While working on a VPN project I had to solve user authentication. The simplest approach would have been a database, but in the end I chose to have strongSwan authenticate users through FreeRADIUS, with FreeRADIUS verifying the strongSwan users against OpenLDAP.
I. Install zlib
Download zlib-1.2.3.tar.gz (or another version)
wget http://down1.chinaunix.net/distfiles/zlib-1.2.3.tar.gz
# ./configure --shared
# make
# make install
II. Install OpenSSL
wget http://101.44.1.124/files/613900000275279B/mirrors.163.com/gentoo/distfiles/openssl-1.0.1j.tar.gz
# ./config shared   # note that OpenSSL uses ./config here; it installs to /usr/local/ssl
# make
# make install
If you get this error:
“POD document had syntax errors at /usr/bin/pod2man line 71.
make: *** [install_docs] 错误 25”
edit /usr/bin/pod2man and comment out line 71.
# configure the library search path
# echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
# ldconfig -v
III. Install Berkeley DB
Download db-5.3.28.tar.gz
Unpack it into the folder db-5.3.28
Change into the folder db-5.3.28/build_unix
# ../dist/configure --sysconfdir=/etc   # default install path is /usr/local/BerkeleyDB.5.3
# make
# make install
# configure the library search path (the paths must match the 5.3 install prefix above)
CPPFLAGS="-I/usr/local/BerkeleyDB.5.3/include"
export CPPFLAGS
LDFLAGS="-L/usr/local/BerkeleyDB.5.3/lib"
export LDFLAGS
LD_LIBRARY_PATH="/usr/local/BerkeleyDB.5.3/lib"
export LD_LIBRARY_PATH
cp /usr/local/BerkeleyDB.5.3/include/* /usr/include/
cp /usr/local/BerkeleyDB.5.3/lib/* /usr/lib/
# echo "/usr/local/BerkeleyDB.5.3/lib" >> /etc/ld.so.conf
# ldconfig -v
IV. Install OpenLDAP
1. Download openldap-2.4.30.tgz
2. Unpack it into openldap-2.4.30
3. Change into the folder openldap-2.4.30
# env CPPFLAGS="-I/usr/include -I/usr/local/BerkeleyDB.5.3/include -I/usr/local/ssl/include -D_GNU_SOURCE" LDFLAGS="-L/usr/lib -L/usr/local/BerkeleyDB.5.3/lib -L/usr/local/ssl/lib" ./configure --prefix=/usr/local/openldap --with-tls=openssl --enable-dynamic
(Note: the three temporary variables passed in must point at the Berkeley DB and OpenSSL header and library directories you installed.)
# make depend
# make
# make test   # this step takes a long time
# make install
4. Configure the library search path
# echo "/usr/local/openldap/lib" >> /etc/ld.so.conf
# ldconfig -v
Change into /usr/local/openldap/var/openldap-data and run:
cp /usr/local/openldap/var/openldap-data/DB_CONFIG.example DB_CONFIG
Configure LDAP:
Edit: vi /usr/local/openldap/etc/openldap/slapd.conf
Add the following configuration:
include /usr/local/openldap/etc/openldap/schema/collective.schema
include /usr/local/openldap/etc/openldap/schema/corba.schema
include /usr/local/openldap/etc/openldap/schema/cosine.schema
include /usr/local/openldap/etc/openldap/schema/duaconf.schema
include /usr/local/openldap/etc/openldap/schema/inetorgperson.schema
include /usr/local/openldap/etc/openldap/schema/java.schema
include /usr/local/openldap/etc/openldap/schema/misc.schema
include /usr/local/openldap/etc/openldap/schema/dyngroup.schema
include /usr/local/openldap/etc/openldap/schema/nis.schema
include /usr/local/openldap/etc/openldap/schema/openldap.schema
include /usr/local/openldap/etc/openldap/schema/ppolicy.schema
(Note: do not change the order of the includes above.)
# set the LDAP suffix and root password
database bdb
suffix "dc=emm,dc=com"
rootdn "cn=Manager,dc=emm,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw jianq123456
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/openldap/var/openldap-data
# Indices to maintain
index objectClass eq
5. Copy the schema files, then start LDAP
Copy the sample files from DOC/example/ in the FreeRADIUS source package into the LDAP schema directory /usr/local/openldap/etc/openldap/schema:
# iplanet.ldif iplanet.schema openldap.schema postgresql_update_radacct_group_trigger.sql
Start LDAP:
/usr/local/openldap/libexec/slapd -d -1
If startup fails with
backend_startup_one: bi_db_open failed! (13)
slap_startup failed (test would succeed using the -u switch)
move away (or delete) these files in /usr/local/openldap/var/openldap-data: alock __db.001 __db.002 __db.003 __db.004 __db.005 __db.006
After that the debug log is printed.
6. Add the LDAP entries (test.ldif)
version: 1

dn: dc=emm,dc=com
objectClass: dcObject
objectClass: organization
dc: emm
o: emm Company

dn: cn=Manager,dc=emm,dc=com
objectClass: organizationalRole
cn: Manager

dn: cn=test,cn=Manager,dc=emm,dc=com
objectClass: radiusprofile
objectClass: person
cn: test
sn: test
radiusTunnelMediumType: IEEE-802
radiusTunnelPrivateGroupId: 3
radiusTunnelType: VLAN
radiusUserCategory: 1
telephoneNumber: 87653321
userPassword: jianq123
7. Import the entries
# /usr/local/openldap/bin/ldapadd -x -D "cn=Manager,dc=emm,dc=com" -w <LDAP rootpw> -f test.ldif
Check that the service works: /usr/local/openldap/bin/ldapsearch -x -b 'dc=emm,dc=com'
V. Configure FreeRADIUS
1. Edit vi /usr/local/etc/raddb/modules/ldap
server = "192.168.4.20"
identity = "cn=Manager,dc=emm,dc=com"
password = jianq123456
#identity = "cn=admin,o=My Org,c=UA"
#password = mypass
basedn = "dc=emm,dc=com"
filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})"
access_attr = "cn"
password_attribute = userPassword
Note: cn=Manager,dc=emm,dc=com must match the rootdn in /usr/local/openldap/etc/openldap/slapd.conf exactly, i.e. the attribute naming Manager is cn, the attribute naming emm is dc, and so on.
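The filter line uses FreeRADIUS's %{%{A}:-%{B}} expansion: A if the request has it, otherwise B. As an added illustration (not FreeRADIUS code), this Python resolves that filter for a request's attributes and applies the RFC 4515 escaping that the ldap module itself performs on expanded values before they go into the search filter. The attribute names are the RADIUS ones from the filter line; the request dictionaries are constructed sample input.

```python
# Added example: resolve filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})"
# for one request, escaping the value as RFC 4515 requires.
from typing import Dict, Optional

# Characters that have meaning inside an LDAP search filter (RFC 4515 s.3).
_FILTER_SPECIALS = "*()\\\x00"


def ldap_filter_escape(value: str) -> str:
    """Escape filter metacharacters as \\XX hex sequences (RFC 4515)."""
    out = []
    for ch in value:
        if ch in _FILTER_SPECIALS:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def resolve_filter(attrs: Dict[str, Optional[str]]) -> str:
    """Expand the post's filter: Stripped-User-Name if set, else User-Name."""
    # %{%{Stripped-User-Name}:-%{User-Name}}: the ":-" gives the fallback.
    name = attrs.get("Stripped-User-Name") or attrs.get("User-Name")
    if not name:
        raise ValueError("request carries neither Stripped-User-Name nor User-Name")
    return "(cn=%s)" % ldap_filter_escape(name)


if __name__ == "__main__":
    # Constructed sample requests: a plain login and one with a stripped realm.
    print(resolve_filter({"User-Name": "test"}))
    print(resolve_filter({"User-Name": "test@emm.com",
                          "Stripped-User-Name": "test"}))
```

With a realm module in front of ldap the realm is stripped first, so the LDAP search is still for cn=test; a User-Name containing * or parentheses is escaped rather than altering the filter.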
2. Edit the site config in /usr/local/etc/raddb/sites-available to enable ldap, like this:
authorize {
    ....
    ldap
    ....
}
...
authenticate {
    ...
    Auth-Type LDAP {
        ldap
    }
    ...
}
3. Edit /usr/local/etc/raddb/clients.conf and add the following:
client 192.168.0.0/16 {
    secret = rmss-radius-2011
}
# 192.168.0.0/16: the network allowed to talk to the RADIUS server;
# secret: the shared secret the client must use.
4. Start RADIUS:
radiusd -X   (runs in the foreground and prints debug output)
VI. Test that RADIUS and LDAP work together
# radtest test jianq123 192.168.10.6 0 radius-chenxj-secret
Sending Access-Request of id 149 to 192.168.10.6 port 1812
User-Name = "test"
User-Password = "jianq12345"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
rad_recv: Access-Accept packet from host 192.168.10.6 port 1812, id=149, length=20
# The user test and its password test12345 here are the ones in LDAP; the last argument is the shared secret, which must match the secret in clients.conf. See the man page for the radtest command format.
# No errors (an Access-Accept comes back) means it worked.
VII. Configure strongSwan
1. Configure ipsec.conf: vi /etc/ipsec.conf
conn eap_ios
    keyexchange=ikev2
    ike=aes256-sha256-modp1024,3des-sha1-modp1024,aes256-sha1-modp1024!
    esp=aes256-sha256,3des-sha1,aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    mobike=yes
    fragmentation=yes
    # left (the gateway)
    left=%any
    leftsubnet=0.0.0.0/0
    leftauth=psk
    leftid=192.168.4.245
    # right (the clients)
    right=%any
    rightsourceip=%config
    rightauth=eap-radius
    rightsendcert=never
    eap_identity=%any
    auto=add
2. Configure strongSwan's ipsec.secrets
vi /etc/ipsec.secrets
: PSK 0s<base64-encoded key>
3. Configure strongSwan's strongswan.conf as follows (the secret must be the same one set for this gateway's network in clients.conf):
plugins {
    include strongswan.d/charon/*.conf
    eap-radius {
        class_group = yes
        eap_start = no
        servers {
            192.168.4.245 {
                address = <RADIUS server IP address>
                secret = <RADIUS server shared secret>
                nas_identifier = ipsec-gateway
                sockets = 20
            }
        }
    }
}