Monday, December 6, 2010
FreeRADIUS with LDAP
I installed FreeRADIUS with LDAP. I’ve written the installation document below. Please give me advice/suggestions on it. I would appreciate any kind of advice/suggestion!
== FreeRadius + LDAP
apt-get install freeradius freeradius-ldap
vim /etc/freeradius/radiusd.conf
modules {
    ldap {
        server = "ldap1.com"
        # Only one basedn takes effect per ldap instance, so keep a single line;
        # the narrower ou=People base is enough for the posixAccount filter below.
        #basedn = "dc=ldap1,dc=com"
        basedn = "ou=People,dc=ldap1,dc=com"
        filter = "(&(objectclass=posixAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))"
        #access_attr = "dialupAccess"
    }
}
authorize {
    ldap    # uncomment this line (it is commented out in the default file)
}
authenticate {
    Auth-Type LDAP {
        ldap    # uncomment this block as well
    }
}
Rewrite as follows (the reply item on the second line must be indented, otherwise the users file does not parse).
vim /etc/freeradius/users
DEFAULT Auth-Type = LDAP
        Fall-Through = 1
view /etc/freeradius/clients.conf
client 127.0.0.1/24 {
    secret = testing123
    shortname = localhost
}
The shared secret testing123 is the stock example value; it is fine for this loopback test, but any entry for a real NAS needs its own secret.
/etc/init.d/freeradius restart
radtest sakai PASSWORD localhost 0 testing123
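Before restarting, it is worth linting the two files just edited. The following Python script is an added example and not code from the original post: it parses the brace-delimited FreeRADIUS syntax with the standard library only and flags the two things most likely to bite in the configuration above, an attribute assigned twice in one section (the two basedn lines) and a client entry that covers a whole network while still using the stock secret testing123. The sample configuration strings inside it are constructed from the post's listings; the check names and messages are my own.

```python
"""Lint a FreeRADIUS 1.x style configuration file before restarting the daemon.

Added example, not code from the original post: it parses the brace-delimited
radiusd.conf / clients.conf syntax with the standard library only and reports
  * an attribute assigned twice inside one section (two `basedn` lines in ldap {}),
  * a client stanza whose address is a whole network rather than one NAS host,
  * a client that still uses a stock example shared secret such as `testing123`.
"""
import ipaddress
import re
from typing import List, Tuple

DEFAULT_SECRETS = {"testing123"}      # secrets shipped in example configs

# "client 127.0.0.1/24 {", "Auth-Type LDAP {" or "modules{"
SECTION_RE = re.compile(r"^\s*([^\s{]+)(?:\s+([^\s{]+))?\s*\{\s*$")
# "key = value"; bare module references such as a lone "ldap" line carry no "="
ATTR_RE = re.compile(r"^\s*([A-Za-z_][\w-]*)\s*=\s*(.*?)\s*$")


def _clean_value(raw: str) -> str:
    """Strip surrounding double quotes, or an unquoted trailing '# comment'."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    return raw.split("#", 1)[0].strip()


def parse_sections(text: str) -> List[Tuple[str, List[Tuple[str, str]]]]:
    """Return one (section path, [(key, value), ...]) entry per section.

    The path joins nested section names with ' > ', e.g. 'modules > ldap'.
    Comment and blank lines are skipped; unbalanced braces raise ValueError.
    """
    stack: List[str] = []
    attrs_by_depth: List[List[Tuple[str, str]]] = []
    result: List[Tuple[str, List[Tuple[str, str]]]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = SECTION_RE.match(stripped)
        if m:
            name = m.group(1) if not m.group(2) else f"{m.group(1)} {m.group(2)}"
            stack.append(name)
            attrs_by_depth.append([])
            continue
        if stripped == "}":
            if not stack:
                raise ValueError(f"line {lineno}: unmatched '}}'")
            result.append((" > ".join(stack), attrs_by_depth.pop()))
            stack.pop()
            continue
        m = ATTR_RE.match(stripped)
        if m and attrs_by_depth:
            attrs_by_depth[-1].append((m.group(1), _clean_value(m.group(2))))
    if stack:
        raise ValueError(f"unclosed section(s): {' > '.join(stack)}")
    return result


def lint(text: str) -> List[str]:
    """Run the checks and return human-readable findings (empty list = clean)."""
    findings: List[str] = []
    for path, attrs in parse_sections(text):
        seen = {}
        for key, value in attrs:
            if key in seen:
                findings.append(f"{path}: '{key}' is set twice ({seen[key]!r}, then "
                                f"{value!r}); only one of them takes effect")
            seen[key] = value
        leaf = path.split(" > ")[-1]
        if leaf.startswith("client "):
            host = seen.get("ipaddr", leaf.split(None, 1)[1])
            try:
                net = ipaddress.ip_network(host, strict=False)
            except ValueError:          # a hostname rather than an address
                net = None
            if net is not None and net.num_addresses > 1:
                findings.append(f"{path}: covers {net.num_addresses} addresses ({net}); "
                                "a NAS entry should normally name a single host")
            if seen.get("secret") in DEFAULT_SECRETS:
                findings.append(f"{path}: shared secret is the example value "
                                f"{seen['secret']!r}; change it before a real NAS uses this entry")
    return findings


# Constructed samples, copied from the post's listings (with the duplicate basedn).
SAMPLE_RADIUSD_CONF = """\
modules {
    ldap {
        server = "ldap1.com"
        basedn = "dc=ldap1,dc=com"
        basedn = "ou=People,dc=ldap1,dc=com"
        filter = "(&(objectclass=posixAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))"
    }
}
authorize {
    ldap
}
"""
SAMPLE_CLIENTS_CONF = """\
client 127.0.0.1/24 {
    secret = testing123
    shortname = localhost
}
"""

if __name__ == "__main__":
    for name, cfg in (("radiusd.conf", SAMPLE_RADIUSD_CONF), ("clients.conf", SAMPLE_CLIENTS_CONF)):
        for finding in lint(cfg) or ["clean"]:
            print(f"{name}: {finding}")
```

Run it against the real files with `lint(open("/etc/freeradius/clients.conf").read())`; an empty list means none of the three conditions was found, not that the file is otherwise correct.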
== TLS
For TLS or TTLS, the EAP modules are not included in the Debian apt-get package, so build from source.
apt-get install build-essential
apt-get install apt-src
apt-src update
mkdir ~/build_freeradius
cd ~/build_freeradius
apt-src install freeradius
vim ~/build_freeradius/freeradius-1.1.3/debian/rules
#buildssl=--without-rlm_eap_peap --without-rlm_eap_tls --without-rlm_eap_ttls --without-rlm_otp \
#    --without-rlm_sql_postgresql --without-snmp
#modulelist=krb5 ldap sql_mysql sql_iodbc
buildssl=--with-rlm_sql_postgresql_lib_dir=`pg_config --libdir` \
    --with-rlm_sql_postgresql_include_dir=`pg_config --includedir`
modulelist=krb5 ldap sql_mysql sql_iodbc sql_postgresql
The original buildssl line is what excluded rlm_eap_peap, rlm_eap_tls and rlm_eap_ttls from the Debian build; the replacement drops those --without flags so the EAP modules get built, and the backslashes keep each assignment on one logical make line.
vim ~/build_freeradius/freeradius-1.1.3/debian/control
Source: freeradius
Build-Depends: debhelper (>= 5), libltdl3-dev, libpam0g-dev, libmysqlclient15-dev | libmysqlclient-dev, libgdbm-dev,
 libldap2-dev, libsasl2-dev, libiodbc2-dev, libkrb5-dev, snmp, autotools-dev, dpatch (>= 2),
 libperl-dev, libtool, dpkg-dev (>= 1.13.19), libssl-dev, libpq-dev
Build-Conflicts:
cd ~/build_freeradius/freeradius-1.1.3/debian
cat control.postgresql >> control
Add the following entry at the top.
vim ~/build_freeradius/freeradius-1.1.3/debian/changelog
freeradius (1.1.3-3tls) unstable; urgency=low

  * Add TLS. Closes: #403389.

 -- Jun Sakai  Sat, 16 Dec 2006 20:45:11 +0000
# cd ~/build_freeradius
# apt-src build freeradius
dpkg -i freeradius_1.1.3-3tls_i386.deb freeradius-ldap_1.1.3-3tls_i386.deb
Generate the private key and create the certificate signing request
% openssl req -new -newkey rsa:2048 -keyout rad-privkey.pem -out rad-req.pem
Process the certificate signing request (sign it with the CA)
# openssl ca -out rad-cert.pem -infiles rad-req.pem
Remove the passphrase from the private key (the resulting rad-priv.pem must then be readable only by the user the daemon runs as)
# openssl rsa -in rad-privkey.pem -out rad-priv.pem
Create the DH parameter file (dh_file in eap.conf expects DH parameters; openssl dsaparam would write DSA parameters, which rlm_eap_tls cannot load as dh_file)
# openssl dhparam -out dh2048.pem 2048
CA certificate (produced when the CA was set up with OpenSSL)
Create a DER-format copy of the certificate so that Windows XP can import it.
% openssl x509 -in cacert.pem -out cacert.der -outform DER
vim /etc/freeradius/eap.conf
eap {
    #default_eap_type = md5
    default_eap_type = peap
    tls {
        # Only consulted while the key file is passphrase-protected. The
        # `openssl rsa` step above stripped the passphrase from rad-priv.pem,
        # so this value is unused there; a passphrase-less key must instead be
        # protected by file permissions (chmod 600, owned by the daemon user).
        private_key_password = 88390LPP
        private_key_file = /usr/local/RADIUS/rad-priv.pem
        # If Private key & Certificate are located in
        # the same file, then private_key_file &
        # certificate_file must contain the same file
        # name.
        certificate_file = /usr/local/RADIUS/rad-cert.pem
        # Trusted Root CA list
        CA_file = /usr/local/CA/cacert.pem
        dh_file = /usr/local/RADIUS/dh2048.pem
        random_file = /dev/urandom
    }
    peap {
        default_eap_type = mschapv2
    }
    mschapv2 {
    }
}
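A mismatch between the files referenced in eap.conf (a key that does not belong to the certificate, a certificate the CA_file does not sign, a DSA-parameter file named as dh_file, a passphrase-less key left world-readable) only surfaces when the first supplicant tries to authenticate. The script below is an added example, not code from the original post: it drives the same openssl commands the post uses, with a throw-away self-signed CA standing in for the openssl ca setup, and then checks the resulting files the way FreeRADIUS will use them. The check names, the CA subject and the test host name are my own choices, and the script assumes an openssl binary on PATH.

```python
"""Check the RADIUS server's TLS material before pointing eap.conf at it.

Added example, not code from the original post. It drives the same openssl
commands the post uses (a throw-away CA replaces `openssl ca`) and checks:
  * the server certificate validates against the CA_file FreeRADIUS will trust,
  * the private key belongs to that certificate,
  * the key is passphrase-protected (then private_key_password is needed) or,
    if the passphrase was stripped as in the post, not group/world readable,
  * dh_file holds "DH PARAMETERS" (what `openssl dhparam` writes), not DSA ones,
  * the DER copy made for Windows starts with a DER SEQUENCE tag.
Assumes an `openssl` binary on PATH; file names mirror the post's.
"""
import os
import shutil
import stat
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, Optional


def run(*args: str, cwd: Path) -> str:
    """Run one openssl subcommand in `cwd`; return stdout, raise on failure."""
    return subprocess.run(["openssl", *args], cwd=cwd, capture_output=True,
                          text=True, check=True).stdout


def make_test_pki(d: Path, bits: int = 2048) -> None:
    """Create a throw-away CA plus server key/CSR/cert under `d` (constructed test data)."""
    run("req", "-x509", "-newkey", f"rsa:{bits}", "-nodes", "-days", "1",
        "-subj", "/CN=Example RADIUS CA", "-keyout", "ca-key.pem", "-out", "cacert.pem", cwd=d)
    run("req", "-new", "-newkey", f"rsa:{bits}", "-nodes",
        "-subj", "/CN=radius.example.test", "-keyout", "rad-priv.pem", "-out", "rad-req.pem", cwd=d)
    run("x509", "-req", "-in", "rad-req.pem", "-CA", "cacert.pem", "-CAkey", "ca-key.pem",
        "-CAcreateserial", "-days", "1", "-out", "rad-cert.pem", cwd=d)
    run("x509", "-in", "cacert.pem", "-outform", "DER", "-out", "cacert.der", cwd=d)
    os.chmod(d / "rad-priv.pem", 0o600)   # the minimum for a passphrase-less key


def key_is_encrypted(pem: str) -> bool:
    """True for PKCS#8 'ENCRYPTED PRIVATE KEY' and traditional 'Proc-Type: 4,ENCRYPTED' files."""
    return "ENCRYPTED" in pem


def classify_params(pem: str) -> str:
    """'DH', 'DSA' or 'unknown', judged from the PEM header of a parameter file."""
    first = pem.lstrip().split("\n", 1)[0]
    if "BEGIN DH PARAMETERS" in first:
        return "DH"
    if "BEGIN DSA PARAMETERS" in first:
        return "DSA"
    return "unknown"


def check_tls_material(d: Path, key: str = "rad-priv.pem", cert: str = "rad-cert.pem",
                       ca: str = "cacert.pem", dh: str = "dh2048.pem",
                       der: str = "cacert.der") -> Dict[str, Optional[bool]]:
    """Run the checks on the files in `d`; a None result means 'could not be determined'."""
    res: Dict[str, Optional[bool]] = {}
    verify = subprocess.run(["openssl", "verify", "-CAfile", ca, cert], cwd=d,
                            capture_output=True, text=True)
    res["cert_chains_to_ca"] = verify.returncode == 0
    res["key_encrypted"] = key_is_encrypted((d / key).read_text())
    if res["key_encrypted"]:
        res["key_matches_cert"] = None        # comparing would need the passphrase
    else:
        cert_pub = run("x509", "-in", cert, "-pubkey", "-noout", cwd=d)
        key_pub = run("pkey", "-in", key, "-pubout", cwd=d)
        res["key_matches_cert"] = key_pub == cert_pub
    mode = stat.S_IMODE((d / key).stat().st_mode)
    res["key_private_to_owner"] = (mode & 0o077) == 0
    res["dh_file_is_dh"] = (d / dh).exists() and classify_params((d / dh).read_text()) == "DH"
    res["der_is_sequence"] = (d / der).exists() and (d / der).read_bytes()[:1] == b"\x30"
    return res


def self_check(dh_kind: str = "DSA") -> Optional[Dict[str, Optional[bool]]]:
    """Build the test PKI in a temp dir and run the checks; None if openssl is missing.

    dh_kind selects the constructed dh2048.pem header: "DSA" reproduces the
    `openssl dsaparam` mistake, "DH" what `openssl dhparam` writes.
    """
    if shutil.which("openssl") is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        make_test_pki(d)
        # constructed placeholder body; only the header is inspected
        (d / "dh2048.pem").write_text(
            f"-----BEGIN {dh_kind} PARAMETERS-----\nMA==\n-----END {dh_kind} PARAMETERS-----\n")
        return check_tls_material(d)


if __name__ == "__main__":
    for name, ok in (self_check() or {"openssl not found": False}).items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}")
```

For the real deployment call `check_tls_material(Path("/usr/local/RADIUS"), ca="/usr/local/CA/cacert.pem")` with the paths from eap.conf; every value in the returned dict should be True, except that `key_matches_cert` is reported as None when the key is still passphrase-protected.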
Labels: RADIUS