Radius+OpenLdap+USG防火墙认证
1.1、安装OpenLdap
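# Create the host directories that hold the LDAP database and the slapd config.
mkdir -p /data/ldap/{data,conf}
# Start OpenLDAP. 389 (plain LDAP) and 636 (LDAPS) are published on every host
# interface; bind them to a trusted address (e.g. -p 127.0.0.1:389:389) or
# firewall them if the host is reachable from untrusted networks.
# LDAP_TLS_VERIFY_CLIENT=never: the server does not verify client TLS
#   certificates (it does not disable TLS itself).
# LDAP_ORGANISATION: the original step spelled this LDAP_ORGANISATTON; the
#   osixia/openldap image, which uses the same variable set and paths, spells it
#   LDAP_ORGANISATION — confirm against this image's documentation.
# LDAP_ADMIN_PASSWORD on the command line ends up in shell history and is
#   visible in `ps`; prefer --env-file with a mode-600 file.
docker run -p 389:389 -p 636:636 \
  --name ldap \
  --env LDAP_TLS_VERIFY_CLIENT="never" \
  --env LDAP_ORGANISATION="xxxx" \
  --env LDAP_DOMAIN="xxxx.com" \
  --env LDAP_ADMIN_PASSWORD="xxxx" \
  -v /data/ldap/data:/var/lib/ldap \
  -v /data/ldap/conf:/etc/ldap/slapd.d \
  --detach docker.e6gpshk.com:8443/yunwei/e6yun-openldap:v1.2.5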
参数说明
- LDAP_TLS_VERIFY_CLIENT：服务端是否校验客户端的 TLS 证书（never 表示不校验）
- LDAP_ORGANISATION：配置 LDAP 组织名称
- LDAP_DOMAIN:配置LDAP域
- LDAP_ADMIN_PASSWORD：配置 LDAP 管理员（admin）的密码
- 默认登录用户名:admin
1.2、安装可视化操作界面
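# Start the phpLDAPadmin web UI and point it at the LDAP server.
# --privileged gives the container access to all host devices and switches off
#   most container isolation; phpLDAPadmin is a plain PHP web application and
#   should not need it — drop the flag unless this image documents a reason.
# PHPLDAPADMIN_HTTPS=false serves the admin UI (and the admin bind password
#   typed into it) over plain HTTP on host port 18004; put it behind a
#   TLS-terminating proxy or bind it to a trusted interface only.
# The original step passed both -d and --detach, which are the same flag.
docker run \
  --privileged \
  -p 18004:80 \
  --name phpldapadmin \
  --env PHPLDAPADMIN_HTTPS=false \
  --env PHPLDAPADMIN_LDAP_HOSTS=10.30.1.4 \
  --detach docker.e6gpshk.com:8443/yunwei/e6yun-openldap-web:v1.2.5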
参数说明
- PHPLDAPADMIN_HTTPS:是否使用https
- PHPLDAPADMIN_LDAP_HOSTS：填写 LDAP 服务器的主机地址
2.1、安装radius
将下面yml保存至radius.yml文件
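# radius.yml — FreeRADIUS container. Indentation restored; the pasted original
# had every key at column 0, which is not valid compose YAML.
version: "3"
services:
  radius:
    image: freeradius/freeradius-server:3.2.0-alpine
    container_name: radius
    restart: always
    # No volume is mounted over /etc/raddb, so the files copied in with
    # `docker cp` in the later steps live only in this container's writable
    # layer and are lost when the container is recreated. Mounting a host
    # directory on /etc/raddb keeps the configuration persistent.
    # All three ports are UDP and published on every host interface; the
    # host firewall should limit them to the USG's address. 1833 is the
    # extra authentication listener defined in site_ldap below.
    ports:
      - '1812:1812/udp'
      - '1813:1813/udp'
      - '1833:1833/udp'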
# Bring the RADIUS container up in the background from the compose file above.
docker-compose --file ./radius.yml up --detach
2.2、配置ldap
# Copy the LDAP module configuration out of the container into the current
# directory so it can be edited locally.
docker cp radius:/etc/raddb/mods-available/ldap .
将配置修改为如下配置
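# mods-available/ldap — FreeRADIUS LDAP module. Indentation restored and the
# closing brace of the ldap section added; the pasted original never closed it,
# which FreeRADIUS rejects at start-up.
ldap {
	# Directory connection. Port 389 is plain LDAP: the admin bind password
	# below and every user credential checked through this module cross the
	# network in clear. The OpenLDAP container also publishes 636 — prefer
	# LDAPS or STARTTLS here. The hostname must resolve from inside the radius
	# container (the web UI above reaches the directory by IP, 10.30.1.4).
	server = 'ldap.e6gpshk.com'
	port = 389
	# Bind identity. This is the directory admin; a dedicated read-only
	# service account limits the damage if this file (which holds the
	# password in clear) leaks. xxxx is a placeholder.
	identity = 'cn=admin,dc=xxxx,dc=com'
	password = xxxx
	base_dn = 'ou=People,dc=xxxx,dc=com'
	sasl {
	}
	# Attributes copied from the matched LDAP entry into the request lists.
	# userPassword goes to control:Password-With-Header so FreeRADIUS can
	# check the stored (hashed) password itself when it is not binding.
	update {
		control:Password-With-Header += 'userPassword'
		control: += 'radiusControlAttribute'
		request: += 'radiusRequestAttribute'
		reply: += 'radiusReplyAttribute'
	}
	user_dn = "LDAP-UserDn"
	user {
		base_dn = "${..base_dn}"
		# A user matches on cn = User-Name (Stripped-User-Name if present)
		# and must be an inetOrgPerson, a member of cn=wifi, and not carry
		# gidNumber 503 (the page does not say what 503 denotes — document it).
		# NOTE(review): the memberOf DN hard-codes dc=e6yun,dc=com while every
		# other DN in this file uses the dc=xxxx,dc=com placeholder; the two
		# must agree or no user will ever match.
		filter = "(&(objectClass=inetOrgPerson)(memberOf=cn=wifi,ou=Group,dc=e6yun,dc=com)(!(gidNumber=503))(cn=%{%{Stripped-User-Name}:-%{User-Name}}))"
		sasl {
		}
	}
	group {
		base_dn = "${..base_dn}"
		filter = '(objectClass=posixGroup)'
		# Membership is read from the user's memberOf attribute, so the
		# directory has to maintain it (presumably via the memberof overlay —
		# confirm on the OpenLDAP side).
		membership_attribute = 'memberOf'
	}
	profile {
	}
	# RADIUS clients may additionally be defined as radiusClient entries in
	# the directory; the attribute mapping below reads their address and secret.
	client {
		base_dn = "${..base_dn}"
		filter = '(objectClass=radiusClient)'
		template {
		}
		attribute {
			ipaddr = 'radiusClientIdentifier'
			secret = 'radiusClientSecret'
		}
	}
	# Accounting writes a human-readable status into the user's description
	# attribute; %S expands to the current timestamp.
	accounting {
		reference = "%{tolower:type.%{Acct-Status-Type}}"
		type {
			start {
				update {
					description := "Online at %S"
				}
			}
			interim-update {
				update {
					description := "Last seen at %S"
				}
			}
			stop {
				update {
					description := "Offline at %S"
				}
			}
		}
	}
	post-auth {
		update {
			description := "Authenticated at %S"
		}
	}
}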
# Push the edited module configuration back into the container, overwriting
# the original file.
docker cp "$PWD/ldap" radius:/etc/raddb/mods-available/ldap
# Create the site_ldap virtual server definition; its contents follow.
vim site_ldap
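# site_ldap — virtual server for the USG. Indentation restored; FreeRADIUS
# itself ignores indentation, so the values are unchanged. The copy step
# below must use this exact file name (site_ldap).
server site_ldap {
	listen {
		# Dedicated authentication listener on UDP 1833 (published in
		# radius.yml), bound to every interface of the container. Which
		# peers may talk to it is decided by clients.conf.
		ipaddr = 0.0.0.0
		port = 1833
		type = auth
	}
	authorize {
		# Every request on this listener is authenticated by the ldap module
		# (bind as the user); no other authentication method is consulted.
		update {
			control:Auth-Type := ldap
		}
	}
	authenticate {
		Auth-Type ldap {
			ldap
		}
	}
	post-auth {
		# Intentionally empty: nothing is logged or updated on a reject. Add
		# logging here if failed logins from the firewall need to be visible.
		Post-Auth-Type Reject {
		}
	}
}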
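# Copy the virtual server into the container as /etc/raddb/sites-available/ldap.
# The file was created as ./site_ldap above; the original step referred to
# ./site-ldap (hyphen), which does not exist, so the copy would have failed.
docker cp ./site_ldap radius:/etc/raddb/sites-available/ldap
# Copy /etc/raddb/clients.conf out of the container for local editing.
docker cp radius:/etc/raddb/clients.conf ./clients.conf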
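# clients.conf — which NAS devices may send RADIUS requests. Indentation
# restored; values unchanged.
client localhost {
	# This is the line to change. 0.0.0.0/0 accepts requests from any source
	# address, so anyone who can reach UDP 1812/1833 may attempt logins
	# against this client definition; narrow it to the USG's address or
	# subnet.
	ipaddr = 0.0.0.0/0
	# Both UDP and TCP are accepted.
	proto = *
	# The shared secret is the only protection of RADIUS traffic from this
	# client. qqqqqqqq is a placeholder; use a long random value and set the
	# same one on the USG.
	secret = qqqqqqqq
	# Message-Authenticator lets the server reject forged or tampered
	# requests; set to yes if the firewall sends it (most current NAS do).
	require_message_authenticator = no
	limit {
		max_connections = 16
		lifetime = 0
		idle_timeout = 30
	}
}
client localhost_ipv6 {
	# Appears to be the stock loopback client from the image; testing123 is
	# the well-known default secret — change it or remove the client.
	ipv6addr = ::1
	secret = testing123
}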
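# Copy the edited clients.conf back into the container.
docker cp ./clients.conf radius:/etc/raddb/clients.conf
# Enable the ldap module and the ldap site by symlinking them into the
# *-enabled directories. /etc/raddb is a path inside the container, so the
# links have to be created with docker exec; run directly on the host (as in
# the original step) they would create dangling links under the host's /etc.
docker exec radius ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/
docker exec radius ln -s /etc/raddb/sites-available/ldap /etc/raddb/sites-enabled/
# Restart so FreeRADIUS loads the new module, site and client list.
docker restart radius
# RADIUS-side configuration is complete at this point. These files live only
# in this container; recreating it discards them unless /etc/raddb is mounted
# from the host.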
接下来配置防火墙radius服务器,使用openldap导入用户