1. Preparation before installing LDAP
1.1 Lab environment
OS: CentOS 7
OpenLDAP: 2.4.44
FreeRADIUS: 3.0.13
LDAP Admin: 1.8.3 (win64)
phpLDAPadmin: 1.2.3
1.2 System preparation
The three steps below switch off every host-level control on the lab machine. That is acceptable for a throwaway test VM only: on any host reachable from an untrusted network keep firewalld running and open only the ports this setup actually listens on (389/tcp for slapd, 80/tcp for phpLDAPadmin, 1812/udp and the custom 1833/udp for RADIUS), and keep SELinux enforcing, since slapd and httpd both ship with working policies.
Stop the firewall:
systemctl stop firewalld.service && systemctl disable firewalld.service
Stop NetworkManager:
systemctl stop NetworkManager && systemctl disable NetworkManager
Disable SELinux. The original sed only matched SELINUX=permissive; a fresh CentOS 7 install has SELINUX=enforcing, so that pattern changed nothing and SELinux was still on after the reboot. Match whatever the current value is:
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
reboot
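As an added example (not part of the original tutorial), the script below is the alternative to disabling everything: it keeps firewalld and SELinux on and opens only what this lab listens on. It assumes the RADIUS virtual server from section 6 uses 1833/udp, that phpLDAPadmin is served over plain HTTP on 80/tcp, and that firewalld's built-in ldap, http and radius service definitions are present (they are on CentOS 7). With DRY_RUN=1, the default, the commands are printed instead of executed so the script can be reviewed on a machine without firewalld.

```shell
#!/bin/sh
# Added example: hardened lab preparation that keeps firewalld and SELinux on.
# Assumptions: site_ldap listens on 1833/udp, phpLDAPadmin on 80/tcp, and the
# firewalld services "ldap" (389/tcp), "http" (80/tcp) and "radius"
# (1812-1813/udp) exist. DRY_RUN=1 prints the commands instead of running them.

: "${DRY_RUN:=1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Open the listeners used by the tutorial. Each rule goes into the permanent
# configuration and is then reloaded, so it survives a reboot.
open_lab_ports() {
    radius_port=${1:-1833}
    run firewall-cmd --permanent --add-service=ldap     # 389/tcp, slapd
    run firewall-cmd --permanent --add-service=http     # 80/tcp, phpLDAPadmin
    run firewall-cmd --permanent --add-service=radius   # 1812-1813/udp, default site
    run firewall-cmd --permanent --add-port="${radius_port}/udp"  # site_ldap listener
    run firewall-cmd --reload
}

# Keep SELinux enforcing. The one boolean this stack needs is the one that
# lets httpd (phpLDAPadmin) open a client connection to slapd.
keep_selinux() {
    run setsebool -P httpd_can_connect_ldap on
    run getenforce
}

# Helper for review/testing: number of permanent firewall rules the function emits.
count_rules() {
    open_lab_ports "$1" | grep -c '^firewall-cmd --permanent'
}

open_lab_ports 1833
keep_selinux
```

Run it with DRY_RUN=0 as root once the printed commands look right; the reload at the end is what makes the permanent rules active.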
2. Installing and basic configuration of OpenLDAP
2.1 Install OpenLDAP with yum
yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel
2.2 Start the service
systemctl start slapd
systemctl enable slapd
2.3 Create the LDAP root password
Generate the directory administrator (rootdn) password hash with slappasswd. The {SSHA} hash it prints goes into olcRootPW in 2.4.2; the cleartext you typed is what you will enter at the -W prompts later. Never put the cleartext password into olcRootPW.
[root@ldap ~]# slappasswd
New password:
Re-enter new password:
{SSHA}xAKjntY/5z3bK+ad3gZpxNHjPpR9uPzi
2.4 Configure the LDAP service
2.4.1 Inspect the initial database configuration
/etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif
This file is maintained by slapd and should not be edited by hand; the changes below are made through ldapmodify instead.
2.4.2 Create the new configuration file
db.ldif can be created in any directory; here it is placed under /opt/alex/. It contains three modify records, and each record must be separated from the next by a blank line, which is how ldapmodify tells records apart.
mkdir -pv /opt/alex
vim /opt/alex/db.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=alex,dc=localhost

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=alex,dc=localhost

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}xAKjntY/5z3bK+ad3gZpxNHjPpR9uPzi
Ps: fields that must be changed
olcSuffix: the naming context (base DN) of the directory; everything created in 2.4.8 sits under it
olcRootDN: the DN of the directory administrator (rootdn). This identity bypasses every olcAccess rule of the database, so its password deserves the same care as root's
olcRootPW: the administrator password, as the {SSHA} hash generated in 2.3, never cleartext. The file uses add: because the stock CentOS 7 configuration carries no olcRootPW yet; olcRootPW is single-valued, so if you ever re-run the file use replace: instead, otherwise the third record fails
2.4.3 Apply the new database configuration with ldapmodify
ldapmodify changes the running configuration directly; the change takes effect without restarting slapd (see the ldapmodify(1) man page). The -Y EXTERNAL -H ldapi:/// form authenticates over the local Unix socket as the root user, which is why no password is asked for.
ldapmodify -Y EXTERNAL -H ldapi:/// -f /opt/alex/db.ldif
On success it prints the three modified entries, as shown in the figure below.
2.4.4 Create the monitor ACL file
vim /opt/alex/monitor.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=alex,dc=localhost" read by * none
The original line had stray spaces inside both DNs and left out the access level and the closing clause. The form above is the stock CentOS rule with only the Manager DN changed: local root (through ldapi) and the Manager may read cn=Monitor, and everyone else, including anonymous binds, is explicitly denied.
2.4.5 Apply the monitor configuration with ldapmodify
ldapmodify -Y EXTERNAL -H ldapi:/// -f /opt/alex/monitor.ldif
2.4.6 Create the LDAP database
This sets up the backend database that stores the directory data. The package ships an example DB_CONFIG; copy it into the database directory and make the ldap user the owner of everything in it, because slapd runs as that user.
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap /var/lib/ldap/*
2.4.7 Load the schemas
Schemas define the object classes and attributes the directory may hold, roughly the counterpart of table definitions in a relational database, with some differences; see https://ldap.com/understanding-ldap-schema/ for details. cosine and inetorgperson provide the usual person attributes; nis provides posixAccount and posixGroup, which the uid lookup and the group filter in section 6 rely on.
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
2.4.8 Create base.ldif with the top-level entries of the domain
vim /opt/alex/base.ldif
dn: dc=alex,dc=localhost
dc: alex
objectClass: top
objectClass: domain

dn: cn=Manager,dc=alex,dc=localhost
objectClass: organizationalRole
cn: Manager
description: LDAP Manager

dn: ou=People,dc=alex,dc=localhost
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=alex,dc=localhost
objectClass: organizationalUnit
ou: Group
2.4.9 Add the base entries
ldapadd -x -W -D "cn=Manager,dc=alex,dc=localhost" -f /opt/alex/base.ldif
Enter the cleartext password chosen in 2.3 at the prompt. -x is a simple bind over the unencrypted port 389; run it on the server itself as here, because from a remote client it would send the Manager password across the network in the clear.
2.4.10 Validate the configuration
slaptest -u
An exit status of 0 together with "config file testing succeeded" means the slapd.d tree is consistent.
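The two mistakes that most often make the ldapmodify step in 2.4.3 fail are the records of db.ldif running together without a blank-line separator (which is how the file appears when pasted from a web page) and a cleartext value in olcRootPW. The following script is an added example, not part of the original tutorial: it renders db.ldif for the suffix and Manager DN used in section 2 and lints an LDIF file for exactly those two problems before applying it. It uses replace: rather than add: for olcRootPW so that re-running is harmless; the hash is the one printed in 2.3, and the apply step assumes it runs on the server with access to ldapi:///.

```shell
#!/bin/sh
# Added example: render the db.ldif records of section 2.4.2 and lint an LDIF
# file before handing it to ldapmodify. Assumptions: suffix and Manager DN from
# section 2; the {SSHA} hash is the one shown in section 2.3.

# Render db.ldif for SUFFIX, ROOTDN and a hashed ROOTPW. Records are separated
# by a blank line, which ldapmodify requires. replace: is used for olcRootPW so
# the file can be applied more than once (replace adds the attribute if absent).
render_db_ldif() {
    suffix=$1; rootdn=$2; rootpw=$3
    printf 'dn: olcDatabase={2}hdb,cn=config\nchangetype: modify\nreplace: olcSuffix\nolcSuffix: %s\n\n' "$suffix"
    printf 'dn: olcDatabase={2}hdb,cn=config\nchangetype: modify\nreplace: olcRootDN\nolcRootDN: %s\n\n' "$rootdn"
    printf 'dn: olcDatabase={2}hdb,cn=config\nchangetype: modify\nreplace: olcRootPW\nolcRootPW: %s\n' "$rootpw"
}

# Number of records in an LDIF file: one "dn:" line per record.
ldif_record_count() {
    grep -c '^dn:' "$1"
}

# Succeeds only if every "dn:" line after the first is preceded by an empty
# line, i.e. no two records run together.
ldif_separators_ok() {
    awk 'NR > 1 && /^dn:/ && prev != "" { bad = 1 } { prev = $0 } END { exit bad }' "$1"
}

# Succeeds if every olcRootPW value has the {SCHEME} prefix slappasswd emits.
ldif_rootpw_hashed() {
    ! grep -E '^olcRootPW:' "$1" | grep -vqE '^olcRootPW: [{][A-Z0-9]+[}]'
}

# Run both checks; returns 0 only if the file is safe to apply.
lint_ldif() {
    f=$1
    if ! ldif_separators_ok "$f"; then echo "$f: records must be separated by a blank line"; return 1; fi
    if ! ldif_rootpw_hashed "$f"; then echo "$f: olcRootPW must be a slappasswd hash, not cleartext"; return 1; fi
    echo "$f: ok, $(ldif_record_count "$f") record(s)"
}

# Apply with the ldapi/EXTERNAL bind used throughout section 2, lint first.
apply_ldif() {
    lint_ldif "$1" && ldapmodify -Y EXTERNAL -H ldapi:/// -f "$1"
}

# Stand-alone demonstration: render to a temp file and lint it.
# On the server: render_db_ldif ... > /opt/alex/db.ldif && apply_ldif /opt/alex/db.ldif
tmp=${TMPDIR:-/tmp}/db.ldif.$$
render_db_ldif 'dc=alex,dc=localhost' 'cn=Manager,dc=alex,dc=localhost' \
    '{SSHA}xAKjntY/5z3bK+ad3gZpxNHjPpR9uPzi' > "$tmp"
lint_ldif "$tmp"
rm -f "$tmp"
```

The same lint works for monitor.ldif and base.ldif from 2.4.4 and 2.4.8; only the olcRootPW check is specific to db.ldif.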
3. LDAP Admin
3.1 Download the matching client version
Official site: http://www.ldapadmin.org/download/index.html
3.2 Usage
3.2.1 Log in
Connect with the Manager DN from 2.4.2 and the password from 2.3.
3.2.2 Create a user
3.2.3 Set the user's password
The user created here is the one used for the FreeRADIUS test in 6.4, so give it a uid and a password. Note that the server so far speaks plain LDAP on port 389 without TLS: the Manager credentials and any password set from this Windows client cross the network unencrypted, which is acceptable only on the isolated lab network.
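The GUI steps in 3.2.2 and 3.2.3 have a command-line equivalent, shown here as an added example that is not part of the original tutorial. It creates a posixAccount under ou=People and a matching posixGroup under ou=Group with ldapadd, and sets the password in a second step with ldappasswd, so the password never sits in a file and slapd hashes it server-side. The suffix and Manager DN are the tutorial's; the user name test and the numeric ids are invented for the example, and the apply functions assume they run on the LDAP server.

```shell
#!/bin/sh
# Added example: command-line user and group creation for sections 3.2.2/3.2.3.
# Assumptions: suffix and Manager DN from section 2; user "test" and the
# uid/gid numbers are invented; ldapadd/ldappasswd run on the server itself.

SUFFIX='dc=alex,dc=localhost'
MANAGER="cn=Manager,$SUFFIX"

# Render the LDIF for one user and its primary group. All attributes come from
# the inetorgperson and nis schemas loaded in section 2.4.7.
render_user_ldif() {
    uid=$1; uidnum=$2; gidnum=$3; cn=$4; sn=$5
    cat <<EOF
dn: uid=$uid,ou=People,$SUFFIX
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: $uid
cn: $cn
sn: $sn
uidNumber: $uidnum
gidNumber: $gidnum
homeDirectory: /home/$uid
loginShell: /bin/bash

dn: cn=$uid,ou=Group,$SUFFIX
objectClass: top
objectClass: posixGroup
cn: $uid
gidNumber: $gidnum
memberUid: $uid
EOF
}

# True if the LDIF carries no userPassword: the password is set separately so
# it is never written to disk or stored with whatever scheme a client chose.
ldif_has_no_password() {
    ! grep -q '^userPassword:' "$1"
}

# Apply on the server: simple bind as Manager, prompting for its password.
add_user() {
    f=$1
    ldif_has_no_password "$f" || { echo "refusing: userPassword present in $f"; return 1; }
    ldapadd -x -W -D "$MANAGER" -f "$f"
}

# Set (or reset) a user's password. -S prompts twice for the new password and
# slapd stores it with its configured hash (SSHA by default).
set_user_password() {
    ldappasswd -x -W -D "$MANAGER" -S "uid=$1,ou=People,$SUFFIX"
}

# Usage on the server:
#   render_user_ldif test 10001 10001 'Test User' User > /opt/alex/test.ldif
#   add_user /opt/alex/test.ldif
#   set_user_password test
#   ldapsearch -x -b "$SUFFIX" '(uid=test)'    # confirm the entry exists
render_user_ldif test 10001 10001 'Test User' User
```

The posixGroup entry is what the FreeRADIUS group filter (objectClass=posixGroup) in 6.1 matches on, and uid=test is what its user filter looks up.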
4. phpLDAPadmin
4.1 Install httpd
[root@ldap ~]# yum install -y httpd
[root@ldap ~]# mv /etc/httpd/conf.d/welcome.conf /etc/httpd/conf.d/welcome.conf_bak
[root@ldap ~]# cp /etc/httpd/conf/httpd.conf{,.bak}
[root@ldap ~]# vim /etc/httpd/conf/httpd.conf
Below line 95 add a line: ServerName www.alex.cn
Line 152: AllowOverride All
Line 165: DirectoryIndex index.html index.php index.cgi
Append at the end:
ServerTokens Prod
KeepAlive On
ServerTokens Prod stops Apache from advertising its version and module list in the Server header. Note that phpLDAPadmin is served over plain HTTP here, so the Manager DN and password are sent in clear text at every login; anywhere but a lab network it belongs behind HTTPS.
[root@ldap ~]# systemctl start httpd
[root@ldap ~]# systemctl enable httpd.service
4.2 Install PHP
4.2.1 Configure the Aliyun EPEL mirror
wget -O /etc/yum.repos.d/epel7.repo https://mirrors.aliyun.com/repo/epel-7.repo
yum clean all && yum makecache
4.2.2 Install and configure phpLDAPadmin
yum install php php-mbstring php-pear -y
systemctl restart httpd
yum --enablerepo=epel -y install phpldapadmin
vim /etc/phpldapadmin/config.php
Uncomment line 397 and comment out line 398, so that the login form takes a full DN rather than a uid
vim /etc/httpd/conf.d/phpldapadmin.conf
Line 12: add the address range that may reach the interface (a Require ip entry). Keep it as narrow as possible; this line is the only thing between the network and the Manager login page.
systemctl restart httpd
4.2.3 Open the web interface
Browse to http://192.168.236.30/ldapadmin/ (replace with the IP of the LDAP host)
Ps: the login DN is the olcRootDN value from 2.4.2 and the password is the root password created in 2.3
5. Installing and basic configuration of FreeRADIUS
5.1 Install FreeRADIUS with yum
yum -y install freeradius freeradius-utils freeradius-ldap
5.2 Start the service
systemctl start radiusd
systemctl enable radiusd
5.3 Test
5.3.1 Enable the test user in the users file (disable it again after testing)
Edit /etc/raddb/users and uncomment the example test-user block
sed -i '73,81s/^#//g' /etc/raddb/users
The uncommented entry reads as follows. The reply items on the continuation lines must stay indented: the users file uses leading whitespace to mark them as belonging to the entry above.
steve   Cleartext-Password := "testing"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 172.16.3.33,
        Framed-IP-Netmask = 255.255.255.0,
        Framed-Routing = Broadcast-Listen,
        Framed-Filter-Id = "std.ppp",
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobsen-TCP-IP
5.3.2 Start FreeRADIUS in debug mode
Stop the service first
systemctl stop radiusd
Start in debug mode (foreground, with a full trace of every request)
radiusd -X
5.3.3 Test FreeRADIUS
Open a second terminal as root and run the test command
radtest steve testing localhost 0 testing123
Ps: radtest [username] [password] [server address] [NAS port] [shared secret]
"testing123" is the shared secret between FreeRADIUS and the NAS; it is the default for the localhost client in /etc/raddb/clients.conf. Since it is public knowledge, change it, and add a separate entry with its own secret for every real NAS, before anything other than the local host is allowed to reach the server.
An "Access-Accept" packet in the output means success, "Access-Reject" means failure.
Note: after testing, comment the test user block in /etc/raddb/users out again, stop the debug instance with Ctrl-C, and start the service with systemctl start radiusd
6. Connecting OpenLDAP and FreeRADIUS
6.1 Edit /etc/raddb/mods-available/ldap
Two things to keep in mind about the module as configured below. First, it binds as the Manager (rootDN) with the password in clear text. The Manager bypasses every ACL in the directory, so the file must stay readable only by root and the radiusd group, as the package installs it, and a dedicated read-only bind account is preferable to the rootDN. Second, port 389 with an empty tls section means every bind, including the per-user binds done by Auth-Type ldap in 6.2, travels unencrypted between FreeRADIUS and slapd; that is tolerable here only because both run on the same host. The password value must be the cleartext chosen in 2.3.
ldap {
    server = '192.168.236.30'
    port = 389
    identity = 'cn=Manager,dc=alex,dc=localhost'
    password = 111111
    base_dn = 'dc=alex,dc=localhost'
    sasl {
    }
    update {
        control:Password-With-Header += 'userPassword'
        control: += 'radiusControlAttribute'
        request: += 'radiusRequestAttribute'
        reply: += 'radiusReplyAttribute'
    }
    user {
        base_dn = "${..base_dn}"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        sasl {
        }
    }
    group {
        base_dn = "${..base_dn}"
        filter = '(objectClass=posixGroup)'
        membership_attribute = 'memberOf'
    }
    profile {
    }
    client {
        base_dn = "${..base_dn}"
        filter = '(objectClass=radiusClient)'
        template {
        }
        attribute {
            ipaddr = 'radiusClientIdentifier'
            secret = 'radiusClientSecret'
        }
    }
    accounting {
        reference = "%{tolower:type.%{Acct-Status-Type}}"
        type {
            start {
                update {
                    description := "Online at %S"
                }
            }
            interim-update {
                update {
                    description := "Last seen at %S"
                }
            }
            stop {
                update {
                    description := "Offline at %S"
                }
            }
        }
    }
    post-auth {
        update {
            description := "Authenticated at %S"
        }
    }
    options {
        chase_referrals = yes
        rebind = yes
        res_timeout = 10
        srv_timelimit = 3
        net_timeout = 1
        idle = 60
        probes = 3
        interval = 3
        ldap_debug = 0x0028
    }
    tls {
    }
    pool {
        start = ${thread[pool].start_servers}
        min = ${thread[pool].min_spare_servers}
        max = ${thread[pool].max_servers}
        spare = ${thread[pool].max_spare_servers}
        uses = 0
        retry_delay = 30
        lifetime = 0
        idle_timeout = 60
    }
}
6.2 Create /etc/raddb/sites-available/site_ldap
This virtual server listens on its own UDP port (1833, not the standard 1812 used by the default site) and forces Auth-Type ldap for every request, so FreeRADIUS authenticates by binding to the directory as the user with the User-Password from the request. That works only for PAP, where the Access-Request carries the password in cleartext; CHAP or MS-CHAP requests are rejected by this server. A NAS that should use it must be pointed at port 1833 and must have an entry in clients.conf.
server site_ldap {
    listen {
        ipaddr = 0.0.0.0
        port = 1833
        type = auth
    }
    authorize {
        update {
            control:Auth-Type := ldap
        }
    }
    authenticate {
        Auth-Type ldap {
            ldap
        }
    }
    post-auth {
        Post-Auth-Type Reject {
        }
    }
}
6.3 Enable the site and the module with symlinks
ln -s /etc/raddb/sites-available/site_ldap /etc/raddb/sites-enabled/
ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/
6.4 Restart and test
systemctl restart radiusd
Test with the LDAP test user created in 3.2.2: run radtest against port 1833 with the user's uid, its password and the localhost shared secret. Running radiusd -X as in 5.3.2 instead of the service shows the LDAP bind and any error in full.
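As an added example (not part of the original tutorial), the harness below scripts the radtest checks of 5.3.3 and 6.4. radtest prints the reply packet it receives; the functions turn that output into a one-word verdict and an exit status, treating anything that is not an explicit Access-Accept, including a timeout, as failure. The sample outputs are constructed to mirror the shape of radtest output rather than captured from a server; the port, secret and user names are the tutorial's.

```shell
#!/bin/sh
# Added example: scripted radtest verdicts for sections 5.3.3 and 6.4.
# Assumptions: site_ldap listens on 1833/udp, the default site on 1812/udp,
# and the localhost secret is the shipped testing123 (to be changed).

# Read radtest output on stdin, print accept / reject / noreply and return
# 0 only for accept. Matching on the packet code rather than the full line
# keeps it working across the 2.x and 3.x output formats.
classify_radius_reply() {
    out=$(cat)
    case "$out" in
        *Access-Accept*) echo accept;  return 0 ;;
        *Access-Reject*) echo reject;  return 1 ;;
        *)               echo noreply; return 2 ;;
    esac
}

# radius_login USER PASSWORD [PORT] [SECRET]: run radtest against localhost
# and classify the result. Not executed here; needs a running radiusd.
radius_login() {
    user=$1; pass=$2; port=${3:-1833}; secret=${4:-testing123}
    radtest "$user" "$pass" "localhost:$port" 0 "$secret" 2>&1 | classify_radius_reply
}

# Constructed sample outputs (shape of radtest output, not real captures).
ACCEPT_SAMPLE='Sent Access-Request Id 42 from 0.0.0.0:43210 to 127.0.0.1:1833 length 77
    User-Name = "test"
    User-Password = "********"
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 0
Received Access-Accept Id 42 from 127.0.0.1:1833 to 127.0.0.1:43210 length 20'

REJECT_SAMPLE='Sent Access-Request Id 43 from 0.0.0.0:43211 to 127.0.0.1:1833 length 77
Received Access-Reject Id 43 from 127.0.0.1:1833 to 127.0.0.1:43211 length 20'

NOREPLY_SAMPLE='Sent Access-Request Id 44 from 0.0.0.0:43212 to 127.0.0.1:1833 length 77
(0) No reply from server for ID 44 socket 3'

# Usage against a live server:
#   radius_login steve testing 1812          # section 5.3.3, default site
#   radius_login test 'the-ldap-password'    # section 6.4, site_ldap on 1833
printf '%s\n' "$ACCEPT_SAMPLE" | classify_radius_reply
```

A noreply verdict on port 1833 usually means the site_ldap symlink from 6.3 is missing or the port is blocked, while a reject with a correct password points at the LDAP bind (check radiusd -X for the ldap module's error).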
References:
https://www.cnblogs.com/xiaoshou/p/12337620.html (LDAP deployment)
https://blog.csdn.net/oLinBSoft/article/details/85775603 (FreeRADIUS installation and LDAP integration)