply the certificate-verification setting to the connection, so whether the server certificate is actually checked against /etc/openldap/cacerts/client.pem depends on libldap's own default and on TLS_REQCERT in /etc/openldap/ldap.conf, not on this radiusd.conf setting. Do not take the Access-Accept as proof that verification works; the simple negative test is to point tls_cacertfile at a CA that did not sign the server certificate and confirm that the bind then fails. Connect by the FQDN the certificate was issued for rather than by IP address, since a correctly enforced "demand" also checks the server name. Second, radiusd -X prints the user's password in clear three times (the User-Password attribute, the "login attempt" line and the bind DN/password), and the authorize search binds anonymously ("bind as /") because no identity/password is configured; scrub debug output before pasting it into tickets or mailing lists.
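As an added check (example code written for this page, not part of the original post or of FreeRADIUS), the script below parses radiusd -X output of the kind shown above and reports what rlm_ldap actually did on the wire: whether StartTLS ran before each bind, whether the require-cert setting was refused, whether the authorize search bound anonymously, and which lines leak the password. The sample log is a constructed, abridged copy of the post's own output with the x.x.x.x placeholder kept; the regular expressions are tied to the rlm_ldap 1.x message format seen here.

```python
"""Audit `radiusd -X` output for what rlm_ldap actually did on the wire.

Added example, not code from the original post or from FreeRADIUS. It is a
plain log parser: the regexes match the rlm_ldap 1.x debug lines quoted in
the post, and SAMPLE_LOG is a constructed, abridged copy of that output
(host placeholder x.x.x.x kept as in the post).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: abridged from the post's own debug log.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host x.x.x.x:32896, id=190, length=60
        User-Name = "ldapuser"
        User-Password = "123456"
rlm_ldap: performing user authorization for ldapuser
rlm_ldap: (re)connect to x.x.x.x:389, authentication 0
rlm_ldap: setting TLS CACert File to /etc/openldap/cacerts/client.pem
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to demand
rlm_ldap: starting TLS
rlm_ldap: bind as / to x.x.x.x:389
rlm_ldap: Bind was successful
rlm_ldap: login attempt by "ldapuser" with password "123456"
rlm_ldap: (re)connect to x.x.x.x:389, authentication 1
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to demand
rlm_ldap: starting TLS
rlm_ldap: bind as uid=ldapuser,ou=People,dc=example,dc=com/123456 to x.x.x.x:389
rlm_ldap: Bind was successful
Sending Access-Accept of id 190 to x.x.x.x port 32896
"""

RE_CONNECT = re.compile(r"rlm_ldap: \(re\)connect to (\S+), authentication (\d)")
RE_BIND = re.compile(r"rlm_ldap: bind as (.*?) to (\S+)$")
RE_REQCERT_FAIL = re.compile(r"could not set LDAP_OPT_X_TLS_REQUIRE_CERT")
RE_PASSWORD = re.compile(r'User-Password = ".*"|with password ".*"')


@dataclass
class LdapConn:
    """One rlm_ldap connection: authentication 0 = authorize search, 1 = user bind."""
    target: str
    auth: int
    started_tls: bool = False
    require_cert_failed: bool = False
    bind_dn: str = ""      # "" means an anonymous bind
    password: str = ""     # non-empty when the bind line carried a cleartext password
    bind_ok: bool = False


@dataclass
class Audit:
    conns: List[LdapConn] = field(default_factory=list)
    password_lines: List[str] = field(default_factory=list)


def parse_debug_log(text: str) -> Audit:
    """Walk the debug output and record, per LDAP connection, whether StartTLS
    ran, whether tls_require_cert was applied, and how the bind was done."""
    audit = Audit()
    cur: Optional[LdapConn] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = RE_CONNECT.search(line)
        if m:
            cur = LdapConn(target=m.group(1), auth=int(m.group(2)))
            audit.conns.append(cur)
            continue
        if RE_PASSWORD.search(line):
            audit.password_lines.append(line)
        if cur is None:
            continue
        if line == "rlm_ldap: starting TLS":
            cur.started_tls = True
        elif RE_REQCERT_FAIL.search(line):
            cur.require_cert_failed = True
        elif line == "rlm_ldap: Bind was successful":
            cur.bind_ok = True
        else:
            m = RE_BIND.search(line)
            if m:
                # rlm_ldap 1.x prints "bind as DN/password to host"; a bare "/" is anonymous
                dn, _, pw = m.group(1).rpartition("/")
                cur.bind_dn, cur.password = dn, pw
                if pw:
                    audit.password_lines.append(line)
    return audit


def findings(audit: Audit) -> List[str]:
    """Turn a parsed run into findings; an empty list means nothing stood out."""
    out: List[str] = []
    for c in audit.conns:
        role = "authorize search" if c.auth == 0 else "user authentication"
        if c.bind_ok and not c.started_tls:
            out.append(f"{role} to {c.target}: bound without StartTLS (cleartext)")
        if c.require_cert_failed:
            out.append(f"{role} to {c.target}: tls_require_cert not applied; "
                       "the server certificate is not verified by this setting")
        if c.auth == 0 and c.bind_dn == "":
            out.append(f"{role} to {c.target}: anonymous bind (no identity/password set)")
    if audit.password_lines:
        out.append(f"{len(audit.password_lines)} line(s) contain cleartext passwords; "
                   "scrub radiusd -X output before sharing it")
    return out


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in findings(parse_debug_log(text)):
        print("-", f)
```

Run it with a saved copy of the real debug output as the first argument (`radiusd -X 2>&1 | tee run.log`, then `python3 audit.py run.log`); without an argument it audits the built-in sample, which reproduces the four findings discussed above. The parser deliberately keys on exact rlm_ldap messages rather than on the Access-Accept, because the accept says nothing about how the bind was transported.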

1 comment:

瘋狂帽客 said...

On SUSE, the way to enable ldaps is to edit /etc/sysconfig/openldap, set OPENLDAP_START_LDAPS="yes", and then restart ldap.

However, the FreeRADIUS on OpenSUSE 11.2 is version 2.x, and its configuration files differ quite a lot from the 1.x shipped with CentOS 5.x.

To enable LDAP authentication, on 1.x you edit /etc/radius/radiusd.conf; on 2.x you edit /etc/raddb/sites-available/default.

As for the LDAP authentication method itself, on 1.x you edit /etc/radius/radiusd.conf; on 2.x you edit /etc/raddb/modules/ldap.