Radius+OpenLdap+USG防火墙认证

1.1、安装OpenLdap

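# Host directories for the directory database and the slapd config; both are
# bind-mounted into the container below
mkdir -p /data/ldap/{data,conf}

# The admin password is read from an env file instead of being passed with
# --env: anything on the docker run command line shows up in process
# listings and shell history. Create /data/ldap/ldap.env (outside the two
# bind-mounted directories) with one line, then restrict it to root:
#   LDAP_ADMIN_PASSWORD=<admin-password>      (constructed example)
chmod 600 /data/ldap/ldap.env

# LDAP_TLS_VERIFY_CLIENT="never": client certificates are not checked.
# LDAP_ORGANISATTON is kept as the guide spells it — NOTE(review): the
# osixia-style images spell this LDAP_ORGANISATION; confirm which name this
# image reads, otherwise the organisation value is silently ignored.
# Ports 389/636 are published on every host interface; prefix them with the
# host address (e.g. -p 10.30.1.4:389:389) if only the RADIUS and admin
# hosts need to reach the directory.
docker run -p 389:389 -p 636:636 \
  --name ldap \
  --env LDAP_TLS_VERIFY_CLIENT="never" \
  --env LDAP_ORGANISATTON="xxxx" \
  --env LDAP_DOMAIN="xxxx.com" \
  --env-file /data/ldap/ldap.env \
  -v /data/ldap/data:/var/lib/ldap \
  -v /data/ldap/conf:/etc/ldap/slapd.d \
  --detach docker.e6gpshk.com:8443/yunwei/e6yun-openldap:v1.2.5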

参数说明

  • LDAP_TLS_VERIFY_CLIENT:是否校验客户端 TLS 证书(never 表示不校验)
  • LDAP_ORGANISATTON:配置LDAP组织者
  • LDAP_DOMAIN:配置LDAP域
  • LDAP_ADMIN_PASSWORD:配置LDAP密码
  • 默认登录用户名:admin

1.2、安装可视化操作界面

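# Web UI for the directory. It runs as an ordinary container: phpLDAPadmin
# is a plain PHP web application and needs no host or device access, so
# --privileged (which would give the container access to host devices and
# disable most of its isolation) is omitted. Re-add it only if the image's
# own documentation requires it. The original also passed -d and --detach
# together; one is enough.
# PHPLDAPADMIN_HTTPS=false serves the admin login over plain HTTP on :18004;
# keep that port reachable only from trusted networks or place a TLS
# reverse proxy in front of it.
docker run --detach \
  -p 18004:80 \
  --name phpldapadmin \
  --env PHPLDAPADMIN_HTTPS=false \
  --env PHPLDAPADMIN_LDAP_HOSTS=10.30.1.4 \
  docker.e6gpshk.com:8443/yunwei/e6yun-openldap-web:v1.2.5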

参数说明

  • PHPLDAPADMIN_HTTPS:是否使用https
  • PHPLDAPADMIN_LDAP_HOSTS:填写 LDAP 服务器的主机地址

2.1、安装radius

将下面yml保存至radius.yml文件

# docker-compose definition for the FreeRADIUS server.
# NOTE(review): no volume is mounted for /etc/raddb, so the configuration
# copied into the container later with `docker cp` lives only in the
# container's writable layer. It survives `docker restart` but is lost when
# the container is recreated (e.g. `docker-compose up` after an image change).
# The ports are published on every host interface; use the
# `HOSTIP:port:port/udp` form to restrict them to one address.
version: "3"
services:
  radius:
    image: freeradius/freeradius-server:3.2.0-alpine
    container_name: radius
    restart: always
    ports:
      - '1812:1812/udp'   # RADIUS authentication (standard port)
      - '1813:1813/udp'   # RADIUS accounting (standard port)
      - '1833:1833/udp'   # extra auth listener of the site_ldap virtual server defined below
# Start the radius container from the compose file saved above
docker-compose -f ./radius.yml up -d

2.2、配置ldap

# Copy the ldap module config out of the container so it can be edited locally
docker cp radius:/etc/raddb/mods-available/ldap ./

将配置修改为如下配置

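ldap {
	# Directory server the RADIUS service queries and binds to. Port 389 is
	# plain LDAP: the bind password below and each user's bind credentials
	# cross the network unencrypted unless a tls { } sub-section (StartTLS)
	# is added or LDAPS on 636 (also published by the ldap container) is used.
	server = 'ldap.e6gpshk.com'
	port = 389

	# Account used for the searches and for the attribute writes in the
	# accounting / post-auth sections below. This is the directory admin; a
	# dedicated service account with read access to ou=People/ou=Group and
	# write access only to the attribute written below (description) is the
	# least-privilege alternative. Keep this file out of world-readable copies.
	identity = 'cn=admin,dc=xxxx,dc=com'
	password = xxxx
	base_dn = 'ou=People,dc=xxxx,dc=com'
	sasl {
	}
	update {
		# The stored userPassword (with its {scheme} header) is copied into
		# the control list so the password-checking module can verify it;
		# the remaining mappings are the stock attribute names.
		control:Password-With-Header	+= 'userPassword'
		control:			+= 'radiusControlAttribute'
		request:			+= 'radiusRequestAttribute'
		reply:				+= 'radiusReplyAttribute'
	}
	user_dn = "LDAP-UserDn"
	user {
		base_dn = "${..base_dn}"
		# Who may authenticate: inetOrgPerson entries under base_dn whose cn
		# matches the (stripped) login name and who are members of the wifi
		# group. The group DN must use the same directory suffix as base_dn;
		# the original wrote dc=e6yun here while base_dn used dc=xxxx, so the
		# two placeholders disagreed. (!(gidNumber=503)) excludes one primary
		# group — NOTE(review): its meaning (disabled/service accounts?) is
		# not documented; confirm against the directory.
		filter = "(&(objectClass=inetOrgPerson)(memberOf=cn=wifi,ou=Group,dc=xxxx,dc=com)(!(gidNumber=503))(cn=%{%{Stripped-User-Name}:-%{User-Name}}))"
		sasl {
		}
	}
	group {
		base_dn = "${..base_dn}"
		filter = '(objectClass=posixGroup)'
		membership_attribute = 'memberOf'
	}
	profile {
	}
	# Client definitions stored in LDAP (objectClass radiusClient). This guide
	# lists its clients in clients.conf instead, so this section is presumably
	# unused unless loading clients from LDAP is switched on.
	client {
		base_dn = "${..base_dn}"
		filter = '(objectClass=radiusClient)'
		template {
		}
		attribute {
			ipaddr				= 'radiusClientIdentifier'
			secret				= 'radiusClientSecret'
		}
	}
	# Each accounting packet rewrites the user's description attribute with a
	# timestamp (%S); this is why the bind account needs write access to it.
	accounting {
		reference = "%{tolower:type.%{Acct-Status-Type}}"
		type {
			start {
				update {
					description := "Online at %S"
				}
			}
			interim-update {
				update {
					description := "Last seen at %S"
				}
			}
			stop {
				update {
					description := "Offline at %S"
				}
			}
		}
	}
	post-auth {
		update {
			description := "Authenticated at %S"
		}
	}
	# The closing brace of the ldap { } block was missing in the original;
	# without it the module file does not parse.
}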

# Copy the edited module config back into the container
docker cp ./ldap  radius:/etc/raddb/mods-available/ldap
# Create the site_ldap virtual-server file (contents below). The same name,
# with an underscore, must be used when the file is copied into the container
vim site_ldap
# Dedicated virtual server for the firewall: every request on this listener
# is authenticated against LDAP and nothing else.
server site_ldap { 
    # Auth-only listener on UDP 1833, bound to all container interfaces
    # (the compose file publishes this port on the host)
    listen { 
         ipaddr = 0.0.0.0
         port = 1833
         type = auth
    } 
    # Force Auth-Type ldap for every request. NOTE(review): the ldap module
    # itself is not called here, so the attribute mappings from its
    # update { } section are presumably not applied in this stage — confirm
    # with a debug run if reply/control attributes from LDAP are expected.
    authorize {
         update {
             control:Auth-Type := ldap
         }
    }
    # rlm_ldap performs the authentication (in stock FreeRADIUS this is an
    # LDAP bind as the user being authenticated)
    authenticate {
        Auth-Type ldap {
            ldap
        }
    }
   
    # Empty Reject sub-section: rejected requests get no extra processing
    post-auth {
        Post-Auth-Type Reject {
        }
    }
}
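# Copy the site definition into the container as sites-available/ldap.
# The file was created above as ./site_ldap (underscore); the original
# command used ./site-ldab-style "./site-ldap", which does not exist, so
# docker cp failed and the site was never installed.
docker cp ./site_ldap radius:/etc/raddb/sites-available/ldap
# Pull /etc/raddb/clients.conf out of the container to edit it locally
docker cp radius:/etc/raddb/clients.conf ./clients.conf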
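client localhost {
        # Address range the RADIUS server accepts requests from (this is the
        # line to edit). The original used 0.0.0.0/0, which lets any host that
        # learns the shared secret talk to this server; list the USG
        # firewall's address instead (placeholder below, in the same style as
        # the rest of this guide).
        ipaddr = xxxx/32
        proto = *

        # Shared secret with the firewall. Use a long random value; the value
        # here is a placeholder, not a recommendation.
        secret = qqqqqqqq

        # "no" accepts Access-Requests that carry no Message-Authenticator,
        # so their integrity is not verified. Switch to "yes" once the
        # firewall is confirmed to send the attribute.
        require_message_authenticator = no

        # NOTE(review): the limit { } settings are believed to concern TCP
        # connections only — confirm in the stock clients.conf.
        limit {
                max_connections = 16
                lifetime = 0
                idle_timeout = 30
        }
}

# Default IPv6 loopback client shipped with FreeRADIUS. Its secret is the
# stock default; change it, or drop the client if nothing on ::1 needs it.
client localhost_ipv6 {
        ipv6addr        = ::1
        secret          = testing123
}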
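# Copy the edited client list back into the container
docker cp ./clients.conf radius:/etc/raddb/clients.conf
# Enable the ldap module and the ldap virtual server by symlinking them into
# the *-enabled directories. These paths live inside the container, so the
# links must be created with `docker exec`; run on the host as the original
# did, ln would at best create dangling links under the host's /etc/raddb and
# the container would keep running without the ldap module.
docker exec radius ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/
docker exec radius ln -s /etc/raddb/sites-available/ldap /etc/raddb/sites-enabled/
# Check the configuration before restarting so a typo does not take the
# server down (radiusd -C parses the config and exits)
docker exec radius radiusd -C
# Restart to load the new module and site
docker restart radius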

# 到这里已经配置好了

接下来配置防火墙radius服务器,使用openldap导入用户
