Openldap

ddwrt + 自由半徑 + LDAP

  • March 20, 2017

我正在嘗試設置一個 LDAP 伺服器來驗證多個伺服器,例如 ftp 和 radius(甚至可能是 ssh?)

我有一個路由器(ddwrt),我已經能夠在 freeradius 中使用明文密碼進行身份驗證。現在我想使用 ldap 伺服器來儲存使用者和密碼

我已經設置了我的 ldap 伺服器,我可以使用以下方法對其進行身份驗證:

kevin@kevin-desktop:~$ radtest ldapuser password123 127.0.0.1 2 testing123
Sending Access-Request of id 182 to 127.0.0.1 port 1812
       User-Name = "ldapuser"
       User-Password = "password123"
       NAS-IP-Address = 127.0.1.1
       NAS-Port = 2
       Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=182, length=20

但是,當我嘗試使用 ddwrt -> freeradius 進行身份驗證時,我收到以下消息:

rad_recv: Access-Request packet from host 192.168.11.1 port 52101, id=0, length=129
       User-Name = "ldapuser"
       NAS-IP-Address = 192.168.11.1
       Called-Station-Id = "10da43747fcb"
       Calling-Station-Id = "accf8528974e"
       NAS-Identifier = "10da43747fcb"
       NAS-Port = 49
       Framed-MTU = 1400
       NAS-Port-Type = Wireless-802.11
       EAP-Message = 0x0200000d016c64617075736572
       Message-Authenticator = 0x99372f408b0979fc103af5112b81501a
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "ldapuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 0 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry DEFAULT at line 1
++[files] = ok
[ldap] performing user authorization for ldapuser
[ldap]  expand: %{Stripped-User-Name} -> 
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> ldapuser
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=ldapuser)
[ldap]  expand: dc=kevin,dc=local -> dc=kevin,dc=local
 [ldap] ldap_get_conn: Checking Id: 0
 [ldap] ldap_get_conn: Got Id: 0
 [ldap] attempting LDAP reconnection
 [ldap] (re)connect to 192.168.11.21:389, authentication 0
 [ldap] bind as cn=admin,dc=kevin,dc=local/pwd to 192.168.11.21:389
 [ldap] waiting for bind result ...
 [ldap] Bind was successful
 [ldap] performing search in dc=kevin,dc=local, with filter (uid=ldapuser)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
 [ldap] userPassword -> User-Password == "{SSHA}fqS7t/ZXimCnTgsXcsGDQF9WP+atmjVG"
 [ldap] userPassword -> Password-With-Header == "{SSHA}fqS7t/ZXimCnTgsXcsGDQF9WP+atmjVG"
[ldap] looking for reply items in directory...
 [ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = LDAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group LDAP {
 [ldap] Attribute "User-Password" is required for authentication.
 You seem to have set "Auth-Type := LDAP" somewhere.
 THAT CONFIGURATION IS WRONG.  DELETE IT.
 YOU ARE PREVENTING THE SERVER FROM WORKING PROPERLY.
++[ldap] = invalid
+} # group LDAP = invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+group REJECT {
[eap] Request was previously rejected, inserting EAP-Failure
++[eap] = updated
[attr_filter.access_reject]     expand: %{User-Name} -> ldapuser
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 0 to 192.168.11.1 port 52101
       EAP-Message = 0x04000004
       Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 4.9 seconds.
Cleaning up request 0 ID 0 with timestamp +9
Ready to process requests.

如何使用 openldap 正確設置 openradius?

顯然,您必須將密碼以明文形式儲存在 ldap 伺服器上,PEAP 才能正常工作。

我遵循了本教程(非常基本的設置): https ://www.youtube.com/watch?v=weTfRslHhZY

腳步:

在 /etc/freeradius/modules/ldap 修改設置:

server = "server.address"
       identity = "cn=admin,dc=example,dc=com"
       password = admin_password
       basedn = "dc=example,dc=com"

在 /etc/freeradius/sites-available/default authorize 部分:

comment file
uncomment ldap

在 /etc/freeradius/sites-available/inner-tunnel

授權部分:

comment file
uncomment ldap

驗證部分:取消註釋:

Auth-Type LDAP {
       ldap
}

他們忽略了您必須以明文形式保存密碼的事實,我在這裡發現了這一點:

http://tech.sybreon.com/2011/01/18/freeradius-openldap-dd-wrt/

顯然你不能從一個簡單的組織組創建一個 posix 帳戶,你必須從我從這裡得到的一個 posix 組創建它:

http://www.linuxquestions.org/questions/linux-networking-3/can't-create-ldap-entries-with-phpldapadmin-272376/

最後我不得不使用 jxexplore 和 phpldapadmin 添加我的使用者,因為 jxexplore 不喜歡添加明文密碼。只需在 jxexplore 上創建沒有密碼的帳戶,然後在 phpldapadmin 中將密碼添加到使用者。(有機會我會更新的)

這裡的關鍵資訊是:

$$ ldap $$身份驗證需要屬性“使用者密碼”。

您似乎在某處設置了“Auth-Type := LDAP”。那個配置是錯誤的。刪除它。您正在阻止伺服器正常工作。

我看不到更新部分,但我敢打賭,您要麼將set_auth_type設置為 yes,要麼第 1 行的條目raddb/users類似於:

DEFAULT Auth-Type := LDAP

無論哪種情況,您都應該刪除該條目。

通過設置 Auth-Type,您將強制伺服器執行特定類型的身份驗證,考慮到請求中的屬性,這可能不適合。

有關伺服器如何決定使用哪種身份驗證方法的說明,請參閱FreeRADIUS wiki上的RADIUS 概念

對於 EAP 身份驗證(這是 DD-WRT 正在嘗試的),您需要將 LDAP 和 PAP 模組添加到 的授權部分sites-available/inner-tunnel,並確保您的Password-With-Header屬性指向正確的 LDAP 屬性。

引用自:https://serverfault.com/questions/839231