Installing and deploying LDAP and RADIUS services on CentOS 8

1. Installing and deploying the LDAP service

CentOS 8 does not ship an openldap-server package by default. Following the principle of using what the system provides (its packages have been through several rounds of selection, and the system can be upgraded smoothly), FreeIPA is used instead. It provides the LDAP service together with a reasonably good web UI for day-to-day administration, but the UI has no tree view; if you need one, use LdapAdmin or Apache Directory Studio.

1.1 Install the FreeIPA packages

# dnf module -y install idm:DL1

1.2 Install the FreeIPA server

# ipa-server-install

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
Version 4.7.1

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.

# confirm hostname and Enter
Server host name [master.test.org]:

# confirm domain name and Enter
Please confirm the domain name [master.test.org]:

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

# confirm realm name and Enter
Please provide a realm name [MASTER.TEST.ORG]:

Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

# set Directory Manager password
Directory Manager password:
Password (confirm):

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

# set IPA admin password
IPA admin password:
Password (confirm):

......

The IPA Master Server will be configured with:
Hostname:       master.test.org
IP address(es): 192.168.1.5
Domain name:    test.org
Realm name:     TEST.ORG

The CA will be configured with:
Subject DN:   CN=Certificate Authority,O=TEST.ORG
Subject base: O=TEST.ORG
Chaining:     self-signed

# confirm settings and proceed with [yes]
Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/44]: creating directory server instance
  [2/44]: enabling ldapi
  [3/44]: configure autobind for root
.....
.....
==============================================================================
Setup complete

Next steps:
    1. You must make sure these network ports are open:
        TCP Ports:
          * 80, 443: HTTP/HTTPS
          * 389, 636: LDAP/LDAPS
          * 88, 464: kerberos
          * 53: bind
        UDP Ports:
          * 88, 464: kerberos
          * 53: bind
          * 123: ntp

    2. You can now obtain a kerberos ticket using the command: 'kinit admin'
       This ticket will allow you to use the IPA tools (e.g., ipa user-add)
       and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful

After the installation completes, initialize the administrator by obtaining a Kerberos ticket:

# kinit admin
Password for admin@TEST.ORG: # IPA admin password

Check the result with the following command:

# klist
Ticket cache: KCM:0
Default principal: admin@TEST.ORG

For installation details, see the official Red Hat Identity Management documentation.

1.3 Configure the firewall

# firewall-cmd --add-service=freeipa-4 --permanent
# firewall-cmd --reload

1.4 Other

This mainly consists of adding accounts and managing the organizational structure.

2. Installing and deploying the RADIUS service

2.1 Install the FreeRADIUS packages

# dnf install freeradius freeradius-ldap freeradius-utils

2.2 Configure /etc/raddb/clients.conf

Define the RADIUS clients and their shared secrets.

client test-network {
    ipaddr = 192.168.1.0/24
    secret = test123
}

In the example above, the clients using the shared secret "test123" are the whole 192.168.1.0/24 subnet. A single host or several individual hosts can be listed instead; the comments in this file describe the options in detail.
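A /24 sharing one short secret means every host on that subnet can speak RADIUS to the server, and the secret is all that authenticates a NAS. As an added example that is not part of the original post, the POSIX shell script below renders one clients.conf stanza per NAS with its own random secret, rejects placeholder secrets such as test123, and sets the FreeRADIUS 3 clients.conf option require_message_authenticator so Access-Requests without a Message-Authenticator are dropped. The client names and addresses are constructed; the 16-character minimum is this example's own policy.

```shell
#!/bin/sh
# Added example (not from the original post): render /etc/raddb/clients.conf
# stanzas with one random shared secret per NAS, rather than one secret such
# as "test123" for a whole /24. Client names and addresses are constructed.

# check_secret SECRET -> 0 if acceptable, 1 if too short or a known placeholder
check_secret() {
    secret=$1
    [ "${#secret}" -ge 16 ] || return 1
    case "$secret" in
        test123|testing123|secret|password) return 1 ;;
    esac
    return 0
}

# gen_secret -> 32 random base64 characters (24 random bytes)
gen_secret() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 24
    else
        head -c 24 /dev/urandom | base64 | tr -d '\n'
    fi
}

# render_client NAME IPADDR SECRET -> one clients.conf stanza on stdout
render_client() {
    name=$1; ipaddr=$2; secret=$3
    if ! check_secret "$secret"; then
        echo "refusing weak shared secret for client $name" >&2
        return 1
    fi
    printf 'client %s {\n' "$name"
    printf '\tipaddr = %s\n' "$ipaddr"
    printf '\tsecret = %s\n' "$secret"
    # reject Access-Requests that carry no Message-Authenticator
    printf '\trequire_message_authenticator = yes\n'
    printf '}\n\n'
}

# render_clients reads "name ipaddr" pairs on stdin and emits one stanza per
# line, generating a fresh secret for each. Record each secret in that NAS.
render_clients() {
    while read -r name ipaddr; do
        [ -n "$name" ] || continue
        render_client "$name" "$ipaddr" "$(gen_secret)"
    done
}

# Stand-alone usage with a constructed inventory (review the output, then
# append it to clients.conf and restart radiusd):
# printf 'sw-core 192.168.1.20\nap-floor1 192.168.1.21\n' | render_clients
```

The generated secrets only exist on stdout, so capture them into the NAS configuration at the same time; FreeRADIUS itself never needs them anywhere but clients.conf.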

2.3 Configure /etc/raddb/sites-enabled/default and /etc/raddb/sites-enabled/inner-tunnel

Find the following:

    # The ldap module reads passwords from the LDAP database.
    -ldap

Replace it with:

    #
    # The ldap module reads passwords from the LDAP database.
    ldap
    if ((ok || updated) && User-Password) {
        update {
            control:Auth-Type := ldap
        }
    }

Uncomment the following:

    # Auth-Type LDAP {
    #     ldap
    # }

2.4 Configure /etc/raddb/mods-available/default

Find the following:

    # server = "ldap.rrdns.example.org ldap.rrdns.example.org ldap.example.org"
    ...
    # base_dn = "dc=example,dc=org"
    ...

Replace it with:

    server = "master.test.org" # the host name set when FreeIPA was installed
    ...
    base_dn = "dc=test,dc=org"
    ...
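With server = "master.test.org" the ldap module connects in clear text on port 389, and with Auth-Type ldap it authenticates each user by binding with the user's PAP password, so that password crosses the network unprotected whenever RADIUS and LDAP are on different hosts. As an added example that is not part of the original post, the shell script below derives the FreeIPA base DN from the domain and renders a complete ldap {} module stanza that uses ldaps:// with certificate verification against the CA file FreeIPA installs at /etc/ipa/ca.crt. The user and group containers (cn=users,cn=accounts and cn=groups,cn=accounts) are FreeIPA's standard layout; the output location is an assumption.

```shell
#!/bin/sh
# Added example (not part of the original post): derive the FreeIPA base DN
# from the domain and render an ldap module stanza that talks LDAPS with CA
# verification instead of plain LDAP on port 389. /etc/ipa/ca.crt is the CA
# file FreeIPA installs; where you write the output is an assumption.

# domain_to_base_dn DOMAIN -> e.g. test.org becomes dc=test,dc=org
domain_to_base_dn() {
    printf 'dc=%s\n' "$1" | sed 's/\./,dc=/g'
}

# render_ldap_module HOST DOMAIN -> prints the ldap {} stanza on stdout
render_ldap_module() {
    host=$1
    base=$(domain_to_base_dn "$2")
    cat <<EOF
ldap {
    # LDAPS (port 636): the user's PAP password used for the bind is encrypted in transit
    server = 'ldaps://$host'
    base_dn = '$base'

    # FreeIPA keeps users and groups under cn=accounts
    user {
        base_dn = "cn=users,cn=accounts,\${..base_dn}"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
    group {
        base_dn = "cn=groups,cn=accounts,\${..base_dn}"
        filter = '(objectClass=posixGroup)'
        membership_attribute = 'memberOf'
    }

    tls {
        # verify the directory server's certificate against the FreeIPA CA
        ca_file = /etc/ipa/ca.crt
        require_cert = 'demand'
    }
}
EOF
}

# Stand-alone usage: write the stanza somewhere for review before copying it
# into the ldap module configuration and restarting radiusd.
# render_ldap_module master.test.org test.org > /tmp/ldap-module.conf
```

On a RADIUS host that is not the IPA server itself, /etc/ipa/ca.crt exists only after ipa-client-install has enrolled the host; otherwise copy the CA certificate over and point ca_file at it. Keep require_cert = 'demand', since with a lower setting a wrong or forged server certificate would still be accepted.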

2.5 Configure the firewall

# firewall-cmd --add-service=radius --permanent
# firewall-cmd --reload

2.6 Verification

2.6.1 Start in debug mode

# radiusd -X
...
Listening on auth address * port 1812 as server default
Listening on acct address * port 1813 as server default
Listening on auth address :: port 1812 as server default
Listening on acct address :: port 1813 as server default
Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel
Opening new proxy socket 'proxy address * port 0'
Listening on proxy address * port 36752
Ready to process requests

2.6.2 Test

Prepare a test user (the LDAP administrator account can be used directly) and open a second terminal.

# radtest test password123456 ipa.test.org 1812
Sending Access-Request Id 105 from 0.0.0.0:44729 to 192.168.1.10:1812
    User-Name = 'test'
    User-Password = 'password123456'
    NAS-IP-Address = 192.168.1.5
    NAS-Port = 1812
    Message-Authenticator = 0x00
Received Access-Accept Id 105 from 192.168.1.5:1812 to 192.168.1.5:44729 length 20

Here the LDAP user name is test and the password is password123456.
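An Access-Accept for the right password shows that the LDAP path works, but not that passwords are actually checked: a misconfigured site that never reaches Auth-Type ldap can also accept. As an added example that is not part of the original post, the shell script below classifies radtest output and runs an accept/reject pair, so the check passes only when the correct password is accepted and a wrong one is rejected. radtest's positional arguments are user, password, server[:port], NAS port number and shared secret, in that order; the user name, host and secret placeholder are assumptions, and the sample output in the usage note is constructed.

```shell
#!/bin/sh
# Added example (not part of the original post): classify radtest output and
# run an accept/reject pair so a passing check proves the password really is
# verified against LDAP. Host name, user name and secret are assumptions.

# classify_radtest: reads radtest output on stdin; prints accept|reject|noreply|unknown
classify_radtest() {
    out=$(cat)
    case "$out" in
        *"Received Access-Accept"*) echo accept ;;
        *"Received Access-Reject"*) echo reject ;;
        *"No reply from server"*)   echo noreply ;;
        *)                          echo unknown ;;
    esac
}

# radtest_check USER PASSWORD SERVER SECRET EXPECTED
# Runs radtest with NAS port 0 and compares the classified reply with EXPECTED.
radtest_check() {
    user=$1; pass=$2; server=$3; secret=$4; expected=$5
    got=$(radtest "$user" "$pass" "$server" 0 "$secret" 2>&1 | classify_radtest)
    if [ "$got" = "$expected" ]; then
        echo "ok: $user -> $got"
    else
        echo "FAIL: $user -> $got (expected $expected)" >&2
        return 1
    fi
}

# verify_ldap_auth USER PASSWORD SERVER SECRET
# Both halves must hold: right password accepted AND a wrong one rejected.
verify_ldap_auth() {
    radtest_check "$1" "$2" "$3" "$4" accept &&
    radtest_check "$1" "wrong-$2" "$3" "$4" reject
}

# Stand-alone run against the post's server, only when explicitly requested
# (RUN_LIVE=1) and radtest is installed; the secret is a placeholder.
if [ "${RUN_LIVE:-0}" = 1 ] && command -v radtest >/dev/null 2>&1; then
    verify_ldap_auth test password123456 master.test.org 'REPLACE-WITH-CLIENT-SECRET'
fi
```

A "noreply" result usually means the firewall rule from the previous section is missing or the client's address does not match any clients.conf entry (FreeRADIUS silently drops packets from unknown clients); a "reject" for the correct password points at the ldap module or site configuration, which radiusd -X shows step by step.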

2.6.3 Enable the service for production

# systemctl enable --now radiusd
