One, Preparing to install LDAP
1.1、 Lab environment
System: CentOS 7
Openldap:2.4.44
Freeradius:3.0.13
Ldapadmin:1.8.3(win64)
Phpldapadmin:1.2.3
1.2、 System preparation
These steps are for the lab only; on a host that matters, keep firewalld and SELinux enabled and open just the LDAP (389/636) and RADIUS (1812/1813, and 1833 as used in section 6.2) ports instead.
Turn off the firewall:
systemctl stop firewalld.service && systemctl disable firewalld.service
Disable NetworkManager:
systemctl stop NetworkManager && systemctl disable NetworkManager
Disable SELinux (the shipped config says enforcing, so match any current value rather than only permissive):
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
reboot
Two, Install and do the basic configuration of LDAP
2.1、 Install OpenLDAP with yum
yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel
2.2、 Start service
systemctl start slapd
systemctl enable slapd
2.3、 Create the LDAP root password
The LDAP administrator (root) password is generated with the slappasswd command and is used throughout the installation.
[root@ldap ~]# slappasswd
New password:
Re-enter new password:
{SSHA}xAKjntY/5z3bK+ad3gZpxNHjPpR9uPzi
2.4、 Configure LDAP service
2.4.1、 View initial configuration file
/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif
CentOS 7 deploy OpenLDAP+FreeRadius
2.4.2、 Create a new configuration file
The db.ldif configuration file can be created in any directory. Here it is created in /opt/alex/. Each of the three changes below is a separate LDIF entry, so they must be separated by a blank line or ldapmodify will reject the file.
mkdir -pv /opt/alex
vim /opt/alex/db.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=alex,dc=localhost

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=alex,dc=localhost

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}xAKjntY/5z3bK+ad3gZpxNHjPpR9uPzi
Note: the fields to modify in this file are
olcSuffix: the domain (naming context) the directory stores
olcRootDN: the distinguished name of the root administrator, who manages everything under this node
olcRootPW: the administrator root password; fill in the hash generated in 2.3 here
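As an added example (my own code, not from the original post), a small Python helper that produces and verifies {SSHA} values in the layout slappasswd emits, so you can confirm the hash pasted into olcRootPW matches the password you typed, and that renders the db.ldif above with the blank lines LDIF requires. Function names and the sample password are assumptions.

```python
import base64
import hashlib
import os
from typing import Optional

def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return "{SSHA}" + base64(sha1(password + salt) + salt), the layout
    slappasswd produces by default (random 4-byte salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value such as
    olcRootPW, without needing the directory to be up."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]   # SHA-1 digest is 20 bytes; the rest is the salt
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest

def build_db_ldif(suffix: str, root_dn: str, root_pw_hash: str) -> str:
    """Render the three olcDatabase={2}hdb changes from section 2.4.2.
    Each change is its own LDIF entry, so entries are joined with a blank line;
    without it ldapmodify rejects the file."""
    changes = [("replace", "olcSuffix", suffix),
               ("replace", "olcRootDN", root_dn),
               ("add", "olcRootPW", root_pw_hash)]
    entries = []
    for op, attr, value in changes:
        entries.append("dn: olcDatabase={2}hdb,cn=config\n"
                       "changetype: modify\n"
                       f"{op}: {attr}\n"
                       f"{attr}: {value}\n")
    return "\n".join(entries)

if __name__ == "__main__":
    pw_hash = ssha_hash("change-me")   # constructed sample password, not the page's
    print(build_db_ldif("dc=alex,dc=localhost", "cn=Manager,dc=alex,dc=localhost", pw_hash))
```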
2.4.3、 Apply the new database configuration with ldapmodify
The ldapmodify command changes the running configuration directly; no restart is needed for it to take effect. For details, refer to the official ldapmodify documentation.
ldapmodify -Y EXTERNAL -H ldapi:/// -f /opt/alex/db.ldif
After successful execution, the three modified entries are printed, as shown below
2.4.4、 Create a new monitor file
This ACL lets the local root user (via the ldapi socket) and the Manager DN read the monitor database.
vim /opt/alex/monitor.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=alex,dc=localhost" read by * none
2.4.5、 Apply the new monitor configuration with ldapmodify
ldapmodify -Y EXTERNAL -H ldapi:/// -f /opt/alex/monitor.ldif
2.4.6、 Create the LDAP database
This creates the database that stores the directory data. The package ships an example DB_CONFIG; copy it into place and make the ldap user the owner of the data directory.
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap /var/lib/ldap/*
2.4.7、 Add schemas to the database
Schemas define the object classes and attributes the directory accepts, roughly what table definitions are to a relational database, with some differences. For details see https://ldap.com/understanding-ldap-schema/
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
2.4.8、 Create base.ldif with the entries under the managed domain
The four entries below are separate LDIF records and must be separated by blank lines.
vim /opt/alex/base.ldif
dn: dc=alex,dc=localhost
dc: alex
objectClass: top
objectClass: domain

dn: cn=Manager,dc=alex,dc=localhost
objectClass: organizationalRole
cn: Manager
description: LDAP Manager

dn: ou=People,dc=alex,dc=localhost
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=alex,dc=localhost
objectClass: organizationalUnit
ou: Group
2.4.9、 Load base.ldif
ldapadd -x -W -D "cn=Manager,dc=alex,dc=localhost" -f /opt/alex/base.ldif
Enter the password created in 2.3 when prompted
2.4.10、 Check the configuration
slaptest -u
Three, LDAP Admin
3.1、 Download the corresponding client version
Official website: http://www.ldapadmin.org/download/index.html
3.2、 Usage
3.2.1、 Log in
3.2.2、 Create user
3.2.3、 Set a password for the user
Four, phpldapadmin
4.1、 Install httpd
[root@ldap ~]# yum install -y httpd
[root@ldap ~]# mv /etc/httpd/conf.d/welcome.conf /etc/httpd/conf.d/welcome.conf_bak
[root@ldap ~]# cp /etc/httpd/conf/httpd.conf{,.bak}
[root@ldap ~]# vim /etc/httpd/conf/httpd.conf
Line 95: add ServerName www.alex.cn below it
Line 152: AllowOverride All
Line 165: DirectoryIndex index.html index.php index.cgi
Finally, append at the end of the file:
ServerTokens Prod
KeepAlive On
[root@ldap ~]# systemctl start httpd
[root@ldap ~]# systemctl enable httpd.service
4.2、 Install PHP
4.2.1、 Configure the Aliyun EPEL repository
wget -O /etc/yum.repos.d/epel7.repo https://mirrors.aliyun.com/repo/epel-7.repo
yum clean all && yum makecache
4.2.2、 Install and configure phpldapadmin
yum install php php-mbstring php-pear -y
systemctl restart httpd
yum --enablerepo=epel -y install phpldapadmin
vim /etc/phpldapadmin/config.php
Uncomment line 397 and comment out line 398
vim /etc/httpd/conf.d/phpldapadmin.conf
Line 12: add the network segment that is allowed to reach the interface
systemctl restart httpd
4.2.3、 Open the web interface
In a browser open http://192.168.236.30/ldapadmin/ (replace the address with the IP of the LDAP machine)
Note: the login DN is the olcRootDN value from 2.4.2, and the password is the root password created in 2.3
Five, Install and do the basic configuration of FreeRADIUS
5.1、 Install FreeRADIUS with yum
yum -y install freeradius freeradius-utils freeradius-ldap
5.2、 Start service
systemctl start radiusd
systemctl enable radiusd
5.3、 Test
5.3.1、 Modify the users file for the test, and comment it back out when the test is done
Edit /etc/raddb/users and uncomment the lines for the built-in test user (lines 73 to 81 of the shipped file):
sed -i '73,81s/^#//g' /etc/raddb/users
steve   Cleartext-Password := "testing"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 172.16.3.33,
        Framed-IP-Netmask = 255.255.255.0,
        Framed-Routing = Broadcast-Listen,
        Framed-Filter-Id = "std.ppp",
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobsen-TCP-IP
5.3.2、 Start FreeRADIUS in debug mode
Stop the service first
systemctl stop radiusd
Start it in the foreground with debugging on
radiusd -X
5.3.3、 Test FreeRADIUS
Open a new terminal, log in as root, and run the test command
radtest steve testing localhost 0 testing123
Note: radtest [user] [password] [server address] [NAS port] [shared secret]
"testing123" is the shared secret between FreeRADIUS and the NAS, defined in clients.conf
An Access-Accept packet in the output means success; Access-Reject means failure.
Note: after the test, comment the test user lines in /etc/raddb/users back out, then start the service again with systemctl start radiusd
Six, Connect OpenLDAP and FreeRADIUS
6.1、 Modify the /etc/raddb/mods-available/ldap file
The identity and password below are the olcRootDN credentials from 2.4.2 stored in clear text, and port 389 with an empty tls section sends that bind unencrypted; outside this lab, a dedicated read-only bind DN and TLS (the tls section, or ldaps) are the usual hardening.
ldap {
    server = '192.168.236.30'
    port = 389
    identity = 'cn=Manager,dc=alex,dc=localhost'
    password = 111111
    base_dn = 'dc=alex,dc=localhost'
    sasl {
    }
    update {
        control:Password-With-Header += 'userPassword'
        control: += 'radiusControlAttribute'
        request: += 'radiusRequestAttribute'
        reply: += 'radiusReplyAttribute'
    }
    user {
        base_dn = "${..base_dn}"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        sasl {
        }
    }
    group {
        base_dn = "${..base_dn}"
        filter = '(objectClass=posixGroup)'
        membership_attribute = 'memberOf'
    }
    profile {
    }
    client {
        base_dn = "${..base_dn}"
        filter = '(objectClass=radiusClient)'
        template {
        }
        attribute {
            ipaddr = 'radiusClientIdentifier'
            secret = 'radiusClientSecret'
        }
    }
    accounting {
        reference = "%{tolower:type.%{Acct-Status-Type}}"
        type {
            start {
                update {
                    description := "Online at %S"
                }
            }
            interim-update {
                update {
                    description := "Last seen at %S"
                }
            }
            stop {
                update {
                    description := "Offline at %S"
                }
            }
        }
    }
    post-auth {
        update {
            description := "Authenticated at %S"
        }
    }
    options {
        chase_referrals = yes
        rebind = yes
        res_timeout = 10
        srv_timelimit = 3
        net_timeout = 1
        idle = 60
        probes = 3
        interval = 3
        ldap_debug = 0x0028
    }
    tls {
    }
    pool {
        start = ${thread[pool].start_servers}
        min = ${thread[pool].min_spare_servers}
        max = ${thread[pool].max_servers}
        spare = ${thread[pool].max_spare_servers}
        uses = 0
        retry_delay = 30
        lifetime = 0
        idle_timeout = 60
    }
}
6.2、 Create the /etc/raddb/sites-available/site_ldap file
server site_ldap {
    listen {
        ipaddr = 0.0.0.0
        port = 1833
        type = auth
    }
    authorize {
        update {
            control:Auth-Type := ldap
        }
    }
    authenticate {
        Auth-Type ldap {
            ldap
        }
    }
    post-auth {
        Post-Auth-Type Reject {
        }
    }
}
6.3、 Enable the site and the module with symbolic links
ln -s /etc/raddb/sites-available/site_ldap /etc/raddb/sites-enabled/
ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/
6.4、 Restart and test
systemctl restart radiusd
Test authentication of the LDAP test user created in 3.2.2
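To exercise the whole chain (radtest in 5.3.3 and the site_ldap listener above) without the radtest binary, here is an added example, my own code and not from the post or from FreeRADIUS: a minimal client that builds an RFC 2865 Access-Request with PAP password hiding, sends it over UDP, and verifies the Response Authenticator before it believes an Access-Accept. The secret, user and port are the page's; function names are assumptions.

```python
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 User-Password hiding: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block); the first block is keyed by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(user: str, password: str, secret: str, nas_port: int,
                         ident: int = 0, authenticator: bytes = b"") -> tuple:
    """Return (packet, request_authenticator) carrying User-Name(1), User-Password(2), NAS-Port(5)."""
    auth = authenticator or os.urandom(16)     # fresh random authenticator per request
    hidden = pap_encrypt(password.encode(), secret.encode(), auth)
    attrs = (bytes([1, 2 + len(user)]) + user.encode()
             + bytes([2, 2 + len(hidden)]) + hidden
             + bytes([5, 6]) + struct.pack("!I", nas_port))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + auth + attrs, auth

def response_auth(header: bytes, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def parse_response(resp: bytes, request_auth: bytes, secret: str) -> str:
    """Discard replies that do not prove knowledge of the shared secret, then map the code."""
    code, _ident, length = struct.unpack("!BBH", resp[:4])
    if resp[4:20] != response_auth(resp[:4], request_auth, resp[20:length], secret.encode()):
        return "bad-authenticator"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(code, f"code-{code}")

def radtest(user: str, password: str, host: str, nas_port: int, secret: str,
            port: int = 1812, timeout: float = 3.0) -> str:
    """One UDP round trip; pass port=1833 to hit the site_ldap listener configured above."""
    pkt, auth = build_access_request(user, password, secret, nas_port, ident=os.urandom(1)[0])
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(pkt, (host, port))
        reply, _ = sock.recvfrom(4096)
    return parse_response(reply, auth, secret)
```

The page's test becomes radtest("steve", "testing", "127.0.0.1", 0, "testing123", port=1833); a user that exists in LDAP but has no userPassword, or a wrong shared secret, shows up as Access-Reject or bad-authenticator respectively.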
References:
https://www.cnblogs.com/xiaoshou/p/12337620.html (LDAP deployment)
https://blog.csdn.net/oLinBSoft/article/details/85775603 (FreeRADIUS installation and LDAP integration)