freeRADIUS + openLDAP Installation and Configuration
Note: this article only records my own process of learning freeRADIUS. I have only just started learning this material, and most of it was found in other people's blog posts online. I read so many of them that I honestly cannot tell whose blog I learned what from, so I do not know whom to cite first and have simply left the references out. I hope readers will forgive this.
################## INSTALL openLDAP#########################
For the parameters below I use abbreviations; <openssl> stands for the full name of the corresponding version.
1. install openssl
#tar xzvf <openssl.tar>
#cd <openssl>
#./config shared zlib
#make
#make test
#make install
First disable the original openssl
#mv /usr/bin/openssl /usr/bin/openssl.OFF
#mv /usr/include/openssl /usr/include/openssl.OFF
Make the newly installed openssl take effect
#ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
#ln -s /usr/local/ssl/include/openssl /usr/include/openssl
Set up the library search path
# echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
#ldconfig -v
2. install SASL
#tar xzvf <>
#cd <>
#./configure --prefix=/usr/local/sasl2 --enable-login --with-openssl=/usr/local/ssl
#make ; make install
#echo "/usr/local/sasl2/lib" >> /etc/ld.so.conf
#echo "/usr/local/sasl2/lib/sasl2" >> /etc/ld.so.conf
#ldconfig -v
#rm -rf /usr/lib/libsasl*
#ln -s /usr/local/sasl2/lib/* /usr/lib
This directory must be created; saslauthd needs it at runtime
#mkdir -pv /var/state/saslauthd
#saslauthd -a shadow
#testsaslauthd -u root -p rootPWD
Verify against your local account
<should see OK SUCCESS>
3. install BerkeleyDB <4.6>
#tar <>
#cd db<>/build_unix
#../dist/configure --prefix=/usr/local/BerkeleyDB
#make&&make install
libtool is needed when building openLDAP with its modular features (--enable-modules)
* install libtool
First install the libtool *.rpm from the CD;
#cd /usr/share/libtool/libltdl
#./configure
#make && make install
4. install openLDAP
#tar <>
#cd <>
# env CPPFLAGS="-I/usr/local/BerkeleyDB/include -I/usr/local/sasl2/include" \
  LDFLAGS="-L/usr/local/BerkeleyDB/lib -L/usr/local/sasl2/lib -L/usr/local/sasl2/lib/sasl2" \
  ./configure --prefix=/usr/local/openldap --sysconfdir=/etc/openldap --enable-passwd --disable-ipv6 \
  --enable-spasswd --enable-crypt --enable-modules --enable-accesslog=yes --enable-ldap=mod \
  --enable-meta=mod --enable-rewrite=yes --with-proxycache=yes --enable-rwm=yes --enable-dynamic
#make depend
#make
#make test
#make install
Note: during make test I kept running into one problem, something like "second site1 not backend to the central master", but it did not affect later use; perhaps I simply have not used that feature yet. If anyone knows the cause, please tell me.
######################################install freeRADIUS#############################
This installation is straightforward, so I will not describe it.
################## configure for openLDAP + freeRADIUS #################
# cp /usr/local/share/doc/freeradius/examples/openldap.schema /etc/openldap/openldap/schema/radius.schema
#gedit /etc/openldap/openldap/slapd.conf
The following lines include a number of schema files; my understanding is that these are the files that define the data structures.
include /etc/openldap/openldap/schema/core.schema
include /etc/openldap/openldap/schema/cosine.schema
include /etc/openldap/openldap/schema/ppolicy.schema
include /etc/openldap/openldap/schema/misc.schema
include /etc/openldap/openldap/schema/corba.schema
include /etc/openldap/openldap/schema/collective.schema
include /etc/openldap/openldap/schema/radius.schema
Define the database
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/openldap/var/openldap-data
# Indices to maintain
index objectClass eq
index uid eq
2. add entries
Start slapd
#/usr/local/openldap/libexec/slapd
addentry.ldif
-------------------------------------
dn: dc=example,dc=com
objectclass: dcObject
objectclass: organization
o: example_O
dc: example

dn: cn=Manager,dc=example,dc=com
objectclass: organizationalRole
cn: Manager
--------------------------------------
#ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f addentry.ldif
Users
adduser.ldif
-------------------------------------
dn: uid=test,dc=example,dc=com
objectclass: account
objectclass: simpleSecurityObject
objectclass: radiusprofile
uid: test
userPassword: test
cn: test

dn: uid=hello,dc=example,dc=com
objectclass: account
objectclass: simpleSecurityObject
objectclass: radiusprofile
uid: hello
userPassword: hello
cn: hello
-------------------------------------
#ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f adduser.ldif
#ldapsearch -x -b "dc=example,dc=com" '(objectclass=*)'
#################################configure freeRadius ###########################
#gedit /usr/local/etc/raddb/modules/ldap
ldap {
server = "127.0.0.1"
identity = "cn=Manager,dc=example,dc=com"
password = secret
basedn = "dc=example,dc=com"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
password_attribute = userPassword
}
# gedit /usr/local/etc/raddb/sites-enabled/default
authorize {
# insert this item
ldap
}
authenticate {
# insert this item
Auth-Type LDAP {
ldap
}
}
#gedit /usr/local/etc/raddb/clients.conf
#insert the item
client 192.168.0.0/24 {
secret = testing123-1
shortname = private-network-1
}
#gedit /usr/local/etc/raddb/proxy.conf
insert the following
realm NULL {
type = radius
authhost = LOCAL
accthost = LOCAL
nostrip
}
realm example.com {
type = radius
authhost = LOCAL
accthost = LOCAL
}
#radiusd -X
#radtest hello hello localhost 0 testing123
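radtest sends a RADIUS Access-Request carrying a PAP password to the server. The script below is an added example, not code from the original post or from the freeRADIUS project: it builds such a packet offline the way RFC 2865 section 5.2 specifies (the password is padded to 16-octet blocks and XORed with MD5(shared secret + Request Authenticator), chained block by block), then parses the packet and reverses the obfuscation, which is what radiusd does on receipt. It makes the role of the client secret in clients.conf concrete: the obfuscation is keyed only by that secret, so whoever holds it can read PAP passwords from a captured request, and a guessable secret such as testing123 is only acceptable for the loopback test shown above. The username, password, secret and NAS values are those from the page's radtest command; the all-zero Request Authenticator in the check is constructed so the result is deterministic.

```python
import hashlib
import os
import struct
from typing import Dict, Optional

# RFC 2865 code and attribute types used by a PAP Access-Request
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT = 5


def encrypt_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-octet blocks and XOR each block with
    MD5(secret + previous ciphertext block); the first block uses the
    Request Authenticator in place of a previous block."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16  # an empty password still occupies one block
    out = b""
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def decrypt_user_password(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse of encrypt_user_password, as performed by the server; trailing
    NUL padding is stripped."""
    out = b""
    prev = authenticator
    for i in range(0, len(cipher), 16):
        block = cipher[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(username: str, password: str, secret: str,
                         identifier: int = 0,
                         authenticator: Optional[bytes] = None,
                         nas_ip: str = "127.0.0.1", nas_port: int = 0) -> bytes:
    """Code(1) Identifier(1) Length(2) Request Authenticator(16) Attributes..."""
    ra = authenticator if authenticator is not None else os.urandom(16)
    if len(ra) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    attrs = (
        attribute(ATTR_USER_NAME, username.encode("utf-8"))
        + attribute(ATTR_USER_PASSWORD,
                    encrypt_user_password(password.encode("utf-8"), secret.encode("utf-8"), ra))
        + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
        + attribute(ATTR_NAS_PORT, struct.pack("!I", nas_port))
    )
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + ra + attrs


def parse_attributes(packet: bytes) -> Dict[int, bytes]:
    """Walk the TLVs after the 20-octet header, rejecting lengths that would
    loop forever or run past the packet."""
    length = int.from_bytes(packet[2:4], "big")
    if length < 20 or length != len(packet):
        raise ValueError("packet Length field does not match the packet")
    attrs: Dict[int, bytes] = {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def decode_user_password(packet: bytes, secret: str) -> bytes:
    """Server-side view: recover the PAP password from a request with the shared secret."""
    attrs = parse_attributes(packet)
    return decrypt_user_password(attrs[ATTR_USER_PASSWORD], secret.encode("utf-8"), packet[4:20])


if __name__ == "__main__":
    # Same values as the page's "radtest hello hello localhost 0 testing123"
    pkt = build_access_request("hello", "hello", "testing123", identifier=1)
    print(pkt.hex())
    print(decode_user_password(pkt, "testing123"))
```

Only the User-Password attribute is obfuscated; User-Name, NAS-IP-Address and NAS-Port travel in the clear, which is why the page's proxy.conf realm handling operates on the plain User-Name.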